"How to" Webinar: Sending Data to Sumo Logic

Editor's Notes

• #2: Welcome everyone. My name is…. I’m joined by Maisie and Ryan who are part of our Engineering team that works on Data Collection. They will be fielding questions at the end of this webinar’s Q&A session. Housekeeping items: Everyone is on mute to avoid distractions If you want to ask a question, please do so using the GTW question panel This webinar will be recorded and shared with all of you, along with the slides
• #3: Please note that this webinar is specifically for users with Admin priviledges who have access to install and manage Collectors. At the completion of this webinar, you will be able to…
• #5: Sumo Logic Data Flow is broken into 3 main areas: Data Collection through configurable Collectors and Sources. Collectors collect, compress, cache and encrypt the data for secure transfer. Search and Analyze – Users can run searches and correlate events in real-time across the entire application stack. We will be spending most of our time in this area during this webinar, as this is most likely what you will first be doing as a new user. Visualize and Monitor- Users have the ability to create custom dashboards to help you easily monitor your data in real-time. Custom alerts notify you when specific events are identified across your stack. I will cover Data Collection at a high-level, and cover the next 2 areas through a demo.
• #6: What data can we ingest? We can ingest data from just about any source you can imagine - structured or unstructured. Here are just a few of the devices, applications and frameworks you may be using - all of which produce log data that SL can analyze. The left hands side can present you technology stack – from custom application code all the way down to your network devices.
• #7: Sumo Logic Installed and Hosted Collectors are infinitely flexible. Design a Sumo Logic deployment that's right for your organization. <Review slide citing some examples>
• #8: At a High-level, Customers collect and send data to Sumo Logic through the use of Collectors and Sources. We’ll cover collectors first and then dive into Sources. This is an great example what we see at a typical customer. This customer is sending web server log files to the Sumo Logic service. Host A and Host B are each sending a couple of log files through a locally installed Sumo Logic collector. In the case of Host C, which is sending IIS log files, it’s using a hosted collector where a local script can send data to an HTTP endpoint (running curl and POST commands).
• #11: Hosted Collectors Allow for seamless collection from Amazon S3 buckets and HTTP Sources. Hosted Collectors don't require installation or activation, nor do Hosted Collectors have physical requirements, since they're hosted in AWS. Because there are no performance issues to consider, you can configure as many S3 and HTTP Sources as you'd like for a single Hosted Collector. Installed Collectors Sumo Logic Installed Collectors are lightweight and efficient. You can choose to install a small number of Collectors to minimize maintenance or just because you want to keep your topology simple (Centralized). Alternatively, you can choose to install many Collectors on many machines (Local) to distribute the bandwidth impact across your network. Installed Collectors are deployed in your environment, either on a local machine, a machine in your organization, or even an Amazon Machine Image (AMI). Installed Collectors require a software download and installation. Upgrades to Collector software are released regularly. A few things to consider: Consider having an Installed Collector on a dedicated machine if: You are running a very high-bandwidth network with high logging levels. You want a central collection point for many Sources. Consider having more than one Installed Collector if: You expect the combined number of files coming into one Collector to exceed 500. Your hardware has memory or CPU limitations. You expect combined logging traffic for one Collector to be higher than 15,000 events per second. Your network clusters or regions are geographically separated. You prefer to install many Collectors, for example, one per machine to collect local files. IMPORTANT: For system requirement details, see Installed Collector Requirements.
• #13: The Sumo Logic Collector is installed on all target Hosts and, where possible, sends log data produced on those target Hosts directly to Sumo Logic Backend via https connection.
• #14: The Sumo Logic Collector is installed on all target Hosts and, where possible, sends log data produced on those target Hosts directly to Sumo Logic Backend via https connection.
• #15: The Sumo Logic Collector is installed on a set of dedicated machines, these collect log data from the target Hosts via various remote mechanisms and forward the data to the Sumo Logic Backend. This can be accomplished by either using Sumo Logic syslog source type or by running Syslog Servers (syslog-ng, rsyslog), write to file, and collect from there.
• #16: The Sumo Logic Collector is installed on a set of dedicated machines, these collect log data from the target Hosts via various remote mechanisms and forward the data to the Sumo Logic Backend. This can be accomplished by either using Sumo Logic syslog source type or by running Syslog Servers (syslog-ng, rsyslog), write to file, and collect from there.
• #17: In most cases our customers will employ a mix of the above options to account for different limitations on both the log types and source types. For example, network devices only broadcast syslog, so even if you generally employ local file collection paradigm, you still need some syslog infrastructure to collect these logs. Same is true for any Cloud API logs (e.g. Okta Event, etc) you may want to collect via script. Another example: an AWS-only customer, will most likely still choose to install collectors on all their EC2 instances (local collection) and collect AWS Audit logs (CloudTrail, ELB, etc) via the S3 integration. Which strategy you choose does not depend primarily on where the data lives, but on the following: sensitivity in terms of outbound internet access, technical abilities in your team (setting up centralized infrastructure requires knowledge, hardware and a need for monitoring/scaling/fault tolerance) Whether or not there is a logging infrastructure already in place. At a high-level, we only recommend the Centralize method if the following are true: - You absolutely cannot live with the internet access requirements - You have an existing infrastructure (syslog/logstash) - Your data volume or your number of target hosts is pretty large
• #19: At a High-level, Customers collect and send data to Sumo Logic through the use of Collectors and Sources. We’ll cover collectors first and then dive into Sources. This is an great example what we see at a typical customer. This customer is sending web server log files to the Sumo Logic service. Host A and Host B are each sending a couple of log files through a locally installed Sumo Logic collector. In the case of Host C, which is sending IIS log files, it’s using a hosted collector where a local script can send data to an HTTP endpoint (running curl and POST commands). Hosted collectors are also able to load data from AWS S3 buckets.
• #20: Name: something that is relevant to the data you are collecting Description: reference to understand the source Source Category; custom label that you can easily use to search data gathered by this source Timestamp Host File Path or Source (Name) Source Specific Config Local/Remote Path script/ File/Windows
• #27: Name: something that is relevant to the data you are collecting Description: reference to understand the source Source Category; custom label that you can easily use to search data gathered by this source Timestamp Host Hosted: S3: path expression allows you to identify which objects to upload from S3 can use wildcard to define the path expression and capture more files. Exact file name will only pick up files that match that
• #31: Great, data is ingested into the Sumo Logic service, but something else is also happening in the background. Every single message ingested gets tagged with metadata that makes it much easier to search for related messages. This table shows the 5 main tags (review them all) In particular, I want to point out the source Category metadata field, as choosing the right naming convention can make a big impact on your searching capabilities and performance.
• #32: This example will highlight the importance of defining the proper source category: Notice I’ve added the desired SourceCategory for each Source: = WS/Apache/Access Searches across Apache Security logs in both Host A and Host B = WS/Apache/* Searches across all Apache sources in both Host A and Host B = WS/* Searches across all Web Servers across all hosts