Introduction

Sumo Logic provides a secure, cloud-based service for log and metrics management with real-time analytics and insights. The OpsRamp integration with Sumo Logic raises alerts in OpsRamp from a scheduled search (or a monitor) in Sumo Logic, delivered through a webhook.

Sumo Logic Version Supported for Integration: February 13, 2020 (19.288-3)

OpsRamp configuration

Configuration involves:

  1. Installing the integration.
  2. Configuring the integration.

Step 1: Install the integration

To install:

  1. From All Clients, select a client.
  2. Go to Setup > Integrations > Integrations.
  3. From Available Integrations, select Monitoring > Sumo Logic.
  4. Click Install.

Step 2: Configure the integration

To configure the integration:

  1. From the API tab, provide the following:
    • Authentication: Token and Webhook URL for configuration.
      These settings are required for defining alert endpoints.
    • Map Attributes: Provide the mapping information for the third-party.
      The Map Attributes section maps the third-party attributes to OpsRamp attributes associated with payloads.
  2. From the Monitoring of Integration tab, click Assign Templates.
  3. From the Audit Logs, set up audit log criteria and time frame.

Configuring the map attributes

To configure the mapping attributes:

  1. Select the required OpsRamp property from the drop-down.
  2. Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
  3. Click + to define the mappings.
  4. From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values.
  5. Click Save.

The following table shows the property mappings.

Property Mappings

Third-Party Entity | OpsRamp Entity | Third-Party Property          | OpsRamp Property (non-editable)
Problem            | Alert          | State                         | alert.currentState
Problem            | Alert          | RawResultsJson                | alert.serviceName
Problem            | Alert          | searchDescription             | alert.description
Problem            | Alert          | RawResultsJson                | alert.deviceName
Problem            | Alert          | alert.id                      | alert.extAlertId
Problem            | Alert          | searchName, SearchDescription | alert.subject

Value mapping for State -> alert.currentState:

Third-Party Property Value | OpsRamp Property Value
High                       | Critical

Parsing conditions for RawResultsJson (the value is taken from between the start word and the end word):

OpsRamp Property  | Operator | Start Word   | End Word
alert.serviceName | Between  | "Category":" | "
alert.deviceName  | Between  | "Host":"     | "

Sumo Logic configuration

Configuration involves:

  1. Creating connections
  2. Configuring trigger alerts

Step 1: Create connection

To create a connection:

  1. Log into the Sumo Logic Admin UI.
  2. Go to Manage Data > Settings > Connections and click +.
  3. Select Webhook and provide the following:
    • Unique Name
    • Webhook URL (copied from the URL field of the OpsRamp configuration)
    • Additional fields such as description, authorization header, and custom header.
    • Elements in the payload according to your alert requirement. Refer to the Sumo Logic documentation for samples.
  4. Click Save.

Sample Payload:

{
"searchName": "{{SearchName}}",
"searchDescription": "{{SearchDescription}}",
"searchQuery": "{{SearchQuery}}",
"searchQueryUrl": "{{SearchQueryUrl}}",
"rawResultsJson": "{{RawResultsJson}}",
"numRawResults": "{{NumRawResults}}",
"State": "High",
"aggregateResultsJson": "{{AggregateResultsJson}}"
}

Step 2: Configure trigger alerts

Alerts can be triggered using one of the following:

  • Schedule search
  • Monitors

To configure a trigger with schedule search:

  1. From the Sumo Logic home page, go to Log Search and click Save As.
    The Save Item dialog box opens.
  2. Enter the following details:
    • Name and Description
    • Query: build a query as per requirement.
      Note: Alerts are triggered according to the query built.
      Query examples:
      Example 1:
      _sourceCategory=apache | parse "* " as src_IP
      | parse " 200 * " as size
      | count, sum(size) by src_IP
      Example 2:
      _sourceCategory="hostmetrics"
      
    • Click Schedule this search and provide the following:
      • Select the Run Frequency and Send Notifications accordingly from drop-down list.
      • For Alert Type, enter Webhook.
      • Select the check box if you require separate alerts.
      • For Connection, select the connection that you created.
      • If you want to edit the payload, then enable Customize Payload and make the necessary changes.
  3. Click Save.

Configuring triggers with monitors

To configure a trigger with a monitor:

  1. Go to Manage Data > Alerts and click Add Monitor.
    The Metrics Monitor window opens.
  2. For Select Time Series to Monitor, build a query to monitor (as built for the Schedule Search option) and, if required, make the necessary changes in Settings and Legend.
  3. For Set Rules, set the rules and, under Send Notification Via, select the connection that was created earlier.
  4. For Set Name and Description, enter the desired details and click Save.

Sample payload

{
    "searchname": "Other",
    "SearchDescription": "",
    "SearchQuery": "*",
    "SearchQueryUrl": "https://service.in.sumologic.com/ui/index.html#/search/3jZ7g4s65MuGSoa6iCHXOzw8pKqJLuc9ZpGfOpo8FQ8OmroIDJtsYPtOW6B941KQxCfzRbGliBxfShw8sDfEBbKt5Qb0Jx9uJ6YSaDGozQPDvdhDGD4guOJZuVFTpU61",
    "RawResultsJson": "[{\"Message\":\"[02/Oct/2019:18:23:46] VendorID=7026 Code=C AcctID=8702194102896748\",\"Time\":1570040626000,\"Host\":\"127.0.0.1\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:23:31] VendorID=1043 Code=B AcctID=2063718909897951\",\"Time\":1570040611000,\"Host\":\"103.49.52.70\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:22:59] VendorID=1243 Code=F AcctID=8768831614147676\",\"Time\":1570040579000,\"Host\":\"103.49.52.71\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:22:48] VendorID=1239 Code=K AcctID=5822351159954740\",\"Time\":1570040568000,\"Host\":\"103.49.52.72\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:22:32] VendorID=7033 Code=E AcctID=4390644811207834\",\"Time\":1570040552000,\"Host\":\"103.49.52.73\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:22:13] VendorID=1139 Code=D AcctID=2548096337574259\",\"Time\":1570040533000,\"Host\":\"103.49.52.74\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:21:40] VendorID=9103 Code=B AcctID=6081238166719034\",\"Time\":1570040500000,\"Host\":\"103.49.52.75\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:21:21] VendorID=1151 Code=D AcctID=6980883790773744\",\"Time\":1570040481000,\"Host\":\"103.49.52.76\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:20:58] VendorID=1155 Code=F AcctID=3595732379989377\",\"Time\":1570040458000,\"Host\":\"103.49.52.77\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"182.236.164.11 - - [02/Oct/2019:18:20:56] \\\"GET /cart.do?action=addtocart&itemId=EST-15&productId=BS-AG-G09&JSESSIONID=SD6SL8FF10ADFF53101 HTTP 1.1\\\" 200 2252 \\\"http://www.buttercupgames.com/oldlink?itemId=EST-15\\\" \\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5\\\" 506\",\"Time\":1570040456000,\"Host\":\"103.49.52.7\",\"Category\":\"uploads/other\",\"Name\":\"access.log\",\"Collector\":\"File Uploads\"}]",
    "NumRawResults": "53700",
    "State": "High",
    "AggregateResultsJson": ""
}
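The following Python script is an added example, not OpsRamp or Sumo Logic code. It applies the Property Mappings table from the OpsRamp configuration section to a webhook body like the sample payloads above: the State value High becomes Critical, the Between operator extracts the Category and Host values from RawResultsJson, and searchName plus searchDescription form the subject. The sample body is constructed here and shortened to two raw results; the lookup of payload keys is case-insensitive because the two sample payloads on this page spell the keys differently (searchName versus SearchDescription), the default state "Warning" and the " - " joining of the subject are assumptions, and first_host_from_json is an alternative lookup that parses the embedded JSON instead of matching substrings.

```python
"""Apply the page's OpsRamp property mappings to a Sumo Logic webhook body.
Added example; not OpsRamp or Sumo Logic code."""
import json

# Constructed sample, modelled on the page's Sample payload but cut to two rows.
RAW_ROWS = [
    {"Message": "[02/Oct/2019:18:23:46] VendorID=7026 Code=C AcctID=8702194102896748",
     "Time": 1570040626000, "Host": "127.0.0.1", "Category": "uploads/other",
     "Name": "vendor_sales.log", "Collector": "File Uploads"},
    {"Message": "[02/Oct/2019:18:23:31] VendorID=1043 Code=B AcctID=2063718909897951",
     "Time": 1570040611000, "Host": "103.49.52.70", "Category": "uploads/other",
     "Name": "vendor_sales.log", "Collector": "File Uploads"},
]
SAMPLE_PAYLOAD = {
    "searchName": "Other",
    "searchDescription": "Vendor sales activity",
    "searchQuery": "*",
    "numRawResults": str(len(RAW_ROWS)),
    "State": "High",
    # RawResultsJson arrives as compact JSON inside a string, with no spaces after
    # separators, which is what the table's start words ("Host":" etc.) rely on.
    "rawResultsJson": json.dumps(RAW_ROWS, separators=(",", ":")),
    "aggregateResultsJson": "",
}

# Third-party value -> OpsRamp value, from the State row of the mapping table.
STATE_MAP = {"High": "Critical"}


def between(text, start_word, end_word):
    """The table's Between operator: text after the first start_word up to the
    next end_word. Returns None when either marker is missing."""
    start = text.find(start_word)
    if start < 0:
        return None
    start += len(start_word)
    end = text.find(end_word, start)
    if end < 0:
        return None
    return text[start:end]


def map_alert(payload, default_state="Warning"):
    """Build the OpsRamp alert properties listed in the mapping table.
    default_state stands in for the default value configured under Create Alert
    Mappings (assumed value; the page does not name one)."""
    # Key lookup is case-insensitive: the page's two samples differ in casing.
    fields = {k.lower(): v for k, v in payload.items()}
    raw = fields.get("rawresultsjson", "") or ""
    subject_parts = [fields.get("searchname", ""), fields.get("searchdescription", "")]
    return {
        "alert.currentState": STATE_MAP.get(fields.get("state"), default_state),
        "alert.serviceName": between(raw, '"Category":"', '"'),
        "alert.description": fields.get("searchdescription", ""),
        "alert.deviceName": between(raw, '"Host":"', '"'),
        # alert.id is in the table but absent from both sample payloads.
        "alert.extAlertId": fields.get("alert.id"),
        # searchName and SearchDescription both feed alert.subject; joining them
        # with " - " is an assumption about how the product combines them.
        "alert.subject": " - ".join(p for p in subject_parts if p),
    }


def first_host_from_json(payload):
    """Same deviceName lookup, but by parsing RawResultsJson as JSON rather than
    substring matching. Returns None if the field is missing or not valid JSON."""
    fields = {k.lower(): v for k, v in payload.items()}
    try:
        rows = json.loads(fields.get("rawresultsjson", "") or "")
    except json.JSONDecodeError:
        return None
    return rows[0].get("Host") if rows else None


if __name__ == "__main__":
    print(json.dumps(map_alert(SAMPLE_PAYLOAD), indent=2))
```

Because Between stops at the first match, only the first raw result's Host and Category reach the alert, even when numRawResults is large (53700 in the page's sample); a search that returns results from many hosts therefore produces one alert attributed to whichever host happens to be listed first, which is worth keeping in mind when tuning the Run Frequency and the separate-alerts check box.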

Viewing alerts

To view the alerts in OpsRamp:

  1. Go to the Alerts page and search with the source name Sumo Logic.
    The related alerts are displayed.
  2. Click an Alert ID to view the alert.