Sumo Logic provides a secure, cloud-based service for log and metrics management with real-time analytics and insights. The OpsRamp integration with Sumo Logic triggers alerts in OpsRamp from a Sumo Logic scheduled search or monitor, delivered over a webhook.

Sumo Logic Version Supported for Integration: February 13, 2020 (19.288-3)

OpsRamp configuration

Inbound configurations capture all the details required to call OpsRamp APIs.

Step 1: Install the integration

  1. From All Clients, select a client.
  2. Go to Setup > Account.
  3. Select the Integrations and Apps tab.
  4. The Installed Integrations page opens, displaying all installed applications. Note: If there are no installed applications, you are taken to the Available Integrations and Apps page instead.
  5. Click + ADD on the Installed Integrations page. The Available Integrations and Apps page displays all available applications, including newly created applications with their version.
    Note: You can also find the application with the search option, or filter with the All Categories option.
  6. Click ADD in the Sumo Logic application and click Install.
  7. Select authentication type as WEBHOOK and click Save.
  8. Make a note of the Tenant ID, Token and Webhook URL.
    These details are used while creating the HTTP request template during Sumo Logic configuration. Treat the Token and Webhook URL as credentials: they are the details Sumo Logic uses to call the OpsRamp API, so anyone who obtains them can post alerts into this client.
  9. Click Save.

Step 2: Configure the integration

  1. From the API tab, enter:
    • Authentication: Token and Webhook URL for configuration.
      These settings are required for defining alert endpoints.
    • Map Attributes: Enter the mapping information for the third-party.
      The Map Attributes section maps the third-party attributes to OpsRamp attributes associated with payloads.
  2. From the Monitoring of Integration tab, click Assign Templates.
  3. From the Audit Logs, set up audit log criteria and time frame.

Configuring the map attributes

  1. Select the required OpsRamp property from the drop-down.
  2. Click Add Mapping Attributes to map attributes for the specific OpsRamp alert property.
  3. Click + to define the mappings.
  4. From Create Alert Mappings on Status, define the mappings, parsing conditions, and default values.
  5. Click Save.

The following table shows the property mappings.

Third-Party Entity | OpsRamp Entity | Third-Party Property | OpsRamp Property (non-editable)
Problem | Alert | State (value mapping: third-party value High -> OpsRamp value Critical) | alert.currentState
Problem | Alert | RawResultsJson (parsing condition: Operator Between, Start Word "Category":" , End Word ", ) | alert.serviceName
Problem | Alert | searchDescription | alert.description
Problem | Alert | RawResultsJson (parsing condition: Operator Between, Start Word "Host":" , End Word ", ) | alert.deviceName
Problem | Alert | alert.id | alert.extAlertId
Problem | Alert | searchName, SearchDescription | alert.subject

The Start Word and End Word strings are matched literally against the serialized RawResultsJson, quote characters included, so they must be entered exactly as the payload spells them.

  • You can modify the attributes at any time.
  • You do not have to use these exact mappings.

Sumo Logic configuration

Step 1: Create connection

  1. Log into the Sumo Logic Admin UI.
  2. Go to Manage Data > Settings > Connections and click +.
  3. Select Webhook and enter:
    • Unique Name
    • Webhook URL (copied from the OpsRamp configuration) in the URL field.
    • Optional fields such as description, authorization header and custom headers.
    • Elements in the payload according to your alert requirement. Refer to the Sumo Logic documentation for samples.
  4. Click Save.

Example Payload:

{
  "searchName": "{{SearchName}}",
  "searchDescription": "{{SearchDescription}}",
  "searchQuery": "{{SearchQuery}}",
  "searchQueryUrl": "{{SearchQueryUrl}}",
  "rawResultsJson": "{{RawResultsJson}}",
  "numRawResults": "{{NumRawResults}}",
  "State": "High",
  "aggregateResultsJson": "{{AggregateResultsJson}}"
}

Step 2: Configure trigger alerts

Alerts can be triggered using one of the following:

  • Scheduled search
  • Monitors

Configuring triggers with a scheduled search

  1. From the Sumo Logic home page, go to Log Search and click Save As.
    The Save Item dialog box opens.
  2. Enter the following details:
    • Name and Description

    • Query: build a query as per your requirement. Alerts are triggered according to the query built.
      Query examples:

      Example 1:

      _sourceCategory=apache | parse "* " as src_IP
      | parse " 200 * " as size
      | count, sum(size) by src_IP

      Example 2:

      _sourceCategory="hostmetrics"
      
    • Click Schedule this search and enter:

      • Select the Run Frequency and Send Notifications settings from the drop-down lists.
      • For Alert Type, select Webhook.
      • Select the separate-alerts checkbox if you want one notification per search result rather than one for the whole result set.
      • For Connection, select the connection that you created.
      • If you want to edit the payload, enable Customize Payload and make the necessary changes.
  3. Click Save.

Configuring triggers with monitors

  1. Go to Manage Data > Alerts and click Add Monitor.
    The Metrics Monitor window opens.
  2. For Select Time Series to Monitor, build a query to monitor (as for the scheduled search option) and, if required, adjust Settings and Legend.
  3. For Set Rules, set the rules and, under Send Notification Via, select the connection created earlier.
  4. For Set Name and Description, enter the details and click Save.

Example payload

{
    "searchname": "Other",
    "SearchDescription": "",
    "SearchQuery": "*",
    "SearchQueryUrl": "https://service.in.sumologic.com/ui/index.html#/search/3jZ7g4s65MuGSoa6iCHXOzw8pKqJLuc9ZpGfOpo8FQ8OmroIDJtsYPtOW6B941KQxCfzRbGliBxfShw8sDfEBbKt5Qb0Jx9uJ6YSaDGozQPDvdhDGD4guOJZuVFTpU61",
    "RawResultsJson": "[{\"Message\":\"[02/Oct/2019:18:23:46] VendorID=7026 Code=C AcctID=8702194102896748\",\"Time\":1570040626000,\"Host\":\"127.0.0.1\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:23:31] VendorID=1043 Code=B AcctID=2063718909897951\",\"Time\":1570040611000,\"Host\":\"103.49.52.70\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:22:59] VendorID=1243 Code=F AcctID=8768831614147676\",\"Time\":1570040579000,\"Host\":\"103.49.52.71\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:22:48] VendorID=1239 Code=K AcctID=5822351159954740\",\"Time\":1570040568000,\"Host\":\"103.49.52.72\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:22:32] VendorID=7033 Code=E AcctID=4390644811207834\",\"Time\":1570040552000,\"Host\":\"103.49.52.73\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:22:13] VendorID=1139 Code=D AcctID=2548096337574259\",\"Time\":1570040533000,\"Host\":\"103.49.52.74\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:21:40] VendorID=9103 Code=B AcctID=6081238166719034\",\"Time\":1570040500000,\"Host\":\"103.49.52.75\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:21:21] VendorID=1151 Code=D AcctID=6980883790773744\",\"Time\":1570040481000,\"Host\":\"103.49.52.76\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"[02/Oct/2019:18:20:58] VendorID=1155 Code=F AcctID=3595732379989377\",\"Time\":1570040458000,\"Host\":\"103.49.52.77\",\"Category\":\"uploads/other\",\"Name\":\"vendor_sales.log\",\"Collector\":\"File Uploads\"},{\"Message\":\"182.236.164.11 - - [02/Oct/2019:18:20:56] \\\"GET /cart.do?action=addtocart&itemId=EST-15&productId=BS-AG-G09&JSESSIONID=SD6SL8FF10ADFF53101 HTTP 1.1\\\" 200 2252 \\\"http://www.buttercupgames.com/oldlink?itemId=EST-15\\\" \\\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5\\\" 506\",\"Time\":1570040456000,\"Host\":\"103.49.52.7\",\"Category\":\"uploads/other\",\"Name\":\"access.log\",\"Collector\":\"File Uploads\"}]",
    "NumRawResults": "53700",
    "State": "High",
    "AggregateResultsJson": ""
}
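To see what the mappings in the property table do to a payload like the one above, here is an added Python example (not OpsRamp's or Sumo Logic's code) that renders the webhook template from the Sumo Logic connection step with two constructed raw results, then applies the page's attribute mappings the way the OpsRamp side does: the State value map (High -> Critical) and the Between parsing of RawResultsJson for Host and Category. The between() helper is this example's reading of the Between operator (first occurrence of the start word up to the next end word). The lowercasing of payload keys and the way searchName and SearchDescription are joined into alert.subject are assumptions: the page lists the properties without stating how they are combined, and its two payload samples spell the keys with different case.

```python
import json
import re

# Constructed sample results (field names follow the page's example payload; values are made up).
SAMPLE_RAW_RESULTS = [
    {"Message": "[02/Oct/2019:18:23:46] VendorID=7026 Code=C AcctID=8702194102896748",
     "Time": 1570040626000, "Host": "127.0.0.1", "Category": "uploads/other",
     "Name": "vendor_sales.log", "Collector": "File Uploads"},
    {"Message": "[02/Oct/2019:18:23:31] VendorID=1043 Code=B AcctID=2063718909897951",
     "Time": 1570040611000, "Host": "103.49.52.70", "Category": "uploads/other",
     "Name": "vendor_sales.log", "Collector": "File Uploads"},
]

# The webhook payload template from the Sumo Logic connection step.
PAYLOAD_TEMPLATE = {
    "searchName": "{{SearchName}}",
    "searchDescription": "{{SearchDescription}}",
    "searchQuery": "{{SearchQuery}}",
    "searchQueryUrl": "{{SearchQueryUrl}}",
    "rawResultsJson": "{{RawResultsJson}}",
    "numRawResults": "{{NumRawResults}}",
    "State": "High",
    "aggregateResultsJson": "{{AggregateResultsJson}}",
}

# The State -> alert.currentState value mapping from the property table.
STATE_MAP = {"High": "Critical"}


def render_payload(template, values):
    """Simulate Sumo Logic filling the {{Var}} placeholders and serializing the body.

    Every value is substituted as a string, so RawResultsJson ends up as a JSON string
    inside the body and json.dumps escapes its inner quotes. A body whose nested quotes
    are not escaped is not JSON and the receiving side cannot parse it.
    """
    rendered = {}
    for key, tmpl in template.items():
        rendered[key] = re.sub(r"\{\{(\w+)\}\}",
                               lambda m: str(values.get(m.group(1), "")), tmpl)
    return json.dumps(rendered)


def between(text, start_word, end_word):
    """The Between parsing condition as this example reads it: the text after the
    first occurrence of start_word up to the next end_word; None if either is missing.
    It is a plain substring match, so the markers must match the serialization exactly."""
    i = text.find(start_word)
    if i < 0:
        return None
    i += len(start_word)
    j = text.find(end_word, i)
    return None if j < 0 else text[i:j]


def is_well_formed(body):
    """Reject bodies that are not a JSON object (e.g. nested quotes left unescaped)."""
    try:
        return isinstance(json.loads(body), dict)
    except ValueError:
        return False


def map_to_opsramp(body):
    """Apply the page's attribute mappings to a received webhook body.

    Keys are lowercased before lookup (assumption: the page's samples spell them both
    'searchName' and 'searchname', so a case-insensitive match is the safer choice).
    """
    payload = {k.lower(): v for k, v in json.loads(body).items()}
    raw = payload.get("rawresultsjson", "")
    return {
        "alert.currentState": STATE_MAP.get(payload.get("state")),
        "alert.serviceName": between(raw, '"Category":"', '",'),
        "alert.deviceName": between(raw, '"Host":"', '",'),
        "alert.description": payload.get("searchdescription"),
        # Assumption: name and description joined with ': ' to form alert.subject.
        "alert.subject": f"{payload.get('searchname', '')}: {payload.get('searchdescription', '')}",
    }


def example_roundtrip():
    """Render the template with the constructed results, then map it as OpsRamp would."""
    body = render_payload(PAYLOAD_TEMPLATE, {
        "SearchName": "Vendor sales errors",
        "SearchDescription": "Scheduled search over vendor_sales.log",
        "SearchQuery": "_sourceCategory=uploads/other",
        "SearchQueryUrl": "https://service.sumologic.com/ui/#/search/example",  # constructed
        # Compact separators mirror the serialization the page's payload shows; with
        # json.dumps's default ', ' and ': ' separators the start word "Host":" never matches.
        "RawResultsJson": json.dumps(SAMPLE_RAW_RESULTS, separators=(",", ":")),
        "NumRawResults": len(SAMPLE_RAW_RESULTS),
        "AggregateResultsJson": "",
    })
    assert is_well_formed(body)
    return map_to_opsramp(body)


if __name__ == "__main__":
    print(json.dumps(example_roundtrip(), indent=2))
```

Two things the run shows. Between is a substring match, so the raw results must be serialized exactly as the start and end words expect (no spaces around colons) or the Host and Category fields come back empty. And with several results in one body only the first Host reaches alert.deviceName (127.0.0.1 here, as in the page's own payload), which is why the separate-alerts checkbox in the scheduled search matters when you want one OpsRamp alert per host. is_well_formed() additionally rejects a body whose RawResultsJson quotes were not escaped, which json-based receivers cannot parse at all.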

Viewing alerts

  1. Go to the Alerts page and search with the source name Sumo Logic.
    Related alerts are displayed.
  2. Click an Alert ID to view the alert details.