Collect Observable Network Logs

Add a Hosted Collector with an HTTP Source

  1. In Sumo Logic, go to Manage > Collection.
  2. Click Access Keys.
  3. Add a new access key called Observable Networks, then save the new Access ID and Access Key values.
  4. Go back to the Manage Collection page.
  5. Click Add Collector, select Hosted Collector, and name it "observable" (case sensitive). For complete instructions, see Set up Hosted Collector.
  6. From this new Collector, click Add Source, select HTTP, and name it "observable". For complete instructions, see HTTP Source.
  7. Deselect the check box Enable Timestamp Parsing.
  8. When the URL associated with the Source is displayed, copy the URL so you can use it to send files.

Configure the Observable Portal

  1. From your Observable Networks portal, click Settings (gear icon) > Integrations > Sumo Logic > Settings.
  2. On the Sumo Logic Settings page, enter the Access ID, Access Key, and Source URL from the previous section.
  3. Check Enabled, then click Save.

Your Observable Networks deployment will now publish alert and endpoint information to Sumo Logic.

Configure Log Monitoring (optional)

If you have Sumo Logic API access, you can integrate Observable Networks and Sumo Logic even further. You can configure Observable Networks to identify devices on your network that do not have Collectors installed. Additionally, Observable Networks can parse authentication log ("auth.log") data from certain Linux distributions (e.g., Ubuntu) to monitor user access.

Identify Missing Collectors

You can configure the Observable Networks portal to expect certain roles in the network to have corresponding log files. For example, you might expect a Terminal Server to capture an auth.log. When you configure this expectation, Observable will alert when a role is missing an expected log file, notifying you that there is a gap in your log coverage.

To configure an expectation in Observable Networks:

  1. From your Observable Networks portal, click Settings (gear icon) > Integrations > Sumo Logic > Logs.
  2. Enter the name for the expected log, such as Auth Log.
  3. Enter the Log Query Prefix, which is the search prefix given to Sumo Logic to filter for this log. For example, _source=auth.log.
  4. Select the roles that are expected to have this log. For example, Terminal Server.
  5. Click Save.

You can also add a log without associating any roles. In this case, simply leave all roles deselected in Step 4.

Parse Authentication Logs

If you are collecting auth.log data in Sumo Logic from a compatible Linux distribution, you can configure Observable Networks to parse this data and monitor session activity.

Before you begin, make sure that you are collecting from an auth.log source, and make sure that it is configured on the Sumo Logic Logs page.

To parse authentication logs:

  1. From your Observable Networks portal, click Settings (gear icon) > Integrations > Sumo Logic > Settings.
  2. From the Auth.log drop-down, select the log configuration that represents the auth.log source.
  3. Click Save.
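An added example (not code from the Sumo Logic or Observable Networks documentation) that models the two checks described in the sections above: parsing Ubuntu-style auth.log lines into per-host session and failed-login events, and flagging devices whose role expects an auth.log that Sumo Logic has not received from them. The expectation, device inventory, role names and log lines are constructed, and the gap check assumes the hostname in each log line matches the device name in the inventory.

```python
import re
from collections import defaultdict

# Expectation as entered on the Sumo Logic > Logs page (constructed values).
EXPECTED_LOGS = [
    {"name": "Auth Log", "prefix": "_source=auth.log", "roles": {"Terminal Server"}},
]

# Constructed inventory: device name -> role assigned in the Observable portal.
DEVICES = {"ts-01": "Terminal Server", "ts-02": "Terminal Server", "printer-07": "Printer"}

# Constructed auth.log lines in the Ubuntu sshd/PAM format Sumo Logic would hold.
AUTH_LOG = """\
Mar 10 13:45:01 ts-01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar 10 13:45:01 ts-01 sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 10 13:52:17 ts-01 sshd[1201]: pam_unix(sshd:session): session closed for user alice
Mar 10 14:02:44 ts-01 sshd[1337]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$")
SESSION_RE = re.compile(r"session (?P<state>opened|closed) for user (?P<user>\S+)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_auth_log(text):
    """Return hosts seen, session open/close events per host, and failed logins per host."""
    out = {"hosts": set(), "sessions": defaultdict(list), "failures": defaultdict(list)}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a syslog-style auth.log line: skip rather than guess
        host, msg = m["host"], m["msg"]
        out["hosts"].add(host)  # any parsed line proves this host is sending auth.log
        if s := SESSION_RE.search(msg):
            out["sessions"][host].append((s["state"], s["user"]))
        elif f := FAILED_RE.search(msg):
            out["failures"][host].append((f["user"], f["ip"]))
    return out


def coverage_gaps(expected_logs, devices, hosts_seen):
    """Devices whose role expects a log, but for which no line was received (a coverage gap)."""
    gaps = []
    for log in expected_logs:
        for device, role in devices.items():
            if role in log["roles"] and device not in hosts_seen:
                gaps.append((device, log["name"]))
    return sorted(gaps)


if __name__ == "__main__":
    parsed = parse_auth_log(AUTH_LOG)
    print(parsed["sessions"], parsed["failures"])
    print(coverage_gaps(EXPECTED_LOGS, DEVICES, parsed["hosts"]))  # [('ts-02', 'Auth Log')]
```

In a live deployment the `hosts_seen` set would come from the hosts returned by a Sumo Logic search on the configured prefix; the printer is ignored because its role has no expectation.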