
Collect Events for Box

This procedure documents how to collect logs from Box into Sumo Logic.

Log Types

The Sumo Logic App for Box collects Box events, which are described in detail in the Box documentation.

Prerequisites

Before you can collect events for the Sumo Logic App for Box, you must have a co-admin Box user with Run new reports and access existing reports privileges. 

The following files are required:

Deploy the packages, edit sumojanus-2.0/conf/sumologic.properties, and authenticate Box. For more information, see Collect Events for the Box App.

Configure Logging in Box

Before you can deploy the scripts to production, you must first deploy the packages and authenticate Box.

Deploy the Packages

To perform this step, you will need an internet-connected computer with a web browser.

If you have not previously set up the SumoJanus package

  1. Copy the two package files you downloaded to the same folder, then unzip them there.
    1. On Linux, run the following commands:

      tar xzvf sumojanus-2.0.tar.gz
      tar xzvf sumojanus-2.0-box.tar.gz

    2. On Windows, use a third-party tool to unzip the package.
  2. These will create a folder called sumojanus-2.0 with all the files from both packages.

If you have previously set up the SumoJanus package

  1. Back up conf/sumologic.properties.
  2. Copy the file sumojanus-2.0-box.tar.gz to the parent folder where SumoJanus is currently installed.
  3. From there, unzip the file sumojanus-2.0-box.tar.gz using the following command:

    tar xzvf sumojanus-2.0-box.tar.gz

  4. This will copy the files from the Box package to the sumojanus-2.0 folder.

Edit the Properties file

  1. Open the file sumojanus-2.0/conf/sumologic.properties in a text editor and add the following lines:

    [boxcollector]
    token_path = ${path}/data/box_enc.token
    stream_pos_path = ${path}/data/box_stream_position.dat
    # optional, default is admin event
    #event_type = admin
    # optional, encrypt token file or not. Default is false
    encrypt_token_file = true
    # Optional, Overwrite default encryption key
    # encryption_key =
    # optional, startTime to query for Event Log files, in epoch milliseconds. Default is 2 days back.
    #startTime = 1435709058000
    # optional, endTime to query for Event Log files, in epoch milliseconds
    #endTime = 1436377600000
  2. Replace the ${path} variable with the actual path on the server where sumojanus-2.0 is installed. This is usually /sumojanus/sumojanus-2.0/.
  3. Save your changes.

Authenticate Box

As part of authentication, the script will open and listen to port 8080. It will also create a token file under the sumojanus-2.0/data folder. Before you begin, make sure the local firewall settings and file permissions allow these operations.

  1. If you are currently logged in to your Box account, log out.
  2. From the sumojanus-2.0 folder, run:
    1. For Linux: bin/SumoJanus_Box.bash -s
    2. For Windows: bin\SumoJanus_Box.bat -s
  3. The script opens the browser. Log in to Box and click Authorize.
  4. To grant access to all requested permissions, click Grant access to Box.
  5. Once permissions are granted, the script saves the access token into a local file. Verify that the file is actually created. If not, you may need to repeat the authentication steps.

    The path to this token file is configured in the file conf/sumologic.properties, under the property token_path.

  6. Test the script manually before you deploy it to production. To do so, go to the sumojanus-2.0 folder and run the following command:

    bin/SumoJanus_Box.bash (on Windows: bin\SumoJanus_Box.bat)

Production Deployment

If you have not previously set up the SumoJanus package

Copy the whole sumojanus-2.0 folder to your production system where you set up the Sumo Logic Local Collector. We recommend putting this folder under the Collector folder.

Make sure the Local Collector has write permission to this folder, as the script will need to write locally on a regular basis.

If you have previously set up the SumoJanus package

If you are using SumoJanus 2.0 on the target host as part of another script collection, Salesforce for example, the folder sumojanus-2.0 already exists on your system. Do the following:

  1. Back up the file conf/sumologic.properties.
  2. Copy only the configuration section of conf/sumologic.properties to the target host. (This is the section you edited earlier.)
  3. Unzip only the bundle package sumojanus-2.0-box.tar.gz to the sumojanus-2.0 folder.
  4. Copy the token file just generated to sumojanus-2.0/data.
  5. Test the script manually. To do so, go to the sumojanus-2.0 folder and run the following command:

    bin/SumoJanus_Box.bash (on Windows: bin\SumoJanus_Box.bat)

Configure a Collector

Configure an Installed Collector. Linux and Windows, with Java Runtime Environments, are supported.

Configure a Source

  1. Configure a Script Source.
  2. Configure the Source fields:
    1. Name. (Required) BoxCollector. (Description is optional.)
    2. Source Category. (Required) box
    3. Frequency (Required) Every 5 Minutes
    4. Specify a timeout for your command: Activate the checkbox and select 60 Minutes
    5. Command (Required) /bin/bash (specify the correct path on your system)
    6. Script (Required) Use the path to sumojanus-2.0 that you created in the Production Deployment step, such as /home/ubuntu/sumojanus-2.0/bin/SumoJanus_Box.bash. (Do not select “Type the script to execute.”)
    7. Working Directory. /home/ubuntu/sumojanus-2.0
  3. Click Save.

Sample Log Messages

{"source":{"type":"user","id":"225980941","name":"First Last","login":"user@sumologic.com"},
"created_by":{"type":"user","id":"225980941","name":"First Last","login":"user@sumologic.com"},
"created_at":"2016-12-15T11:08:58-08:00","event_id":"7988d00a-aca3-4454-9021-652477f4fa78",
"event_type":"LOGIN","ip_address":"1.1.1.1","type":"event","session_id":null,"additional_details":null}

{"source":{"type":"user","id":"262207389","name":"user","login":"luser@sumologic.com"},
"created_by":{"type":"user","id":"225980941","name":"first last","login":"user1@sumologic.com"},
"created_at":"2016-12-14T16:09:33-08:00","event_id":"d82f1946-2c51-43fe-bfcc-3452f9e2f6ff",
"event_type":"DELETE_USER","ip_address":"1.1.1.1","type":"event","session_id":null,
"additional_details":null}

Query Sample

Top 10 Failed Logins

_sourceCategory=box  type "event_type" login
| json "created_at","ip_address","event_type","created_by.name","created_by.login" as messagetime,src_ip,event_type, src_user,src_login nodrop
| json "source.name","source.login","source.type"  as dest_user,dest_login, item_type nodrop
| where event_type="FAILED_LOGIN" 
| count as EventCount by src_user,src_login,src_ip | top 10 src_user,src_login,src_ip by EventCount
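The same top-10 failed-login logic as the query above, carried out in Python over raw Box event lines in the format shown under Sample Log Messages. This is an added example, not code from the page or from SumoJanus; the sample events, the make_event helper and the IP addresses are constructed for illustration, and missing JSON paths are returned as None to mirror the query's nodrop behaviour.

```python
import json
from collections import Counter

# Constructed sample events in the shape of the page's Sample Log Messages (not real Box data).
def make_event(event_type, ip, actor=None, created_at="2016-12-15T11:08:58-08:00"):
    event = {
        "source": {"type": "user", "id": "225980941", "name": "First Last", "login": "user@example.com"},
        "created_at": created_at, "event_id": "constructed-id", "event_type": event_type,
        "ip_address": ip, "type": "event", "session_id": None, "additional_details": None,
    }
    if actor is not None:  # omit created_by entirely to exercise the nodrop case
        event["created_by"] = {"type": "user", "id": "1", "name": actor[0], "login": actor[1]}
    return json.dumps(event)

SAMPLE_LINES = [
    make_event("LOGIN", "203.0.113.5", ("First Last", "user@example.com")),
    make_event("FAILED_LOGIN", "203.0.113.5", ("First Last", "user@example.com")),
    make_event("FAILED_LOGIN", "203.0.113.5", ("First Last", "user@example.com")),
    make_event("FAILED_LOGIN", "203.0.113.5", ("First Last", "user@example.com")),
    make_event("FAILED_LOGIN", "198.51.100.7"),  # no created_by block at all
    make_event("DELETE_USER", "203.0.113.5", ("First Last", "user@example.com")),
]

# Aliases used by the page's query, mapped to the dotted JSON paths the json operator reads.
FIELDS = {
    "messagetime": "created_at", "src_ip": "ip_address", "event_type": "event_type",
    "src_user": "created_by.name", "src_login": "created_by.login",
    "dest_user": "source.name", "dest_login": "source.login", "item_type": "source.type",
}

def dig(obj, dotted_path):
    """Follow a dotted path; return None when any step is missing, like the query's nodrop."""
    for key in dotted_path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def parse_event(line):
    """Extract the query's fields from one raw Box event line."""
    event = json.loads(line)
    return {alias: dig(event, path) for alias, path in FIELDS.items()}

def top_failed_logins(lines, limit=10):
    """count as EventCount by src_user,src_login,src_ip | top <limit> by EventCount."""
    counts = Counter()
    for line in lines:
        record = parse_event(line)
        if record["event_type"] == "FAILED_LOGIN":
            counts[(record["src_user"], record["src_login"], record["src_ip"])] += 1
    return counts.most_common(limit)
```

Feeding real exported lines to top_failed_logins gives the same grouping the Sumo Logic query produces, which is handy for checking a search against a local sample before relying on it in a dashboard.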

Sumo Logic App

Now that you have set up collection for Box, install the Sumo Logic App for Box to use the preconfigured searches and dashboards, which provide insight into website visitor behavior patterns, monitor server operations, and assist in troubleshooting issues that span entire web server farms.

The Script Source is available for Linux or Windows environments with Java Runtime Environments.