Sumo Logic destinations: sumologic-http() and sumologic-syslog()
From version 3.27.1, the AxoSyslog application can send log messages to Sumo Logic, a cloud-based log management and security analytics service, by using the sumologic-http()
and sumologic-syslog()
destinations.
Prerequisites
Currently, using the sumologic-http()
and sumologic-syslog()
destinations with AxoSyslog has the following prerequisites:
-
A Sumo Logic account.
If you do not yet have a Sumo Logic account, visit the official Sumo Logic website, and click
Start free trial
to create an account.Note A free trial version of the Sumo Logic account has limited functionalities and is only available for 90 days. -
A Cloud Syslog Source configured with your Sumo Logic account.
For details, follow the configuration instructions under the Configure a Cloud Syslog Source section on the official Sumo Logic website.
Note Transport-level security (TLS) 1.2 over TCP is required. -
A Cloud Syslog Source Token (from the Cloud Syslog Source side).
-
TLS set up on your Sumo Logic account.
For detailed information about setting up TLS in your Sumo Logic account, see the description for setting up TLS on the Sumo Logic official website.
Note After you download theDigiCert
certificate, make sure you follow the certificate setup steps under the syslog-ng section. -
Your Sumo Logic syslog client, configured to send data to the Sumo Logic cloud syslog service, by using AxoSyslog.
For detailed information, follow the instructions under the Send data to cloud syslog source with syslog-ng section on the official Sumo Logic website.
-
A verified connection and client configuration with the Sumo Logic service.
Warning To avoid potential data loss, we strongly recommend that you verify your connection and client configuration with the Sumo Logic service before you start using thesumologic-http()
orsumologic-syslog()
destination with AxoSyslog in a production environment. -
(Optional) For using the
sumologic-http()
destination, you need a HTTP Hosted Collector configured in the Sumo Logic service.To configure a Hosted Collector, follow the configuration instructions under the Configure a Hosted Collector section on the official Sumo Logic website.
-
(Optional) For using the
sumologic-http()
destination, you need the unique HTTP collector code you receive while configuring your Host Collector for HTTP requests.
Limitations
Currently, using the sumologic-syslog()
and sumologic-http()
destinations with AxoSyslog has the following limitations:
-
The minimum required version of AxoSyslog is version 3.27.1.
-
Message format must be in RFC 5424-compliant form. Messages over 64KB in length are truncated.
For more information about the message format limitations, see the Message format section on the official Sumo Logic website.
-
64 characters long Sumo Logic tokens must be passed in the message body.
Declaration for the sumologic-http() destination
destination d_sumo_http {
sumologic-http(
collector("ZaVnC4dhaV3_[...]UF2D8DRSnHiGKoq9Onvz-XT7RJG2FA6RuyE5z4A==")
deployment("eu")
);
};
Declaration for the sumologic-syslog() destination
destination d_sumo_syslog {
sumologic-syslog(
token("rqf/bdxYVaBLFMoU39[...]CCC5jwETm@41123")
deployment("eu")
tls(peer-verify(yes) ca-dir('/etc/syslog-ng/ca.d'))
);
};
Using the sumologic() driver
To use the sumologic()
driver, the scl.conf
file must be included in your AxoSyslog configuration:
@include "scl.conf"
sumologic()
driver is actually a reusable configuration snippet configured to send log messages using the network()
and http()
destination by using a template. For details on using or writing such configuration snippets, see Reusing configuration blocks. You can find the source of this configuration snippet on GitHub.