
Exporting Alerts to Sumo Logic

Lightweight log collection agents are often used to harvest application logs or metrics from a variety of platforms. In some cases, however, it is easier to ingest data through an HTTP webhook endpoint. This example deployment illustrates how to do that with Sophos Linux Sensor (SLS) and Sumo Logic.

Follow Sumo Logic's Configure a Hosted Collector and Source guide to set up a new HTTP collector. If you are using the collector setup wizard, the default values are sufficient. Shortly after you finish, you should receive an email from Sumo Logic letting you know that your index is ready. Be sure to copy the URL of your collection endpoint. If you need to look up the HTTP collector or regenerate its URL later, click Manage Data > Collection in the Sumo Logic console's sidebar and find the HTTP collector you created. You are now ready to start sending Alerts.

We will be configuring SLS to send its Alert JSON to an HTTP endpoint hosted by Sumo Logic. Once the data is received, it will be indexed and made available in your environment. If you don't already have a policy for testing SLS Alerts, copy and paste the following configuration into /etc/sophos/runtimedetections-rules.yaml:

alert_output:
  outputs:
    - type: webhook
      enabled: true
      url: $SUMO_LOGIC_URL

Wget Program Blacklist:
  policy: program
  enabled: true
  alertMessage: Unauthorized Program Execution
  priority: High
  rules:
  - match programName = "*/wget"
  - default ignore
  comments: Alert on usage of the wget command

Note

You must replace $SUMO_LOGIC_URL with the URL for your collection endpoint. For example, your webhook URL configuration might look like this:

url: https://collection.us2.sumologic.com/receiver/v1/http/Za41235c=

Restart SLS and generate an Alert by running wget on the machine. You should then see an Alert for Unauthorized Program Execution in your Sumo Logic collector.
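Before restarting SLS, it is useful to confirm that the collection URL you pasted into the config is well formed and that the collector accepts JSON. The following script is an added example and is not part of SLS or Sumo Logic; the function names (validate_sumo_url, build_test_alert, post_alert) are hypothetical, and the alert fields it posts are a constructed sample that mirrors the policy above rather than SLS's real Alert schema.

```python
"""Check a Sumo Logic HTTP Source URL and post one constructed test alert
to it, the way the SLS webhook output will, before restarting SLS."""
from __future__ import annotations
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlsplit

RECEIVER_PREFIX = "/receiver/v1/http/"

def validate_sumo_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason). The path carries the per-source token that
    authorizes writes to the collector, so the URL is effectively a
    credential: it must be HTTPS and must not still be the placeholder."""
    if "$SUMO_LOGIC_URL" in url:
        return False, "placeholder $SUMO_LOGIC_URL was not replaced"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme must be https; the URL contains the source token"
    if not (parts.hostname or "").endswith(".sumologic.com"):
        return False, "host is not a sumologic.com collection endpoint"
    if not parts.path.startswith(RECEIVER_PREFIX) or len(parts.path) <= len(RECEIVER_PREFIX):
        return False, "path is not an HTTP Source receiver path with a token"
    return True, "ok"

def build_test_alert() -> dict:
    """Constructed sample alert resembling the Wget policy; not SLS's schema."""
    return {
        "alertMessage": "Unauthorized Program Execution",
        "priority": "High",
        "policy": "Wget Program Blacklist",
        "programName": "/usr/bin/wget",
        "test": True,
    }

def post_alert(url: str, alert: dict, timeout: float = 10.0) -> int:
    """POST the alert as JSON, as a webhook output would; return HTTP status."""
    body = json.dumps(alert).encode()
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "$SUMO_LOGIC_URL"
    ok, reason = validate_sumo_url(target)
    if not ok:
        sys.exit(f"refusing to post: {reason}")
    print("HTTP", post_alert(target, build_test_alert()))
```

Run it with your collection URL as the only argument; a 200 response means the collector accepted the JSON, and the test record should show up in the Sumo Logic search shortly afterwards.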