
Collect Logs for Evident.io ESP

Steps to collect logs for Evident.io ESP.

To collect logs for Evident.io, you will perform these steps, detailed in the following sections:

  1. In Sumo Logic, configure a Hosted Collector and HTTP Source.
  2. Configure an Evident.io Integration to AWS Simple Notification Service (SNS).
  3. Subscribe to SNS Notifications.
  4. Enable Raw Message Delivery.

Add a Sumo Logic Collector and Source

  1. In Sumo Logic, configure a Hosted Collector.
  2. Configure an HTTP Source.
    1. Name. Enter Evident.io SNS Integration.
    2. Source Category. Enter security_evident.
  3. In the Advanced section, configure:
    1. Enable Timestamp Parsing. Activate the check box Extract timestamp information from log files.
    2. Time Zone. Select Ignore time zone from log file, and select (UTC) Etc/UTC.
  4. Processing Rules. Create the following Mask Rule:
    1. Name. Enable proper timestamp parsing
    2. Filter. Enter \"(?:created_at|updated_at|ended_at)\":\"\d+-\d+-\d+(T)\d+:\d+:\d+.\d+Z\"
    3. Type. Select Mask messages that match.
    4. Mask String. Enter t.
  5. Click Apply.
  6. Click Save.
  7. Copy the HTTP Source Address URL and use it in the following section.

Configure an Evident.io Integration with AWS SNS

To configure an Evident.io Integration with AWS SNS:

  1. In Evident.io, add an Integration.
  2. Enable an AWS SNS integration.

Subscribe to SNS Notifications

Once the Hosted Collector and HTTP Source are configured, subscribe the HTTP Source on your Hosted Collector to the SNS topic that receives data from Evident.io.

  1. In the AWS Management Console, go to SNS > Topics, and find the topic you created in Configure an Evident.io Integration with AWS SNS.
  2. Select the checkbox for the topic.
  3. Under Amazon SNS, in the Actions menu, select Subscribe to Topic.
  4. Under Protocol, select HTTPS, and paste the Sumo Logic HTTP Source URL you created in the first step into the Endpoint field.
  5. Click Create Subscription.
  6. In a few minutes, a confirmation message is sent to Sumo Logic.
  7. In Sumo Logic, find the confirmation message from your HTTP Source by searching for SubscribeURL.
    For example, use the query:
    _sourceCategory=security_evident SubscribeURL
  8. Then, in the Messages tab, find the JSON field SubscribeURL, and copy the URL to your clipboard, as shown.
  9. In the AWS Management Console, select SNS > Topics.
  10. Under Amazon SNS > Actions, select Confirm a subscription.
  11. Paste the SubscribeURL into the field Subscription confirmation URL, and click Confirm subscription.

Enable Raw Message Delivery

Enable Raw Message Delivery for the topic.

For details, see http://docs.aws.amazon.com/sns/latest/dg/large-payload-raw-message.html.

  1. Select the AWS Topic.
  2. Click Other subscription actions.
  3. Click Edit subscription attributes.
  4. Select the Raw message delivery check box.
  5. Click Set subscription attributes.
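The following Python example is added here to illustrate three parts of the procedure above and is not Sumo Logic's or Evident.io's own code: it applies the Mask Rule from the HTTP Source section the way Sumo Logic mask rules work (only the capture group is replaced by the mask string), shows why Raw Message Delivery matters (without it, SNS wraps the alert in an envelope whose escaped quotes the rule cannot match), and extracts the SubscribeURL from a SubscriptionConfirmation message. The alert record and the confirmation URL are constructed samples, not real Evident.io or SNS data.

```python
import json
import re
from typing import Optional

# The Mask Rule filter from the HTTP Source configuration above, transcribed as a
# Python regex. Only capture group 1 (the "T" date/time separator) is masked, and
# the pattern assumes compact JSON with no space after the colon.
MASK_FILTER = re.compile(
    r'\"(?:created_at|updated_at|ended_at)\":\"\d+-\d+-\d+(T)\d+:\d+:\d+.\d+Z\"'
)
MASK_STRING = "t"


def apply_mask_rule(message: str) -> str:
    """Replace capture group 1 of each match with MASK_STRING, as the rule does."""
    def _mask(m: "re.Match[str]") -> str:
        whole = m.group(0)
        start, end = m.start(1) - m.start(0), m.end(1) - m.start(0)
        return whole[:start] + MASK_STRING + whole[end:]
    return MASK_FILTER.sub(_mask, message)


def unwrap_sns(body: str) -> dict:
    """Return the Evident.io payload from an SNS HTTPS delivery body.
    With Raw Message Delivery enabled the body is the alert JSON itself; without
    it, SNS nests the alert as an escaped JSON string in the "Message" field.
    """
    outer = json.loads(body)
    if outer.get("Type") == "Notification" and isinstance(outer.get("Message"), str):
        return json.loads(outer["Message"])
    return outer


def subscribe_url(body: str) -> Optional[str]:
    """Extract SubscribeURL from a SubscriptionConfirmation message, else None."""
    outer = json.loads(body)
    if outer.get("Type") == "SubscriptionConfirmation":
        return outer.get("SubscribeURL")
    return None


# Constructed sample alert (not a real Evident.io record); only the timestamp
# field names follow the Mask Rule. ended_at is null and must stay untouched.
SAMPLE_ALERT = json.dumps({"data": {"type": "alerts", "attributes": {
    "created_at": "2018-03-05T14:12:33.000Z",
    "updated_at": "2018-03-05T14:12:35.000Z",
    "ended_at": None, "status": "fail"}}}, separators=(",", ":"))
# The same alert as SNS delivers it with Raw Message Delivery disabled.
SAMPLE_ENVELOPE = json.dumps({"Type": "Notification", "Message": SAMPLE_ALERT})
```

Running `apply_mask_rule` on `SAMPLE_ENVELOPE` leaves it unchanged, which is the symptom you see in Sumo Logic when the subscription still lacks Raw Message Delivery.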