Adding a Sumo Logic Log Collector

The following section details how to add a Sumo Logic log collector to CAS Manager. For information on Sumo Logic, see here. In order to add the log collector you must have a CAS Manager instance, and a Sumo Logic account that has the permission levels required to create log collectors.

  1. SSH to the CAS Manager host and create the Sumo Logic configuration file:
    cd ~
    vim sources.json
    
  2. Paste in the following information. The file must be plain JSON, so do not add comments or annotations to it; the values you may want to change are explained below the block:
    {
    "api.version": "v1",
    "sources": [
        {
            "name": "test",
            "category": "casm/test",
            "automaticDateParsing": true,
            "multilineProcessingEnabled": false,
            "useAutolineMatching": false,
            "forceTimeZone": false,
            "timeZone": "Etc/UTC",
            "filters": [],
            "cutoffTimestamp": 0,
            "encoding": "UTF-8",
            "pathExpression": "/var/log/containers/*.log",
            "blacklist": [],
            "sourceType": "LocalFile",
            "alive": false
        }
    ]
    }
    
    You can replace the "name" value ("test") and the "category" value ("casm/test") with your own, or leave them as they are. The "pathExpression" value tells Sumo Logic which file patterns to ingest; we only care about the container logs, so leave it as is.
    
  3. Download the Sumo Logic Collector:
    curl "https://collectors.sumologic.com/rest/download/linux/64" -o SumoCollector.sh
    sudo chmod +x SumoCollector.sh
    
  4. Install the Sumo Logic Collector. For more information on installing the Sumo Collector, see here.

Once you have access to the CAS Manager host, you need to perform one of the following:

  • Installation using an installation token

Installation tokens can be created by going to Administration>Security>Installation Tokens in the Sumo Logic web app and adding a token. Once you have completed this, run the following command:

sudo ./SumoCollector.sh -q -Vsumo.token_and_url=<Your-Installation-Token> -VsyncSources=/path/to/sources.json

  • Installation using an access key

Access keys can be created by going to the Preferences page in the Sumo Logic web app and adding an access key. You will then be able to copy the accessID and accessKey. Once you have completed this, run the following command:

sudo ./SumoCollector.sh -q -Vsumo.accessid=<accessid> -Vsumo.accesskey=<accesskey> -VsyncSources=/path/to/sources.json

Once you have the Sumo Logic collector installed, you can log into Sumo Logic and access the logs for this collector.
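The collector reads the file passed to -VsyncSources as strict JSON, so a stray annotation left in sources.json from step 2 will stop the source from being created. The script below is an added example, not part of the CAS Manager or Sumo Logic documentation: it builds a sources.json with the layout shown in step 2 and checks a file for the mistakes that most often break it (comments outside strings, missing keys, a non-absolute path). The required-key list and the embedded annotated sample are assumptions constructed for the example.

```python
"""Build and sanity-check a Sumo Logic sources.json before syncing it.

Added example; assumes the v1 sources.json layout shown in step 2
(an "api.version" key plus a "sources" list of LocalFile entries).
"""
import json
import re

# Keys a LocalFile source entry should carry (assumption for this check).
REQUIRED_SOURCE_KEYS = {"name", "category", "sourceType", "pathExpression", "encoding"}

# Matches a complete JSON string literal, including escaped quotes.
_STRING_LITERAL = re.compile(r'"(?:\\.|[^"\\])*"')


def build_sources_json(name="test", category="casm/test",
                       path_expression="/var/log/containers/*.log"):
    """Return the sources.json text for one LocalFile source, as in step 2."""
    config = {
        "api.version": "v1",
        "sources": [{
            "name": name,
            "category": category,
            "automaticDateParsing": True,
            "multilineProcessingEnabled": False,
            "useAutolineMatching": False,
            "forceTimeZone": False,
            "timeZone": "Etc/UTC",
            "filters": [],
            "cutoffTimestamp": 0,
            "encoding": "UTF-8",
            "pathExpression": path_expression,
            "blacklist": [],
            "sourceType": "LocalFile",
            "alive": False,
        }],
    }
    return json.dumps(config, indent=4)


def validate_sources_json(text):
    """Return a list of problems found in sources.json text; empty means usable."""
    problems = []
    # Most common mistake: '# <<< ...' annotations left in the file. Blank out
    # string contents first so a '#' inside a legitimate value is not flagged.
    for lineno, line in enumerate(text.splitlines(), 1):
        if "#" in _STRING_LITERAL.sub('""', line):
            problems.append(f"line {lineno}: '#' comment is not valid JSON")
    try:
        config = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"not parseable as JSON: {exc.msg} (line {exc.lineno})")
        return problems
    if config.get("api.version") != "v1":
        problems.append("api.version must be 'v1'")
    sources = config.get("sources")
    if not isinstance(sources, list) or not sources:
        problems.append("sources must be a non-empty list")
        return problems
    for i, src in enumerate(sources):
        missing = REQUIRED_SOURCE_KEYS - set(src)
        if missing:
            problems.append(f"source {i}: missing keys {sorted(missing)}")
        if src.get("sourceType") != "LocalFile":
            problems.append(f"source {i}: sourceType should be 'LocalFile' for file ingestion")
        path = src.get("pathExpression", "/")
        if not path.startswith("/"):
            problems.append(f"source {i}: pathExpression should be an absolute path")
    return problems


# Constructed sample reproducing the annotated layout that must NOT be pasted.
ANNOTATED_SAMPLE = """{
    "api.version": "v1",
    "sources": [
        {
            "name": "test", # <<< Replace this with your own
            "category": "casm/test", # <<< Replace this
            "pathExpression": "/var/log/containers/*.log", # <<< leave as is
            "sourceType": "LocalFile"
        }
    ]
}"""


if __name__ == "__main__":
    text = build_sources_json()
    with open("sources.json", "w", encoding="utf-8") as fh:
        fh.write(text)
    for problem in validate_sources_json(text) or ["sources.json looks usable"]:
        print(problem)
```

Run it on the CAS Manager host before step 4; only pass the file to -VsyncSources once validate_sources_json reports nothing.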