Capsule8 Docs

Getting Alerts into Sumo Logic

Lightweight log collection agents are commonly used to harvest application logs and metrics from a variety of platforms. In some cases, however, it is simpler to ingest data through an HTTP webhook endpoint. This example deployment shows how to do that with the Capsule8 Sensor and Sumo Logic.

Follow Sumo Logic's Collect Streaming Data from HTTP guide to set up a new HTTP collector. If you are using the collector setup wizard, the default values are all that is needed. Shortly after you finish, you should receive an email from Sumo Logic letting you know that your index is ready. Be sure to copy the URL for your collection endpoint. Note that the URL embeds a unique token and is the only thing authenticating data sent to that source, so treat it as a secret: keep it out of version control and shared logs, and regenerate it if it is ever exposed. Should you need to look up the HTTP collector or regenerate its URL at any time, click "Manage Data > Collection" in the Sumo Logic console's sidebar and find the HTTP collector you created. You are now ready to start sending Alerts.

We will configure the Capsule8 Sensor to send its Alert JSON to the HTTP endpoint hosted by Sumo Logic. Once the data is received, it is indexed and made available for searching in your environment. If you do not already have a policy for testing Capsule8's Alerts, copy the following analytics configuration into /etc/capsule8/capsule8-analytics.yaml, replacing $SUMO_LOGIC_URL with the URL of your collection endpoint:

alert_output:
  outputs:
    - type: webhook
      enabled: true
      url: $SUMO_LOGIC_URL

Wget Program Blacklist:
  policy: program
  enabled: true
  alertMessage: Unauthorized Program Execution
  priority: High
  rules:
  - match programName == "*/wget"
  - default ignore
  comments: Alert on usage of the wget command

For example, your webhook URL configuration might look like this:

url: https://collection.us2.sumologic.com/receiver/v1/http/Za41235c==

Restart your sensor and generate an Alert by running wget on the machine. An Alert with the message Unauthorized Program Execution should appear in Sumo Logic shortly afterward; if nothing arrives, confirm that the sensor restarted with the new configuration and that the URL in alert_output matches the collector URL exactly.
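Before pointing the sensor at Sumo Logic, it is useful to confirm that the webhook output actually delivers JSON in the form you expect, and to make sure the collector URL is never written to a log in the clear. The following script, added here as an example and not part of Capsule8's or Sumo Logic's own code, stands up a local HTTP receiver that accepts the same kind of POST a webhook output would send, posts a constructed sample alert to it, and redacts the token portion of a collector-style URL for safe logging. The alert field names in SAMPLE_ALERT are illustrative and are not Capsule8's documented schema; the helper names (start_receiver, post_alert, redact_url) are this example's own.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Constructed sample alert for testing the webhook path.
# Field names are illustrative only, not Capsule8's alert schema.
SAMPLE_ALERT = {
    "alertMessage": "Unauthorized Program Execution",
    "priority": "High",
    "policy": "Wget Program Blacklist",
    "programName": "/usr/bin/wget",
}


class WebhookReceiver(BaseHTTPRequestHandler):
    """Minimal stand-in for an HTTP collector: accepts JSON POSTs and stores them."""

    received = []  # shared across requests so a test can inspect deliveries

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            # A real collector would reject malformed bodies; mirror that.
            self.send_response(400)
            self.end_headers()
            return
        type(self).received.append(payload)
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        # Silence the default stderr access log; it would print the full
        # request path, which for a real collector includes the secret token.
        pass


def start_receiver(port=0):
    """Start the receiver on 127.0.0.1 in a background thread; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), WebhookReceiver)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server


def post_alert(url, alert):
    """POST an alert as JSON the way a webhook output would; return the HTTP status."""
    req = Request(
        url,
        data=json.dumps(alert).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urlopen(req) as resp:
        return resp.status


def redact_url(url):
    """Replace the final path segment (the collector token) so the URL can be logged safely."""
    parts = urlsplit(url)
    segments = parts.path.rsplit("/", 1)
    if len(segments) == 2 and segments[1]:
        segments[1] = "<redacted>"
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments), "", ""))


if __name__ == "__main__":
    server = start_receiver()
    # Path shape mirrors a Sumo Logic collector URL; the token here is made up.
    local_url = "http://127.0.0.1:%d/receiver/v1/http/EXAMPLETOKEN==" % server.server_port
    print("posting to", redact_url(local_url))
    print("status", post_alert(local_url, SAMPLE_ALERT))
    print("received", WebhookReceiver.received[-1]["alertMessage"])
    server.shutdown()
```

Run it once to see a 200 from the local receiver and the stored alert; then swap the local URL for your real collection endpoint only in the sensor configuration, never in a script that prints its arguments.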