Adding Sumo Logic as an SIEM logging endpoint

To configure the server to which audit logs are sent, add Sumo Logic as an SIEM logging endpoint.

Prerequisites

Note: To perform this task, you must have a Control Room administrator account with the required rights and permissions.

Procedure

  1. Navigate to Administration > Settings > SIEM Integration Configuration.
    Access SIEM Integration Configuration
  2. Click the Edit icon.
  3. Select Enabled and paste the SIEM server endpoint that you copied previously (see Adding Sumo Logic as an SIEM logging endpoint).
    Enable SIEM Server Endpoint
    Note: Refer to your SIEM provider's documentation for the required HTTP headers and for its requirements on the JSON attributes in the request body.
  4. Select POST as the HTTP method, because Sumo Logic accepts the input as a POST request.
    Note: The SIEM tool certificate is optional and depends on the SIEM provider. Some SIEM providers require you to enter a valid SIEM tool certificate.
  5. Enter a name for the Event attribute (for example, audit). All log messages are logged under this category, and it acts as the key for locating all the event logs.
    Note: The timestamp attribute is optional and depends on the SIEM provider's mapping for this field. For example, Splunk requires the value to be time, mapped to one of its timestamp fields. The maximum length allowed is 256 characters. All special characters are allowed except the backslash (\) and the double quotation mark ("); these characters must be escaped.
  6. Click the plus (+) sign to enter key-value pairs for the body (static attributes) that are sent along with the logs. The key-value pairs also accept special characters as input. You can configure a maximum of 50 attributes.
    SIEM Key-value pairs
  7. Click the plus (+) sign to enter key-value pairs for the headers sent with every event data log. The header data is specific to the SIEM provider; for example, Sumo Logic supports header names starting with the letter X (such as X-Sumo-Fields). You can configure a maximum of 50 headers.
    SIEM Header Key Value pairs
    For more information about header data, see the corresponding SIEM provider's documentation.
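The following is an added example, not code from Automation Anywhere or Sumo Logic. It assembles the POST request that steps 4 to 7 describe and enforces the limits the page states (256-character attribute names, escaped backslashes and double quotes, at most 50 static attributes and 50 headers); the exact JSON layout of the body, the function names and the placeholder endpoint are assumptions.

```python
import json

MAX_ATTR_LEN = 256   # limit stated for the attribute name fields
MAX_PAIRS = 50       # limit stated for static attributes and for headers


def is_valid_attribute(name: str) -> bool:
    """Page rules: at most 256 chars; backslash and double quote only if escaped."""
    if not name or len(name) > MAX_ATTR_LEN:
        return False
    i = 0
    while i < len(name):
        if name[i] == "\\":          # a backslash must escape a following \ or "
            if i + 1 >= len(name) or name[i + 1] not in '\\"':
                return False
            i += 2
            continue
        if name[i] == '"':           # a bare double quote is not allowed
            return False
        i += 1
    return True


def build_siem_request(endpoint, event_attr, static_attrs, headers, event,
                       timestamp_attr=None):
    """Assemble the POST the Control Room would send (body layout is an assumption)."""
    if not is_valid_attribute(event_attr):
        raise ValueError("event attribute violates the naming rules")
    if timestamp_attr is not None and not is_valid_attribute(timestamp_attr):
        raise ValueError("timestamp attribute violates the naming rules")
    if len(static_attrs) > MAX_PAIRS or len(headers) > MAX_PAIRS:
        raise ValueError(f"at most {MAX_PAIRS} static attributes and {MAX_PAIRS} headers")
    body = dict(static_attrs)          # step 6: static key-value pairs sent with every log
    body[event_attr] = event           # step 5: the event is logged under this category
    if timestamp_attr:                 # optional mapping onto the SIEM's time field
        body[timestamp_attr] = event.get("timestamp")
    return {
        "method": "POST",              # step 4: Sumo Logic accepts input via POST
        "url": endpoint,
        "headers": {"Content-Type": "application/json", **headers},  # step 7
        "body": json.dumps(body),
    }


# Constructed sample event and placeholder endpoint; these are not real values.
SAMPLE = build_siem_request(
    "https://collectors.example/receiver/v1/http/PLACEHOLDER", "audit",
    {"source": "control-room"}, {"X-Sumo-Fields": "env=prod"},
    {"timestamp": "2024-01-01T00:00:00Z", "action": "USER_LOGIN", "user": "admin"},
)
```

The returned dictionary maps directly onto `urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")` when a real collector endpoint is available.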