Adding Sumo Logic as an SIEM logging endpoint
- Updated: 2024/10/21
To configure the server to which audit logs are sent, add Sumo Logic as a SIEM logging endpoint.
Prerequisites
Note: To perform this task, you must have a Control Room administrator account with the required rights and permissions.
Procedure
- Navigate to Administration > Settings > SIEM Integration Configuration.
- Click the Edit icon.
- Select Enabled and paste the SIEM server endpoint that you copied previously, from Adding Sumo Logic as an SIEM logging endpoint.
  Note: Refer to your SIEM provider's documentation for the required HTTP headers and for the JSON attributes expected in the request body.
- Select the POST HTTP method, because Sumo Logic accepts the inputs as a POST request.
  Note: The SIEM tool certificate is optional and depends on the SIEM provider. Some SIEM providers require you to enter a valid SIEM tool certificate.
- Enter a name for Event attribute (for example, audit or message). This value serves as the key under which audit events are sent to your SIEM solution; all audit events are recorded under this category.
  Note: The timestamp attribute is an optional field and depends on the SIEM provider's mapping for this field. For example, Splunk requires the value to be time, mapped to one of its timestamp fields. The maximum length allowed is 256 characters. All special characters are allowed except the backslash (\) and the double quotation mark ("), which must be escaped.
- Click the plus (+) sign to enter key-value pairs for the body (static attributes) that are sent along with the logs. The key-value pairs also accept special characters as input. You can configure a maximum of 50 attributes.
- Click the plus (+) sign to enter key-value pairs for the header field; each pair is sent as an HTTP header with every audit event. The header data is specific to the SIEM provider. For example, Sumo Logic supports header names starting with the letter X (for example, X-Sumo-Fields). You can configure a maximum of 50 headers. For more information about header data, see the corresponding SIEM provider's documentation.
  Note: The following HTTP headers are sent as part of all audit events forwarded to your SIEM solution. Therefore, do not include them among the key-value pairs associated with any audit event:
  - Content-Type: application/json
  - Accept: application/json
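As an added illustration, not part of this documentation or of the product's own code, the following Python checks a configuration against the limits described in the steps above (POST only, the event attribute key, at most 50 static attributes and 50 headers, no Content-Type or Accept among the custom headers, the 256-character and escaping rules for the timestamp attribute) and assembles the headers and JSON body one audit event would be sent with. The configuration dictionary, its field names and the sample values are assumptions made for the example.

```python
import json

# Headers the Control Room adds to every forwarded audit event; never configure them again.
RESERVED_HEADERS = {"content-type", "accept"}
MAX_ENTRIES = 50  # limit for both static body attributes and custom headers


def has_unescaped_specials(value):
    """True if value holds a bare backslash or double quote; both must be escaped."""
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in '\\"':
            i += 2  # properly escaped \\ or \"
        elif value[i] in '\\"':
            return True
        else:
            i += 1
    return False


def validate_config(cfg):
    """Return the list of problems found in a SIEM endpoint configuration dict (assumed layout)."""
    errors = []
    if cfg.get("http_method", "").upper() != "POST":
        errors.append("Sumo Logic accepts audit events only with the POST method")
    if not cfg.get("event_attribute"):
        errors.append("event attribute (for example 'audit' or 'message') is required")
    if len(cfg.get("body_attributes", {})) > MAX_ENTRIES:
        errors.append(f"more than {MAX_ENTRIES} static body attributes")
    headers = cfg.get("header_attributes", {})
    if len(headers) > MAX_ENTRIES:
        errors.append(f"more than {MAX_ENTRIES} custom headers")
    errors += [f"header {h} is sent automatically; remove it"
               for h in headers if h.lower() in RESERVED_HEADERS]
    ts = cfg.get("timestamp_attribute")
    if ts is not None and (len(ts) > 256 or has_unescaped_specials(ts)):
        errors.append("timestamp attribute: max 256 chars; escape backslash and double quote")
    return errors


def build_request(cfg, audit_event):
    """Assemble the headers and JSON body that one audit event would be POSTed with."""
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    headers.update(cfg.get("header_attributes", {}))
    body = dict(cfg.get("body_attributes", {}))  # static attributes sent with every log
    body[cfg["event_attribute"]] = audit_event    # the event sits under the configured key
    return headers, json.dumps(body)


SAMPLE_CONFIG = {  # constructed sample mirroring the fields in the procedure above
    "http_method": "POST", "event_attribute": "audit", "timestamp_attribute": "time",
    "body_attributes": {"source": "control-room", "env": "prod"},
    "header_attributes": {"X-Sumo-Fields": "app=control-room"},
}
```

Running `validate_config(SAMPLE_CONFIG)` returns an empty list, and `build_request(SAMPLE_CONFIG, {...})` shows the event nested under the `audit` key next to the static attributes, with the automatic headers already present.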