SumoLogic
Local copy of the forums and blogs info
Getting current configuration using API
How can I see what a particular JSON syntax should look like in the sources.conf file? My new Source is not being created properly using the syntax that I am specifying.
Answer:
You can pull perfect working examples from a Source that is configured in the Sumo Logic Web Application UI by accessing the API via command line or browser.
1. Access the Sumo Logic API in a browser via https://api.sumologic.com/api/v1/collectors/.
2. Log in and locate the Collector where your Source is configured.
3. View the source URL that is located under the "href":
Example:
"href":"/v1/collectors/101453412/sources"
4. Append the path containing your Source's ID from Step 3 to the API URL, and then enter the full URL in your browser:
Example:
https://api.sumologic.com/api/v1/collectors/101453412/sources
Fortinet and SumoLogic integration
Forward syslog to SumoLogic
There are 2 places that need configuration options set up for this to work, with correct timestamp parsing (very important!), between the FortiGate and Sumo Logic.
Let’s start first with Sumo Logic.
By now you should have a collector deployed, but we need to set up a new ingestion point for the FortiGate device to send its version of syslog data to, mostly because of the timestamp format used by the firewall. In my example I will be using port 4514/UDP. Use whatever port suits your network and set your naming as needed.
- Add a new source and configure it as a syslog source.
- Give it a name: fgt_udp_4514
- Set the protocol to UDP
- Set the port to 4514
- Set your Category appropriately: fw_security
- Enable timestamp parsing (check the box if not already checked)
- Select ‘use time zone from logfile’ and set your local timezone
- In ‘Timestamp Format’ select ‘Specify a format’
- In the Format box, enter exactly:
'date='yyyy-MM-dd 'time='HH:mm:ss
- Then save this new Source.
If you are doing your configuration via a deployed JSON file then you would just need to add the following JSON stanza to your configuration.
{
    "name": "fgt_udp_4514",
    "automaticDateParsing": true,
    "multilineProcessingEnabled": false,
    "useAutolineMatching": false,
    "forceTimeZone": false,
    "timeZone": "America/Chicago",
    "defaultDateFormat": "'date='yyyy-MM-dd 'time='HH:mm:ss",
    "encoding": "UTF-8",
    "protocol": "UDP",
    "port": 4514,
    "category": "fw_security",
    "sourceType": "Syslog"
}
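Before pointing a firewall at the new Source it is worth checking that the timestamp format above actually matches the lines the FortiGate emits, because a format that does not match silently falls back to receipt time and every event then carries the wrong timestamp. The script below is an added example, not part of the original post or of Sumo Logic's or Fortinet's code: it translates the Joda-style pattern from the stanza into a regex and a strptime format, finds the timestamp in constructed FortiGate-style key=value log lines, and normalises it from the stanza's time zone to UTC. The sample log lines, the device name and the IP addresses are constructed; the token subset handled (yyyy, MM, dd, HH, mm, ss and single-quoted literals) is only what the post's format uses.

```python
"""Check a Sumo Logic 'Specify a format' timestamp pattern against FortiGate-style syslog.

Added example (not from the post, Sumo Logic or Fortinet). Assumes FortiGate log bodies
are space-separated key=value pairs whose values may be double-quoted, optionally
prefixed with a syslog <PRI> value, and that the format string uses Java/Joda letters.
"""
import re
import shlex
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# The fields from the post's source stanza that matter for timestamp handling.
SOURCE_STANZA = {
    "name": "fgt_udp_4514",
    "timeZone": "America/Chicago",
    "defaultDateFormat": "'date='yyyy-MM-dd 'time='HH:mm:ss",
    "protocol": "UDP",
    "port": 4514,
}

# Constructed sample lines: one FortiGate traffic log, one unrelated syslog line.
SAMPLE_LINES = [
    '<189>date=2019-05-14 time=08:15:30 devname="fgt-lab" logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=192.0.2.10 '
    'dstip=198.51.100.7 dstport=443 action="accept" msg="Traffic log"',
    "May 14 08:15:31 fgt-lab kernel: no fortinet key=value fields in this line",
]

# Joda/Java pattern letter -> (strptime directive, regex fragment). Subset used by the post.
_TOKENS = {
    "yyyy": ("%Y", r"\d{4}"),
    "MM": ("%m", r"\d{2}"),
    "dd": ("%d", r"\d{2}"),
    "HH": ("%H", r"\d{2}"),
    "mm": ("%M", r"\d{2}"),
    "ss": ("%S", r"\d{2}"),
}


def compile_format(pattern: str):
    """Return (strptime_format, compiled_regex) for a Joda-style pattern.

    Single-quoted text is a literal (as in 'date='); known letters become directives;
    anything else (separators such as '-', ':', ' ') is copied through verbatim.
    """
    fmt, rx = [], []
    i = 0
    while i < len(pattern):
        if pattern[i] == "'":
            j = pattern.index("'", i + 1)  # literal runs to the closing quote
            literal = pattern[i + 1:j]
            fmt.append(literal.replace("%", "%%"))
            rx.append(re.escape(literal))
            i = j + 1
            continue
        for token, (directive, fragment) in _TOKENS.items():
            if pattern.startswith(token, i):
                fmt.append(directive)
                rx.append(fragment)
                i += len(token)
                break
        else:
            fmt.append(pattern[i])
            rx.append(re.escape(pattern[i]))
            i += 1
    return "".join(fmt), re.compile("".join(rx))


def parse_fortigate_line(line: str) -> dict:
    """Split a FortiGate key=value line into a dict; quoted values keep their spaces."""
    body = re.sub(r"^<\d{1,3}>", "", line)  # drop the syslog <PRI> prefix if present
    fields = {}
    for token in shlex.split(body):  # shlex honours "quoted values with spaces"
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def extract_timestamp(line: str, stanza: dict = SOURCE_STANZA):
    """Locate the timestamp the configured Source would use and return it in UTC.

    Returns None when the format does not match anywhere in the line, which is the case
    in which the collector would fall back to receipt time.
    """
    fmt, rx = compile_format(stanza["defaultDateFormat"])
    match = rx.search(line)
    if match is None:
        return None
    local = datetime.strptime(match.group(0), fmt).replace(tzinfo=ZoneInfo(stanza["timeZone"]))
    return local.astimezone(timezone.utc)


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        stamp = extract_timestamp(sample)
        action = parse_fortigate_line(sample).get("action", "n/a")
        print(f"{stamp.isoformat() if stamp else 'NO MATCH (receipt time)':<30} action={action}")
```

Run it against a few lines captured from your own firewall before saving the Source; a line that prints NO MATCH is one whose timestamp the collector would replace with the time it was received.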
Now to configure the FortiGate, which has far fewer steps involved. As far as I know this can only be configured via the CLI.
Log in on the CLI and type the following to look at the current configuration (double-check to see what might be already configured):
show log syslogd setting
If there isn't a configuration in the firewall then you'll have no output displayed, but if it's already configured then you should see something like the following:
config log syslogd setting
    set status enable
    set server "10.10.245.79"
    set port 4514
end
If you have nothing configured then it is easy to get started.
config log syslogd setting
    set server IP_ADDRESS
    set port PORT_NUMBER
    set status enable
end
If you already have a syslog destination configured, and you don’t want to change that, then you can configure up to 2 more destinations.
Just replace
config log syslogd setting
with
config log syslogd2 setting
then add in your 3 configuration lines and ‘end’.