Sumo Logic destinations: sumologic-http() and sumologic-syslog()

From version 3.27.1, the AxoSyslog application can send log messages to Sumo Logic, a cloud-based log management and security analytics service, by using the sumologic-http() and sumologic-syslog() destinations.

Prerequisites

Currently, using the sumologic-http() and sumologic-syslog() destinations with AxoSyslog has the following prerequisites:

  • A Sumo Logic account.

    If you do not yet have a Sumo Logic account, visit the official Sumo Logic website, and click Start free trial to create an account.

  • A Cloud Syslog Source configured with your Sumo Logic account.

    For details, follow the configuration instructions under the Configure a Cloud Syslog Source section on the official Sumo Logic website.

  • A Cloud Syslog Source Token (from the Cloud Syslog Source side).

  • TLS set up on your Sumo Logic account.

    For detailed information about setting up TLS in your Sumo Logic account, see the description for setting up TLS on the Sumo Logic official website.

  • Your Sumo Logic syslog client (AxoSyslog), configured to send data to the Sumo Logic cloud syslog service.

    For detailed information, follow the instructions under the Send data to cloud syslog source with syslog-ng section on the official Sumo Logic website.

  • A verified connection and client configuration with the Sumo Logic service.

  • (Optional) To use the sumologic-http() destination, you need an HTTP Hosted Collector configured in the Sumo Logic service.

    To configure a Hosted Collector, follow the configuration instructions under the Configure a Hosted Collector section on the official Sumo Logic website.

  • (Optional) To use the sumologic-http() destination, you also need the unique HTTP collector code that you receive while configuring your Hosted Collector for HTTP requests.

Limitations

Currently, using the sumologic-syslog() and sumologic-http() destinations with AxoSyslog has the following limitations:

  • The minimum required version of AxoSyslog is version 3.27.1.

  • Messages must be in RFC 5424-compliant format. Messages longer than 64 KB are truncated.

    For more information about the message format limitations, see the Message format section on the official Sumo Logic website.

  • Sumo Logic tokens, which are 64 characters long, must be passed in the message body.

Declaration for the sumologic-http() destination

    destination d_sumo_http {
        sumologic-http(
            collector("ZaVnC4dhaV3_[...]UF2D8DRSnHiGKoq9Onvz-XT7RJG2FA6RuyE5z4A==")
            deployment("eu")
        );
    };

Declaration for the sumologic-syslog() destination

    destination d_sumo_syslog {
        sumologic-syslog(
            token("rqf/bdxYVaBLFMoU39[...]CCC5jwETm@41123")
            deployment("eu")
            tls(peer-verify(yes) ca-dir('/etc/syslog-ng/ca.d'))
        );
    };

Using the sumologic() driver

To use the sumologic() driver, the scl.conf file must be included in your AxoSyslog configuration:

   @include "scl.conf"
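A complete AxoSyslog configuration that ties the two destination declarations above to the required scl.conf include, a local source and a log path, as an added example that is not part of the original page. The @version line, the s_local source, the log path and the ca.d directory are assumptions; the token and collector code are placeholders for the values from your own Sumo Logic account.

```conf
# Match this to the AxoSyslog version you run (assumed here).
@version: 4.8
# The scl.conf include provides the sumologic-http() and
# sumologic-syslog() drivers.
@include "scl.conf"

# Assumed local sources: system() reads the host's own logs and
# internal() carries AxoSyslog's own status messages, so TLS or
# authentication failures toward Sumo Logic show up in the same stream.
source s_local {
    system();
    internal();
};

# Cloud Syslog Source: RFC 5424 over TLS. peer-verify(yes) makes the
# destination refuse to send unless the Sumo Logic server certificate
# chains to a CA found in ca-dir(). ca-dir() expects the CA files to be
# named by their subject hash (as produced by `openssl x509 -hash`),
# not by an arbitrary file name.
destination d_sumo_syslog {
    sumologic-syslog(
        token("<YOUR-CLOUD-SYSLOG-SOURCE-TOKEN>")
        deployment("eu")
        tls(peer-verify(yes) ca-dir("/etc/syslog-ng/ca.d"))
    );
};

# HTTP Hosted Collector alternative; the collector code is the unique
# value you receive while configuring the Hosted Collector.
destination d_sumo_http {
    sumologic-http(
        collector("<YOUR-HTTP-COLLECTOR-CODE>")
        deployment("eu")
    );
};

# Send everything from the local sources to the syslog destination.
# Use destination(d_sumo_http) instead to send to the Hosted Collector.
log {
    source(s_local);
    destination(d_sumo_syslog);
};
```

Both the token and the collector code authenticate to your Sumo Logic account, so restrict read access to this file to the account that runs AxoSyslog.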