Skip to main content

Ingest OneLogin Data into Cloud SIEM

To ingest OneLogin data into Cloud SIEM:

  1. Configure an HTTP Logs and Metrics source on a collector. When you configure the source, do the following:
    1. Select the Forward to SIEM option in the source configuration UI. This will ensure all logs for this source are forwarded to Cloud SIEM.
    2. Click the +Add link to add a field whose name is _parser with value /Parsers/System/OneLogin/OneLogin SSO JSON. This ensures that the OneLogin logs are parsed and normalized into structured records in Cloud SIEM.
  2. Configure OneLogin to send log messages to the Sumo Logic platform. For instructions, see Streaming Real-Time OneLogin Event Data to SIEM Solutions in the OneLogin knowledge base. You must use the SIEM (NDJSON) format. Use the Sumo Logic HTTP Source URL as the Listener URL, and a custom header is not needed.
  3. To verify that your logs are successfully making it into Cloud SIEM:
    1. Classic UI. In the top menu select Configuration, and then under Incoming Data select Log Mappings.
      New UI. In the top menu select Configuration, and then under Cloud SIEM Integrations select Log Mappings. You can also click the Go To... menu at the top of the screen and select Log Mappings.
    2. On the Log Mappings tab search for "OneLogin" and check the Records columns.
    3. For a more granular look at the incoming records, you can also search the Sumo Logic platform for OneLogin security records:
      _index=sec_record* and metadata_product = "OneLogin"
Edit this page
Last updated on by John Pipkin (Sumo Logic)
Status
Legal
Privacy Statement
Terms of Use

Copyright © 2025 by Sumo Logic, Inc.