SumoLogic

From Igor personal wiki

Local copy of information from forums and blogs


Getting current configuration using API

How can I see what a particular JSON syntax should look like in the sources.conf file? My new Source is not being created properly using the syntax that I am specifying.

Answer:

You can pull perfect working examples from a Source that is configured in the Sumo Logic Web Application UI by accessing the API via command line or browser.

  1. Access the Sumo Logic API in a browser via https://api.sumologic.com/api/v1/collectors/.
  2. Log in and locate the Collector where your Source is configured.
  3. View the source URL that is located under the "href":

Example:

"href":"/v1/collectors/101453412/sources"

  4. Append the path containing your Source's ID from Step 3 to the API URL, and then enter the full URL in your browser:

Example:

https://api.sumologic.com/api/v1/collectors/101453412/sources
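The same walk done in code, as an added example (not from the answer's author or from Sumo Logic): list the collectors, follow the collector's "href" to its sources, and strip the server-assigned fields so the API's view of a source becomes a stanza you can paste into sources.conf. It assumes HTTP basic auth with an access ID/key pair (the answer only mentions a browser login), the collector name "fw-collector" and the field list in READ_ONLY_FIELDS; the sample responses are constructed, with the collector ID and href taken from the example above.

```python
"""Fetch a working source definition from the Sumo Logic Collector API.

Added example, not from the page's author or from Sumo Logic. Assumptions:
HTTP basic auth with an access ID/key pair, and that the fields listed in
READ_ONLY_FIELDS are server-assigned and must be dropped before a stanza
is used as local configuration.
"""
import base64
import json
import sys
import urllib.request
from typing import Any, Dict

API_ROOT = "https://api.sumologic.com/api"   # hrefs returned by the API are relative to this

# Fields the API reports on a source that local config must not carry (assumption).
READ_ONLY_FIELDS = {"id", "alive"}


def full_url(href: str) -> str:
    """Turn an href such as '/v1/collectors/101453412/sources' into a request URL."""
    return API_ROOT + href


def api_get(href: str, access_id: str, access_key: str) -> Dict[str, Any]:
    """GET the resource at href with HTTP basic auth and decode the JSON body."""
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    req = urllib.request.Request(full_url(href),
                                 headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def sources_href(collectors_doc: Dict[str, Any], collector_name: str) -> str:
    """Find the named collector and return the 'href' of its sources link."""
    for collector in collectors_doc["collectors"]:
        if collector["name"] != collector_name:
            continue
        for link in collector.get("links", []):
            if link.get("rel") == "sources":
                return link["href"]
    raise KeyError(f"no sources link for collector {collector_name!r}")


def to_sources_conf(sources_doc: Dict[str, Any]) -> Dict[str, Any]:
    """Strip server-assigned fields so API source objects become sources.conf stanzas."""
    stanzas = [{k: v for k, v in src.items() if k not in READ_ONLY_FIELDS}
               for src in sources_doc["sources"]]
    return {"api.version": "v1", "sources": stanzas}


# Constructed sample responses shaped like the API's (not captured output);
# the collector ID and href are the ones from the example above.
SAMPLE_COLLECTORS = {"collectors": [
    {"id": 101453412, "name": "fw-collector", "collectorType": "Installable",
     "links": [{"rel": "sources", "href": "/v1/collectors/101453412/sources"}]},
]}
SAMPLE_SOURCES = {"sources": [
    {"id": 200001, "name": "fgt_udp_4514", "sourceType": "Syslog", "protocol": "UDP",
     "port": 4514, "category": "fw_security", "automaticDateParsing": True},
]}

if __name__ == "__main__":
    # usage: script.py <collector name> <access id> <access key>
    name, access_id, access_key = sys.argv[1:4]
    href = sources_href(api_get("/v1/collectors", access_id, access_key), name)
    print(json.dumps(to_sources_conf(api_get(href, access_id, access_key)), indent=2))
```

API_ROOT is the endpoint the answer uses; other Sumo Logic deployments have their own API host, so change it to match the one your account is on.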


Fortinet and SumoLogic integration

Forward syslog to SumoLogic

There are two places that need configuration for this to work, with correct timestamp parsing (very important!): the Fortigate and Sumo Logic.

Let’s start first with Sumo Logic.

By now you should have a collector deployed, but we need to set up a new ingestion point for the Fortigate device to send its version of syslog data to, mostly because of the timestamp format used by the firewall. In my example I will use port 4514/UDP. Use whatever port suits your network and set your naming as needed.

  1. Add a new source and configure it as a syslog source.
  2. Give it a name: fgt_udp_4514
  3. Set the protocol to UDP
  4. Set the port to 4514
  5. Set your Category appropriately: fw_security
  6. Enable timestamp parsing (check the box if not already checked)
  7. Select ‘use time zone from logfile’ and set your local timezone
  8. In ‘Timestamp Format’ select ‘Specify a format’
  9. In the Format box, enter exactly (the firewall writes a four-digit year, matching the JSON below):

'date='yyyy-MM-dd 'time='HH:mm:ss

  10. Then save this new collector input.

If you are doing your configuration via a deployed JSON file (sources.conf), add the following stanza to its sources array.

 {
   "name": "fgt_udp_4514",
   "automaticDateParsing": true,
   "multilineProcessingEnabled": false,
   "useAutolineMatching": false,
   "forceTimeZone": false,
   "timeZone": "America/Chicago",
   "defaultDateFormat": "'date='yyyy-MM-dd 'time='HH:mm:ss",
   "encoding": "UTF-8",
   "protocol": "UDP",
   "port": 4514,
   "category": "fw_security",
   "sourceType": "Syslog"
 },

Now to configure the Fortigate, which involves far fewer steps. As far as I know this can only be configured via the CLI.

Log in to the CLI and run the following to look at the current configuration (double-check what might already be configured):

show log syslogd setting

If there is no configuration in the firewall you will see no output, but if it is already configured you should see something like the following:

config log syslogd setting
   set status enable
   set server "10.10.245.79"
   set port 4514 
end

If you have nothing configured then it is easy to get started.

config log syslogd setting
   set server IP_ADDRESS
   set port PORT_NUMBER
   set status enable
end

If you already have a syslog destination configured and you don't want to change it, you can configure up to two more destinations.

Just replace

config log syslogd setting

with

config log syslogd2 setting

then add your three configuration lines and 'end'.
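Before pointing the firewall at the collector it is worth checking that the format entered in the Sumo Logic source actually matches what the Fortigate sends, and that the UDP port is reachable from the firewall's network. The script below is an added example (not from the post's author, Sumo Logic or Fortinet) covering both halves of the procedure above: it translates the page's Java-style format string into a regular expression, parses constructed Fortigate key=value lines with it, applies the fallback zone the source is configured with, and can send a line to the UDP source. Assumptions: CHICAGO_STANDARD is a fixed-offset stand-in for the America/Chicago zone in the JSON above, the tz="-0500" field is what newer FortiOS builds add to each event (check your firmware), and the sample lines are constructed rather than captured from a device.

```python
"""Check Fortigate syslog lines against the Sumo Logic timestamp format.

Added example, not code from the page's author, Sumo Logic or Fortinet.
"""
import re
import socket
from datetime import datetime, timedelta, timezone, tzinfo
from typing import Optional

# The format exactly as it appears in the source JSON above. Sumo uses Java-style
# date pattern letters; text inside single quotes is matched literally.
SUMO_FORMAT = "'date='yyyy-MM-dd 'time='HH:mm:ss"

# Fixed-offset stand-in for "America/Chicago" in standard time (assumption; a
# real collector applies the configured zone, DST included).
CHICAGO_STANDARD = timezone(timedelta(hours=-6))

# Pattern letters this translator understands, as named regex groups.
_TOKENS = {
    "yyyy": r"(?P<year>\d{4})",
    "MM": r"(?P<month>\d{2})",
    "dd": r"(?P<day>\d{2})",
    "HH": r"(?P<hour>\d{2})",
    "mm": r"(?P<minute>\d{2})",
    "ss": r"(?P<second>\d{2})",
}

# Newer FortiOS builds add a tz="-0500" field to each event (assumption: confirm
# the field name and form on your firmware version).
_TZ_FIELD = re.compile(r'\btz="?([+-])(\d{2})(\d{2})"?')


def java_format_to_regex(fmt: str) -> "re.Pattern[str]":
    """Translate the supported subset of a Java date pattern into a regex.

    Raises ValueError on a pattern letter it does not know (for example a
    two-digit year 'yy') rather than silently matching something else.
    """
    parts = []
    i = 0
    while i < len(fmt):
        if fmt[i] == "'":
            end = fmt.index("'", i + 1)          # literal text up to the closing quote
            parts.append(re.escape(fmt[i + 1:end]))
            i = end + 1
            continue
        for token in sorted(_TOKENS, key=len, reverse=True):
            if fmt.startswith(token, i):
                parts.append(_TOKENS[token])
                i += len(token)
                break
        else:
            if fmt[i].isalpha():
                raise ValueError(f"unsupported pattern letter {fmt[i]!r} in {fmt!r}")
            parts.append(re.escape(fmt[i]))     # separators such as '-', ':' and ' '
            i += 1
    return re.compile("".join(parts))


def format_is_supported(fmt: str) -> bool:
    """True if java_format_to_regex() accepts fmt."""
    try:
        java_format_to_regex(fmt)
        return True
    except ValueError:
        return False


def parse_timestamp(line: str, fallback_tz: tzinfo = CHICAGO_STANDARD,
                    fmt: str = SUMO_FORMAT) -> Optional[datetime]:
    """Return the aware timestamp the source would assign, or None if no match.

    With 'use time zone from logfile' the zone comes from the message when it
    carries one (the tz= field) and from the source's configured zone otherwise.
    """
    m = java_format_to_regex(fmt).search(line)
    if m is None:
        return None
    tz_match = _TZ_FIELD.search(line)
    if tz_match:
        sign, hh, mm = tz_match.groups()
        offset = timedelta(hours=int(hh), minutes=int(mm))
        zone = timezone(offset if sign == "+" else -offset)
    else:
        zone = fallback_tz
    return datetime(int(m["year"]), int(m["month"]), int(m["day"]),
                    int(m["hour"]), int(m["minute"]), int(m["second"]), tzinfo=zone)


def send_test_message(line: str, host: str, port: int = 4514) -> int:
    """Send one line to the collector's UDP syslog source; returns bytes sent.

    Plain UDP syslog carries no authentication, so anything that can reach the
    port can inject fake firewall events: restrict the port to the firewall's
    address on the collector host.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(line.encode("utf-8"), (host, port))


# Constructed sample lines in Fortigate key=value style (not device output).
SAMPLE_LINES = [
    'date=2020-03-08 time=01:59:59 devname="fgt1" logid="0000000013" type="traffic" action="accept"',
    'date=2020-03-08 time=03:00:01 devname="fgt1" logid="0000000013" type="traffic" tz="-0500" action="deny"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_timestamp(sample), "<-", sample[:40])
```

Run it as-is to see the stamps the two sample lines get; to check reachability, call send_test_message() with one of the samples and the collector's address and confirm the message appears under the fw_security category. A format with a two-digit year is rejected by the translator rather than parsed, which is the kind of mismatch that leaves events stamped with arrival time instead of the firewall's time.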