
Sumo Logic Integration

Configuring Sumo Logic to Receive Data

Realm Security supports integration with Sumo Logic using OTLP/HTTP for log ingestion. This guide provides instructions to configure Sumo Logic to receive data from Realm.

Configuration of the Realm Collector and specific firewall sources (such as FortiGate or Palo Alto) are documented separately.

Step 1: Configure Sumo Logic to Receive OTLP Data

  1. Navigate to Settings > Connections > Add Collector
  2. Enter Realm OTLP as the Name
  3. Copy the OTLP Endpoint URL
  4. Create a New Partition (Recommended)
  • Helps separate Realm Security logs from other existing data pipelines.

Step 2: Create a Destination in Realm for Sumo Logic

  1. Navigate to Destinations > Add Destination
  2. Enter the name: Sumologic
  3. Under Destinations, select Add New Source
  • Connect the relevant log source (e.g., FortiGate, Azure, etc.) to the Sumologic destination
  4. Go to Output Feeds > Add Output Feed
  • Choose the Sumologic output feed
  • Paste the OTLP Endpoint URL copied earlier

Step 3: Add fields in Sumo Logic

Event logs sent to Sumo Logic carry two additional metadata fields: _realmfeed, set to the input feed name (for collector feeds, this is the stream name), and _realmcollector, set to the collector name.

Within Sumo Logic, these fields are indexed and can be used for RBAC, searching, filtering, reporting and monitoring of logs. To make use of them, log in to Sumo Logic and add these two fields.

[Screenshots: the Add Field dialog and the resulting Fields list]

Next Step: Configure Your Realm Collector

Once Sumo Logic is configured to receive logs, proceed to the next step: setting up the Realm Collector. Instructions can be found on the Realm Collector Installation Guide.

  • For FortiGate setup, refer to the FortiGate Syslog Configuration Guide
  • For Collector installation, see Install Realm Collector
  • For additional support, contact Realm Security.

Sending data from multiple sources to Sumo Logic

Broadly speaking, there are two approaches for sending logs from multiple sources to Sumo Logic.

1) Data Collector per Source in Sumo Logic

In this option, set up a separate Data Collector in Sumo Logic for each source and override the value of the sourceCategory field to match that source.

2) One Data Collector in Sumo Logic

When using Realm as your data pipeline, you have the option to use a single Data Collector in Sumo Logic, thereby simplifying the setup and configuration required on the Sumo Logic side.

Realm tags every event with an additional metadata field, _sourceCategory, and sets its value based on the source the event belongs to. This way there is no need to set up a separate Data Collector for each additional source in Sumo Logic. The Realm documentation for each source lists the value of its _sourceCategory field.

For the single Realm Data collector within Sumo Logic, do not set an override value for the _sourceCategory field. Use the _sourceCategory field to map the logs to appropriate indexes in Sumo Logic as you would normally do.
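The following is an added example, not Realm Security's or Sumo Logic's code, showing what the metadata described in Step 3 and in the single-collector approach looks like on the wire and how to sanity-check a batch before it leaves the pipeline. It builds an OTLP/HTTP log payload in the standard OpenTelemetry JSON encoding (ExportLogsServiceRequest), attaches _realmfeed, _realmcollector and _sourceCategory to each record, flags records missing any of them, and lists the distinct _sourceCategory values you would map to partitions in Sumo Logic. The sample events, the placement of the Realm fields as log-record attributes, and the `service.name` value are assumptions for illustration; the endpoint URL is the one copied from Sumo Logic in Step 1.

```python
"""Build and sanity-check an OTLP/HTTP JSON log payload carrying the
Realm metadata fields (_realmfeed, _realmcollector, _sourceCategory).

Added example, not Realm Security's code. The JSON layout follows the
OpenTelemetry ExportLogsServiceRequest encoding; placing the Realm
fields as log-record attributes and the sample events below are
assumptions for illustration.
"""
import json
import time
from urllib import request

REQUIRED_FIELDS = ("_realmfeed", "_realmcollector", "_sourceCategory")

# Constructed sample events with hypothetical feed/collector/category values.
SAMPLE_EVENTS = [
    {"body": "date=2024-05-01 time=10:00:01 devname=fw1 action=accept",
     "_realmfeed": "fortigate-syslog", "_realmcollector": "collector-dc1",
     "_sourceCategory": "realm/fortigate"},
    {"body": "date=2024-05-01 time=10:00:02 devname=fw1 action=deny",
     "_realmfeed": "fortigate-syslog", "_realmcollector": "collector-dc1",
     "_sourceCategory": "realm/fortigate"},
    {"body": '{"operationName":"SignInLogs","resultType":"0"}',
     "_realmfeed": "azure-signin", "_realmcollector": "collector-cloud",
     "_sourceCategory": "realm/azure"},
]


def _attr(key, value):
    """One OTLP KeyValue with a string value."""
    return {"key": key, "value": {"stringValue": str(value)}}


def build_otlp_payload(events, ts_ns=None):
    """Wrap events in an ExportLogsServiceRequest (OTLP JSON encoding)."""
    ts_ns = ts_ns if ts_ns is not None else time.time_ns()
    records = []
    for ev in events:
        records.append({
            "timeUnixNano": str(ts_ns),
            "body": {"stringValue": ev["body"]},
            # Only the Realm fields present on the event become attributes.
            "attributes": [_attr(k, ev[k]) for k in REQUIRED_FIELDS if k in ev],
        })
    return {"resourceLogs": [{
        "resource": {"attributes": [_attr("service.name", "realm")]},
        "scopeLogs": [{"scope": {"name": "realm.pipeline"},
                       "logRecords": records}],
    }]}


def _iter_records(payload):
    for rl in payload["resourceLogs"]:
        for sl in rl["scopeLogs"]:
            yield from sl["logRecords"]


def record_attributes(record):
    """Flatten a record's attribute list into a plain dict."""
    return {a["key"]: a["value"]["stringValue"]
            for a in record.get("attributes", [])}


def missing_fields(payload):
    """Return (record index, missing field names) for each record lacking a
    Realm metadata field; an empty list means every record is fully tagged."""
    problems = []
    for idx, rec in enumerate(_iter_records(payload)):
        have = record_attributes(rec)
        gone = [f for f in REQUIRED_FIELDS if f not in have]
        if gone:
            problems.append((idx, gone))
    return problems


def source_categories(payload):
    """Distinct _sourceCategory values in the batch. With one Sumo Logic
    collector these are the values to map to partitions, not override."""
    cats = {record_attributes(r).get("_sourceCategory")
            for r in _iter_records(payload)}
    return sorted(c for c in cats if c)


def post_otlp(endpoint_url, payload, timeout=10):
    """POST the batch to the OTLP/HTTP logs endpoint (URL copied from Sumo
    Logic in Step 1). Not called at import time; returns the HTTP status."""
    data = json.dumps(payload).encode()
    req = request.Request(endpoint_url, data=data, method="POST",
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    batch = build_otlp_payload(SAMPLE_EVENTS)
    print(json.dumps(batch, indent=2))
    print("missing fields:", missing_fields(batch))
    print("source categories:", source_categories(batch))
```

Running the script prints the payload and an empty "missing fields" list; if you drop one of the Realm fields from an event, `missing_fields` names the record and the field, which is the check worth running before pointing a new feed at the single Sumo Logic collector.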