Skip to main content

Sumo Logic

A Lacework Amazon CloudWatch alert channel can forward Lacework alerts to you via CloudWatch. You can then configure a rule to send alerts to a specified target via SNS. After this is setup, you can subscribe a Sumo Logic custom app endpoint to the SNS topic. This allows your Lacework alerts to be sent via SNS (Simple Notification Service) subscription to your Sumo Logic custom app endpoint where you can view alert data in Sumo Logic.

Follow these steps to set up a Sumo Logic alert channel in Lacework:

Create a Lacework Alert Channel

Configure a Lacework alert channel with Amazon CloudWatch.

Set Up an SNS Topic

  1. In AWS, navigate to SNS, and on the left menu, select Topics.
  2. Click Create new topic and provide a Topic name and Display name.

Configure CloudWatch to Send to Your SNS Topic as a Target

  1. In AWS, navigate to CloudWatch.
  2. Under Events > Rules, click into the rule you created with the Amazon CloudWatch integration.
  3. In the top right, select Actions > Edit to bring up the rule and target page. On the left, you should see the custom event pattern you configured when setting up CloudWatch. On the right, you should see where you can configure your targets.
  4. Click Add target.
  5. In the Target drop-down, select SNS topic.
  6. In the Topic drop-down, select the SNS topic you configured to receive Lacework events.
  7. (Optional) Under Configure input, select Part of the matched event and input the following:
       $.detail

Configure Sumo Logic HTTP Endpoint

  1. In Sumo Logic, navigate to Manage Data > Collection.

  2. In the top right, click Add Collector.

  3. Select Hosted Collector.
    Provide a name, for example, HTTP, and optional description, category, and time zone. Click Save to create your collector.

  4. Add a data source to your collector by proceeding or clicking Add source.

  5. Under Cloud APIs, select HTTP Logs & Metrics.

  6. Provide a name for your source as well as optional configuration. For additional information about configuring a source and options, see the Sumo Logic documentation Add a Source.

  7. Click Save.
    This generates an HTTP source address. This address is the endpoint you subscribe to the previously configured SNS topic.

Subscribe Sumo Logic HTTP Endpoint to SNS Topic

  1. In AWS, navigate to SNS, and on the left menu select Topics.
  2. Go into the SNS topic by clicking the ARN of the topic that was created in the previous Set Up an SNS Topic procedure.
  3. Under Subscriptions, click Create subscription.
    1. The Topic ARN should be populated with the ARN of your SNS topic.
    2. For protocol, select HTTPS.
    3. For endpoint, input the HTTP source address url generated when creating your Sumo Logic HTTP endpoint.
  4. This initializes the configuration for Lacework events to be sent via CloudWatch to the SNS topic subscribed to by the Sumo Logic HTTP endpoint. Upon subscription, complete the verification by navigating to an event sent into Sumo Logic and clicking the URL to confirm subscription.

Configure SNS to Send Raw Message Delivery

  1. In AWS > SNS, click into the ARN to select your topic.
  2. Under Subscriptions, click Other subscription actions and select Edit subscription attributes.
  3. Select the raw message delivery checkbox and click Set subscription attributes.