Integrate with Sumo Logic

In this topic, you will learn how to send Portnox™ Cloud alerts to the Sumo Logic SIEM solution.

Create a HTTP collector in Sumo Logic

In this section, you will learn how to add a HTTP collector in Sumo Logic, so that it can receive data via HTTPS from Portnox™ Cloud.

  1. Open your Sumo Logic dashboard in the browser.
  2. In the left-hand side menu, select the Manage Data > Collection option.

  3. In the top-right corner of the Collection pane, click on the Setup Wizard link.

  4. Hover your mouse cursor over the Integrate with Sumo Logic tile, and then click on the Get Started button.

  5. On the Select Data Type screen, scroll all the way down, and then click on the All Other Sources tile.

  6. On the Set Up Collection screen, click on the HTTPS Source tile.

  7. On the Configure Source: HTTP Source screen, do the following:

    1. In the Source Category field, enter a source category for this source.

      Source categories are used by Sumo Logic to categorize log data and later to search for logs. The suggested format is: environment / server type / app name / log type.

      In this example, we used prod/web/portnox/event, but you can come up with your own category.

    2. In the Select a time zone for your log file section, we recommend that you select the option Ignore time zone from log file, and select the time zone for all your alerts.

      You can choose the other option if you have a multi-zone environment and would rather use local time zone information.

    3. Click on the Next button and wait a moment until Sumo Logic completes the setup.
  8. In the next step of the Configure Source: HTTP Source screen, click on the Copy button to copy the HTTP source URL. Then, click on the Next button.

    Save the copied value in a text file. You will need this value to configure Portnox Cloud.

  9. Wait until you receive an email confirming that your source is active. Click on the Sumo Logic logo to go back to your Sumo Logic dashboard.

Result: The collector is running.

Configure Portnox Cloud

In this section, you will learn how to configure Portnox™ Cloud to send alert data to the Sumo Logic collector.

  1. In the Cloud portal top menu, click on the Settings option.

  2. In the Cloud portal left-hand menu, click on the Integration Services > SIEM INTEGRATION SERVICE option.

  3. Create a new SIEM integration with Sumo Logic.
    1. In the SIEM integration service section, click on the Add new SIEM link.

      The NEW SIEM INTEGRATION section opens.

    2. In the Type field, select the Custom option.

    3. In the Name field, enter the name for the new integration.

      In this example, we used the name Sumo Logic but you can use any name you like.

    4. In the Status field, select the Enabled option.

    5. In the Protocol type field, select the HTTPS option.

    6. In the Endpoint url field, paste the HTTP source URL that you copied earlier when setting up the Sumo Logic collector.
      Note:
      Make sure to paste the entire URL together with the authentication token at the end.

    7. In the Authentication token field, paste the token part of the HTTP source URL that you copied earlier when setting up the Sumo Logic collector.
      Note:
      The token is simply the part of the URL that is after the last slash (/).

    8. In the Data format field, select the JSON option.

    9. Click on the Save button to add the integration.

    10. Optional: Test the configuration by clicking on the Test button.

  4. Optional: To configure the types of alerts sent to your SIEM solution, see the following topic: Portnox Cloud alerts.
    Note:
    To learn more about the content and format of alert messages sent to SIEM solutions, see the following topic: Format and content of alert information for SIEM.

    You can also send all of the Portnox Cloud activity log (activities performed by administrators in Portnox Cloud) to your SIEM solution. To do this, go to Troubleshooting > ACTIVITY LOG > Log Settings, activate the Activity log switch, and click on the Save button.

Result: Sumo Logic is receiving alerts from Portnox Cloud.

You can confirm that, for example, by running a query _collector="HTTP".

If you cannot see any events when searching, this is usually to the differences in time zones. Try the following fixes:

  • In the Collection tab, Edit the collector and deactivate the checkbox: Advanced Options for Logs (Optional) > Extract timestamp information from log file entries.

  • In the search tab, click on the  ⚙  icon and select the Use Receipt Time option.