Sumo Logic Alert Channel

A Lacework Amazon CloudWatch alert channel can forward Lacework alerts through CloudWatch. You can define a CloudWatch rule that sends matching alerts to a target using Amazon SNS (Simple Notification Service), and subscribe a Sumo Logic custom app endpoint to that SNS topic. Lacework alerts are then delivered via the SNS subscription to your Sumo Logic custom app endpoint, where you can view the alert data in Sumo Logic.

Create a Lacework Alert Channel

Configure a Lacework alert channel with Amazon CloudWatch.

Set Up an SNS Topic

  1. In the AWS Console, navigate to SNS, and on the left menu, select Topics.
  2. Click Create new topic and provide a Topic name and Display name.
  3. In AWS, navigate to CloudWatch.
  4. Under Events > Rules, select the rule you created with the Amazon CloudWatch integration.
  5. In the top right, select Actions > Edit to bring up the rule and target page. On the left, you should see the custom event pattern you configured when setting up CloudWatch. On the right, you should see where you can configure your targets.
  6. Select Add target.
  7. In the Target drop-down, select SNS topic.
  8. In the Topic drop-down, select the SNS topic you configured to receive Lacework events.
  9. (Optional) Under Configure input, select Part of the matched event and input the following:

Configure Sumo Logic HTTP Endpoint

Do the following:

  1. In Sumo Logic, navigate to Manage Data > Collection.
  2. In the top right, click Add Collector.
  3. Select Hosted Collector.
  4. Provide a name, for example, HTTP, and optional description, category, and time zone. Click Save to create your collector.
  5. Add a data source to your collector, either by continuing the flow after saving or by clicking Add source.
  6. Under Cloud APIs, select HTTP Logs & Metrics.
  7. Provide a name for your source as well as optional configuration. For additional information about configuring a source and options, see the Sumo Logic documentation Add a Source.
  8. Click Save.

This generates an HTTP source address. This address is the endpoint you subscribe to the SNS topic configured earlier.

Subscribe Sumo Logic HTTP Endpoint to SNS Topic

Do the following:

  1. In the AWS Console, navigate to SNS, and on the left menu select Topics.
  2. Open the SNS topic by clicking the ARN of the topic created in the Set Up an SNS Topic procedure above.
  3. Under Subscriptions, click Create subscription.
    1. The Topic ARN should be populated with the ARN of your SNS topic.
    2. For protocol, select HTTPS.
    3. For endpoint, input the HTTP source address URL generated when you created your Sumo Logic HTTP endpoint.
  4. This completes the configuration path for Lacework events: CloudWatch sends them to the SNS topic, and the SNS topic delivers them to the subscribed Sumo Logic HTTP endpoint. The subscription is not active until it is confirmed: SNS first posts a SubscriptionConfirmation message to the endpoint, so navigate to that event in Sumo Logic and open the SubscribeURL it contains to confirm the subscription.

Configure SNS to Send Raw Message Delivery

Do the following:

  1. In AWS > SNS, click into the ARN to select your topic.
  2. Under Subscriptions, click Other subscription actions and select Edit subscription attributes.
  3. Select the raw message delivery checkbox and click Set subscription attributes.
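The two SNS behaviours the procedures above depend on, the SubscriptionConfirmation message you must confirm and the difference raw message delivery makes to what the HTTP endpoint receives, can be seen in a small receiver. The following is an added example written for this page; it is not Lacework, Sumo Logic or AWS code. The SNS field names (Type, SubscribeURL, TopicArn, Message) are the real ones, but every value, the topic ARN, and the alert event body are constructed placeholders, not Lacework's alert schema. It only parses and classifies message bodies; it does not perform SNS message signature verification, which a production endpoint should also do.

```python
"""Classify what an SNS HTTPS subscription posts to an HTTP endpoint.

Added example for the Lacework -> CloudWatch -> SNS -> Sumo Logic procedure.
Not Lacework, Sumo Logic or AWS code; all sample values are constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed placeholders (not real resources).
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:EXAMPLE-lacework-alerts"
SUBSCRIBE_URL = (
    "https://sns.us-east-1.amazonaws.com/?Action=ConfirmSubscription"
    f"&TopicArn={TOPIC_ARN}&Token=EXAMPLE-TOKEN"
)

# What SNS posts right after "Create subscription": the endpoint must open
# SubscribeURL (the "click the URL to confirm subscription" step).
SUBSCRIPTION_CONFIRMATION = json.dumps({
    "Type": "SubscriptionConfirmation",
    "MessageId": "11111111-2222-3333-4444-555555555555",
    "Token": "EXAMPLE-TOKEN",
    "TopicArn": TOPIC_ARN,
    "Message": "You have chosen to subscribe to the topic ...",
    "SubscribeURL": SUBSCRIBE_URL,
    "Timestamp": "2024-01-01T00:00:00.000Z",
})

# Constructed stand-in for the CloudWatch event the rule target forwards.
# The "detail" keys are placeholders, not Lacework's alert schema.
ALERT_EVENT = {
    "source": "lacework",
    "detail-type": "EXAMPLE-alert",
    "detail": {"alert_id": "EXAMPLE-1", "severity": "High"},
}

# Without raw message delivery: an SNS JSON envelope whose "Message" field
# holds the event serialised as a string, so the consumer must parse twice.
WRAPPED_NOTIFICATION = json.dumps({
    "Type": "Notification",
    "MessageId": "22222222-3333-4444-5555-666666666666",
    "TopicArn": TOPIC_ARN,
    "Message": json.dumps(ALERT_EVENT),
    "Timestamp": "2024-01-01T00:00:01.000Z",
})

# With raw message delivery enabled: the POST body is the event itself.
RAW_NOTIFICATION = json.dumps(ALERT_EVENT)


def is_sns_url(url: str) -> bool:
    """Sanity check: only follow HTTPS links on an amazonaws.com host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return parts.scheme == "https" and host.endswith(".amazonaws.com")


def handle_sns_post(body: str) -> dict:
    """Return what a receiver should do with one SNS POST body.

    SNS also sets an x-amz-sns-message-type request header; this example
    drives the decision from the body alone so it runs without HTTP plumbing.
    """
    doc = json.loads(body)
    msg_type = doc.get("Type")

    if msg_type == "SubscriptionConfirmation":
        url = doc["SubscribeURL"]
        if not is_sns_url(url):
            raise ValueError("SubscribeURL does not point at an SNS host")
        # The caller performs an HTTPS GET on this URL to confirm the subscription.
        return {"action": "confirm", "subscribe_url": url, "topic_arn": doc["TopicArn"]}

    if msg_type == "Notification":
        # Envelope form (raw message delivery off): unwrap the nested JSON string.
        try:
            event = json.loads(doc["Message"])
        except (json.JSONDecodeError, TypeError):
            event = {"raw_message": doc.get("Message")}
        return {"action": "ingest", "delivery": "wrapped", "event": event}

    # No SNS "Type" field: raw message delivery handed us the event directly.
    return {"action": "ingest", "delivery": "raw", "event": doc}


if __name__ == "__main__":
    for body in (SUBSCRIPTION_CONFIRMATION, WRAPPED_NOTIFICATION, RAW_NOTIFICATION):
        print(json.dumps(handle_sns_post(body), indent=2))
```

Running the three constructed bodies through `handle_sns_post` shows why the last procedure matters: with raw message delivery off, the alert arrives as a string inside the SNS envelope's Message field and has to be parsed a second time before its fields are searchable; with it on, the body is the event itself. Note that the SubscriptionConfirmation message is always delivered in envelope form, because raw message delivery is set on the subscription after it exists.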