Getting Alerts into Sumo Logic
Lightweight log collection agents are often used to harvest application logs or metrics from a variety of platforms. In some cases, however, it is easier to ingest data through an HTTP webhook endpoint. This example deployment illustrates how to do that with the Capsule8 Sensor and Sumo Logic.
Follow Sumo Logic’s Collect Streaming Data from HTTP guide to set up the new HTTP collector. If you are using the collector setup wizard, the default values are all that is needed. Shortly after you finish, you should receive an email from Sumo Logic letting you know that your index is ready. Be sure to copy the URL for your collection endpoint. Should you need to access the HTTP collector or regenerate it at any time, click “Manage Data > Collection” in the Sumo Logic console’s sidebar and find the HTTP collector you created. You are now ready to start adding Alerts.
We will be configuring the Capsule8 Sensor to send its Alert JSON to an HTTP endpoint hosted by Sumo Logic. Once the data is received, it will be indexed and made available in your environment. If you do not already have a policy for testing Capsule8’s Alerts, copy and paste the following analytics configuration, with $SUMO_LOGIC_URL replaced by the URL for your collection endpoint, into

    alert_output:
      outputs:
        - type: webhook
          enabled: true
          url: $SUMO_LOGIC_URL
    Wget Program Blacklist:
      policy: program
      enabled: true
      alertMessage: Unauthorized Program Execution
      priority: High
      rules:
        - match programName == "*/wget"
        - default ignore
      comments: Alert on usage of the wget command
For example, your webhook URL configuration might look like this:
Restart your sensor and generate an Alert by running wget on your machine. You should see a resulting Alert for Unauthorized Program Execution.
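To check the collector side of this setup without waiting for a real wget hit, the following added example (not Capsule8 or Sumo Logic code) builds and sends a constructed Alert JSON to a Sumo Logic HTTP Source the same way the webhook output does: a POST with a JSON body. The alert fields are constructed for illustration and are not the Sensor's real schema; the endpoint is read from the SUMO_LOGIC_URL environment variable because the collector URL is effectively a bearer credential and should not be committed alongside the policy file. The X-Sumo-Category and X-Sumo-Name headers are Sumo Logic's documented per-request metadata overrides, used here so the alerts can be searched by source category; the helper and function names are this example's own.

```python
"""Post a constructed Capsule8-style Alert to a Sumo Logic HTTP Source.

Added example, not Capsule8 or Sumo Logic code. The alert below is
constructed to resemble a hit on the "Wget Program Blacklist" policy.
"""
import json
import os
import urllib.request
from urllib.parse import urlparse

# Constructed sample alert (hypothetical field names, not the Sensor's schema).
SAMPLE_ALERT = {
    "alertMessage": "Unauthorized Program Execution",
    "priority": "High",
    "policy": "Wget Program Blacklist",
    "programName": "/usr/bin/wget",
    "hostname": "build-agent-01",  # constructed hostname
}


def validate_collector_url(url):
    """Accept only https:// endpoints: the URL embeds the source token."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("collector URL must be an https:// endpoint")
    return url


def build_request(url, alert, source_category="capsule8/alerts"):
    """Build the POST a webhook output would make to the HTTP Source.

    X-Sumo-Category and X-Sumo-Name override the source metadata
    so the alerts are searchable by category in Sumo Logic.
    """
    body = json.dumps(alert, separators=(",", ":")).encode("utf-8")
    return urllib.request.Request(
        validate_collector_url(url),
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "X-Sumo-Category": source_category,
            "X-Sumo-Name": "capsule8-sensor",
        },
    )


def send_alert(url, alert, opener=urllib.request.urlopen, timeout=5):
    """Send one alert; returns the HTTP status code (200 on success)."""
    req = build_request(url, alert)
    with opener(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Set SUMO_LOGIC_URL to the collection endpoint copied from the
    # collector setup; nothing is sent unless it is present.
    endpoint = os.environ["SUMO_LOGIC_URL"]
    print("HTTP status:", send_alert(endpoint, SAMPLE_ALERT))
```

A 200 response confirms the endpoint accepts the body; the alert should then appear in a search scoped to the source category within a minute or two, which is the same place the Sensor's real wget alert will land.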