Sumo Logic provides a secure, cloud-based service for logs and metrics management with real-time analytics and insights. OpsRamp integration with Sumo Logic triggers alerts in OpsRamp based on a scheduled search.

Sumo Logic Version Supported for Integration: February 13, 2020 (19.288-3)

OpsRamp configuration

Inbound configurations capture all the details required to call OpsRamp APIs.

Step 1: Install the integration

  1. From All Clients, select a client.
  2. Navigate to Setup > Account.
  3. Select the Integrations and Apps tab.
  4. The Installed Integrations page displays all the installed applications. Note: If there are no installed applications, you are taken to the Available Integrations and Apps page instead.
  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all the available applications, including newly created applications with their version.
  6. Search for the application using the search option available. Alternatively, use the All Categories option to search.
  7. Click ADD on the Sumo Logic tile.

Inbound (Optional):

Sumo Logic - Inbound configuration

To configure the inbound integration, follow these steps:

Authentication:

  1. Select the Authentication Type as Webhook.

    • Webhook: By default, Webhook is selected as the Authentication Type.
      Make a note of Tenant ID, Token and Webhook URL.
      These details are used while creating an HTTP Request template during Sumo Logic configuration.
  2. Map Attributes: Map OpsRamp entity attributes to Sumo Logic attributes.

    1. Click +Add from the Map Attributes section.

    2. From the Add Map Attributes window, enter the below information:

      • OpsRamp Entity: Select Alert from the dropdown.
      • OpsRamp Property: Select the OpsRamp property from the dropdown.
      • Sumo Logic Entity: Enter the Sumo Logic entity value in the box and click the +value from the dropdown to add it. You can add multiple values.
      • Sumo Logic Property: Enter the Sumo Logic property.

      Parsing Condition:

      1. Click +Add and provide the parsing condition.
      2. Select an operator from the dropdown and enter a value in the fields accordingly. Based on the operator selected, the fields vary.
      3. Click Save. Click +Add to add more conditions.

      Property Values:

      1. Click +Property Value.
      2. Enter a value in the Sumo Logic Property Value box and select the appropriate value from the OpsRamp Property Value dropdown.
        The options in the OpsRamp Property Value dropdown appear based on the OpsRamp Property selected.
      3. Click Save.
      • Click +Property Value to add more property values.

      Default Value: Alternatively, you can enter/select a default value in the box.

      Note: To map more attributes, click +Entity.

    3. Click Add Map Attributes. The mapped attributes list is added.

      • Click the three dots icon at the end of each row to edit or remove the map attributes.
      • Use the Filter option to filter the map attributes.

  3. Additional Settings: Select the Drop alerts from unmanaged resources checkbox if you do not want to trigger alerts from unmanaged resources.

  4. Enrich and Create Alert: Select a process definition from the dropdown. You can customize the incoming alerts according to the properties defined in the process definition.

  5. Click Finish.

The following table shows the property mappings.

Third-Party Entity | OpsRamp Entity | Third-Party Property | OpsRamp Property (non-editable)

Problem | Alert | State | alert.currentState
    Property Values: Third-Party Property Value High -> OpsRamp Property Value Critical

Problem | Alert | RawResultsJson | alert.serviceName
    Parsing Condition: Operator Between, Start Word '"Category":"', End Word '",'

Problem | Alert | searchDescription | alert.description

Problem | Alert | RawResultsJson | alert.deviceName
    Parsing Condition: Operator Between, Start Word '"Host":"', End Word '",'

Problem | Alert | alert.id | alert.extAlertId

Problem | Alert | searchName, SearchDescription | alert.subject

  • You can modify the attributes at any time.
  • You need not follow the same mappings.
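The mapping table above, applied to a webhook payload in code. This is an added example, not OpsRamp's or Sumo Logic's own implementation: the sample payload, the DEFAULTS fallbacks and the subject separator are constructed assumptions; the Between parsing condition, the High -> Critical property value and the property names come from the table.

```python
import json

# Constructed sample of a Sumo Logic webhook payload, shaped like the page's
# example: RawResultsJson arrives as a JSON-encoded string with no spaces after colons.
SAMPLE_PAYLOAD = {
    "searchName": "Vendor upload errors",
    "searchDescription": "Failed vendor_sales uploads in the last 15 minutes",
    "State": "High",
    "RawResultsJson": json.dumps(
        [{"Message": "[02/Oct/2019:18:23:46] VendorID=7026 Code=C",
          "Time": 1570040626000, "Host": "103.49.52.70",
          "Category": "uploads/other", "Name": "vendor_sales.log"}],
        separators=(",", ":")),
}

# Property Values row of the table: Sumo Logic State -> OpsRamp alert.currentState.
STATE_VALUES = {"High": "Critical"}
# Default Value fallbacks used when a parsing condition matches nothing (assumed values).
DEFAULTS = {"deviceName": "unknown-host", "serviceName": "sumo-logic"}


def between(text, start_word, end_word):
    """The 'Between' parsing condition: text after the first start_word up to
    the next end_word, or None when either word is missing."""
    i = text.find(start_word)
    if i < 0:
        return None
    i += len(start_word)
    j = text.find(end_word, i)
    return text[i:j] if j >= 0 else None


def map_alert(payload):
    """Apply the page's mapping table to one payload and return the OpsRamp alert
    properties; a State with no Property Value mapping is rejected, not guessed."""
    state = STATE_VALUES.get(payload.get("State"))
    if state is None:
        raise ValueError("unmapped State value: %r" % payload.get("State"))
    raw = payload.get("RawResultsJson", "")
    return {
        "currentState": state,
        "serviceName": between(raw, '"Category":"', '",') or DEFAULTS["serviceName"],
        "deviceName": between(raw, '"Host":"', '",') or DEFAULTS["deviceName"],
        "description": payload.get("searchDescription", ""),
        # alert.subject is mapped from two Sumo Logic values (searchName, SearchDescription).
        "subject": " - ".join(v for v in (payload.get("searchName"),
                                          payload.get("searchDescription")) if v),
    }


if __name__ == "__main__":
    print(json.dumps(map_alert(SAMPLE_PAYLOAD), indent=2))
```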

Sumo Logic configuration

Step 1: Create connection

  1. Log into the Sumo Logic Admin UI.
  2. Go to Manage Data > Settings > Connections and click +.
  3. Select Webhook and enter:
    • Unique Name
    • Webhook URL (the Webhook URL noted during the OpsRamp inbound configuration, in the URL field)
    • Additional fields such as description, authorization header and custom header.
    • Elements in the payload according to your alert requirement. Refer to the documentation for samples.
  4. Click Save.

Example Payload:

{
    "searchName": "{{SearchName}}",
    "searchDescription": "{{SearchDescription}}",
    "searchQuery": "{{SearchQuery}}",
    "searchQueryUrl": "{{SearchQueryUrl}}",
    "rawResultsJson": "{{RawResultsJson}}",
    "numRawResults": "{{NumRawResults}}",
    "State": "High",
    "aggregateResultsJson": "{{AggregateResultsJson}}"
}

Step 2: Configure trigger alerts

Alerts can be triggered using one of the following:

  • Schedule search
  • Monitors

Configuring triggers with a scheduled search

  1. From the Sumo Logic home page, go to Log Search and click Save As.
    The Save Item dialog box opens.
  2. Enter the following details:
    • Name and Description

    • Query: build a query as per requirement. Alerts are triggered according to the query built.
      Query examples:
      Example 1:

      _sourceCategory=apache | parse "* " as src_IP
      | parse " 200 * " as size
      | count, sum(size) by src_IP

      Example 2:

      _sourceCategory="hostmetrics"
      
    • Click Schedule this search and enter:

      • Select the Run Frequency and Send Notifications accordingly from the drop-down list.
      • For Alert Type, select Webhook.
      • Select the checkbox if you require separate alerts.
      • For Connection, select the connection that you created.
      • If you want to edit the payload, enable Customize Payload and make the necessary changes.
  3. Click Save.

Configuring triggers with monitors

  1. Go to Manage Data > Alerts and click Add Monitor.
    The Metrics Monitor window opens.
  2. For Select Time Series to Monitor, build a query to monitor (as built for the Schedule Search option) and, if required, make the necessary changes in Settings and Legend.
  3. For Set Rules, set the rules and, under Send Notification Via, select the connection that was created earlier.
  4. For Set Name and Description, enter the details and click Save.

Example payload

{
    "searchname": "Other",
    "SearchDescription": "",
    "SearchQuery": "*",
    "SearchQueryUrl": "https://service.in.sumologic.com/ui/index.html#/search/3jZ7g4s65MuGSoa6iCHXOzw8pKqJLuc9ZpGfOpo8FQ8OmroIDJtsYPtOW6B941KQxCfzRbGliBxfShw8sDfEBbKt5Qb0Jx9uJ6YSaDGozQPDvdhDGD4guOJZuVFTpU61",
    "RawResultsJson": "[{"Message":"[02/Oct/2019:18:23:46] VendorID=7026 Code=C AcctID=8702194102896748","Time":1570040626000,"Host":"127.0.0.1","Category":"uploads/other","Name":"vendor_sales.log","Collector":"File Uploads"},{"Message":"[02/Oct/2019:18:23:31] VendorID=1043 Code=B AcctID=2063718909897951","Time":1570040611000,"Host":"103.49.52.70","Category":"uploads/other","Name":"vendor_sales.log","Collector":"File Uploads"},{"Message":"[02/Oct/2019:18:22:59] VendorID=1243 Code=F AcctID=8768831614147676","Time":1570040579000,"Host":"103.49.52.71","Category":"uploads/other","Name":"vendor_sales.log","Collector":"File Uploads"},{"Message":"[02/Oct/2019:18:22:48] VendorID=1239 Code=K AcctID=5822351159954740","Time":1570040568000,"Host":"103.49.52.72","Category":"uploads/other","Name":"vendor_sales.log","Collector":"File Uploads"},{"Message":"[02/Oct/2019:18:22:32] VendorID=7033 Code=E AcctID=4390644811207834","Time":1570040552000,"Host":"103.49.52.73","Category":"uploads/other","Name":"vendor_sales.log","Collector":"File Uploads"},{"Message":"[02/Oct/2019:18:22:13] VendorID=1139 Code=D AcctID=2548096337574259","Time":1570040533000,"Host":"103.49.52.74","Category":"uploads/other","Name":"vendor_sales.log","Collector":"File Uploads"},{"Message":"[02/Oct/2019:18:21:40] VendorID=9103 Code=B AcctID=6081238166719034","Time":1570040500000,"Host":"103.49.52.75","Category":"uploads/other","Name":"vendor_sales.log","Collector":"File Uploads"},{"Message":"[02/Oct/2019:18:21:21] VendorID=1151 Code=D AcctID=6980883790773744","Time":1570040481000,"Host":"103.49.52.76","Category":"uploads/other","Name":"vendor_sales.log","Collector":"File Uploads"},{"Message":"[02/Oct/2019:18:20:58] VendorID=1155 Code=F AcctID=3595732379989377","Time":1570040458000,"Host":"103.49.52.77","Category":"uploads/other","Name":"vendor_sales.log","Collector":"File Uploads"},{"Message":"182.236.164.11 - - [02/Oct/2019:18:20:56] "GET 
/cart.do?action=addtocart&itemId=EST-15&productId=BS-AG-G09&JSESSIONID=SD6SL8FF10ADFF53101 HTTP 1.1" 200 2252 "http://www.buttercupgames.com/oldlink?itemId=EST-15" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5" 506","Time":1570040456000,"Host":"103.49.52.7","Category":"uploads/other","Name":"access.log","Collector":"File Uploads"}]",
    "NumRawResults": "53700",
    "State": "High",
    "AggregateResultsJson": ""
}

Viewing alerts

  1. Go to the Alerts page and search with the source name Sumo Logic.
    The related alerts are displayed.
  2. Click an Alert ID to view the alert details.