
Ingesting logs from Sumo Logic

Realm supports ingesting logs from Sumo Logic. While this is not a typical setup our customers leverage in Production, it is useful during POCs.

Sumo S3 POC

The integration involves the following steps:

Step 1: AWS Console: Setup S3 Bucket and Role

In this step, you will set up an S3 bucket and IAM Role for Sumo Logic to forward data to.

Setup S3 Bucket

  1. Log in to the AWS console.
  2. Go to S3.
  3. Click Create bucket and fill out the details.

Setup IAM Policy

Set up an IAM policy that grants read and write permission to the S3 bucket.

  1. Log in to the AWS console.
  2. Go to IAM > Policies.
  3. Click Create Policy.
  4. Click JSON and paste the following policy, replacing <bucket_name> with the name of the bucket created above.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Writes",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket_name>",
                "arn:aws:s3:::<bucket_name>/*"
            ]
        }
    ]
}
```

  5. Give it a name and click Save policy.

Create IAM Role

Create an IAM role that gives cross-account permission to the Sumo Logic Account ID.

  1. Go to IAM > Roles.
  2. Click Create Role.
  3. Select AWS Account.
  4. Select Another AWS Account and enter the account ID provided by Sumo Logic.
  5. Select Require External ID and enter the External ID provided by Sumo Logic.

Note: To get the Sumo Logic Account ID and External ID, log in to the Sumo Logic console and go to Data Management > Data Forwarding > Add Destination. Copy the Account ID and External ID from the destination popup.

Add Role

  1. Click Next.
  2. Search for the policy created above and select it.
  3. Click Next and give the role a name, for example: sumo-fortigate-s3.
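As an added check that is not part of the Realm or Sumo Logic documentation, the script below reads the bucket policy from this page together with the role's trust policy and flags the two things that matter for a cross-account forwarding role: S3 access beyond the one bucket and the three actions above, and a trust statement that does not require the External ID. The bucket name, account ID and External ID are placeholders, and the trust policy is the one the console produces for the "Another AWS Account" plus "Require External ID" choices.

```python
# S3 actions the bucket policy above grants; anything beyond these is over-privileged.
EXPECTED_ACTIONS = {"s3:PutObject", "s3:GetObject", "s3:ListBucket"}

def as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]

def check_forwarding_policies(permission_policy, trust_policy, bucket_name):
    """Return a list of findings; an empty list means both documents match the intended setup."""
    findings = []
    in_scope = {f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"}
    for stmt in permission_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        extra = set(as_list(stmt.get("Action", []))) - EXPECTED_ACTIONS
        if extra:
            findings.append(f"unexpected actions granted: {sorted(extra)}")
        for resource in as_list(stmt.get("Resource", [])):
            if resource not in in_scope:
                findings.append(f"resource not scoped to the forwarding bucket: {resource}")
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or (isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))):
            findings.append("trust policy lets any AWS principal assume the role")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not external_id:
            findings.append("trust policy does not require sts:ExternalId (confused-deputy risk)")
    return findings

# Constructed sample input: the bucket policy from this page with the bucket name filled in,
# and the trust policy the console produces for "Another AWS Account" + "Require External ID".
# <SUMO_ACCOUNT_ID> and <EXTERNAL_ID> are placeholders for the values copied from Sumo Logic.
BUCKET = "example-sumo-forwarding-bucket"
PERMISSION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AllowS3Writes", "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::<SUMO_ACCOUNT_ID>:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "<EXTERNAL_ID>"}}}]}

if __name__ == "__main__":
    print(check_forwarding_policies(PERMISSION_POLICY, TRUST_POLICY, BUCKET) or "no findings")
```

Run it against the policy and trust documents you actually saved (pasted in as Python dicts or loaded with json.loads) before handing the role ARN to Sumo Logic.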

Step 2: Setup Data Forwarding in Sumo Logic

Add Data Forwarding Destination

  1. In the Sumo Logic console, go to Data Management > Data Forwarding.
  2. Click Add Destination.
  3. Enter the name of the S3 bucket created above.
  4. Enter the region where the S3 bucket was created.
  5. Enter the ARN of the role created above.

Add Destination

Forward Partition Data to S3 Destination

  1. In the Sumo Logic console, go to Data Management > Partitions.
  2. Select the partition you want to configure Data Forwarding for.
  3. Enable Data Forwarding for the partition and fill in the details:

     Forwarding Destination: Existing Amazon S3 Destination
     Amazon S3 Destination: The destination created above
     Included Data: Raw
     Forwarded data type: TEXT
     File Prefix: <product_name>/

Note: Make sure the prefix ends with / — this ensures all logs for the partition are saved to a "product name folder" in S3.

Configure partition

Step 3: AWS Console - Setup Bucket Notifications & Keys

Follow these instructions to set up the SQS queue, bucket notifications, and access keys that will be required in the next step.

Step 4: Realm Console: Setup Source & Destination

Add a Source

  1. Log in to the Realm console.
  2. Go to Sources > Add Source.
  3. Select a product (e.g., FortiGate) and create a new source with a name.
  4. Select Transport Method: AWS S3.
  5. Enter the credentials and ARN of the SQS queue.
  6. Update the name of the input feed to <source_name>-S3 (e.g., Fortigate - S3).
  7. Click Save.

Add a Destination

  1. Go to Destinations > Add Destination.

     Intended Use: SIEM
     Name: SIEM

  2. Click Add.

Add Blackhole Output Feed

  1. On the SIEM Destination page, click Add Output Feed.

Add Output Feed

     Name: Blackhole
     Type: Blackhole

  2. Click Add.

Connect Source to the Destination

  1. On the SIEM Destination page, click Add Source.

Add Source

  2. Select a source from the drop-down (e.g., FortiGate).
  3. Click Add.
