---
title: Sumo Logic alerting
aliases: [ "/docs/sumo-logic/" ]
---

runZero integrates with ((Sumo Logic)) to help you visualize your asset data, so you can track your progress on reducing risk in your asset inventory over time.

Setting up the connection between Sumo Logic and runZero requires:
1. [Creating a Sumo Logic HTTP Source](#sumo-logic-http-source)
2. [Creating a runZero alert template](#sumo-logic-alert-template)
3. [Creating a rule in runZero](#sumo-logic-rule)
4. [Handling runZero data in Sumo Logic](#sumo-logic-handling)
5. [Creating a Sumo Logic dashboard (optional)](#sumo-logic-dashboard)

## Step 1: Create a Sumo Logic HTTP Source {#sumo-logic-http-source}
1. After logging in to Sumo Logic, navigate to **Manage Data** > **Collection**.
2. Click **Add Collector**, select **Hosted Collector**, provide a name such as `runZero Collector`, and click **save**.
3. If prompted to add a data source, click **OK**. Otherwise, find your Collector in the list and click **Add Source**.
4. Select the [**HTTP Logs and Metrics**](https://help.sumologic.com/docs/send-data/hosted-collectors/http-source/logs-metrics/) source, provide a name, such as `runZero Alerts`, and then click **save**.
5. Copy the URL provided to use in [step 2](#sumo-logic-alert-template).

## Step 2: Create a runZero alert template {#sumo-logic-alert-template}
1. Create an [alert template](https://console.runzero.com/alerts/template/create/) in runZero and provide the following details:
    * **Name**: Name for template
    * **Template type**: JSON
    * **Subject line for message**: Leave empty
    * **Body of message**: The following JSON example includes the rule name, the search URL, the number of matches and the number of new assets in the alert message body:
      ```json
      {"rule_name": "{{rule.name}}", "search_url": "{{search.url}}", "found": "{{search.found}}", "assets_new": "{{scan.assets_new}}"}
      ```
2. Create an [alert channel](https://console.runzero.com/alerts/channel/create/) in runZero and provide the following details:
    * **Name**: Name for alert channel
    * **Channel type**: Webhook
    * **Webhook URL**: The webhook URL you copied from Sumo Logic

## Step 3: Create a rule in runZero {#sumo-logic-rule}
Now that you have your alert template and channel created, you will want to identify the triggers to alert on. Some common examples are:

* Asset query results - When there is a match on a query in runZero after a scan completes
* New assets found - When a scan completes with new assets
* Agent offline - When your runZero Explorer stops checking in to the console
* Task failed - When a task fails for any reason

We will use the **asset query results** selection as an example for the rest of the steps. Review [example queries](docs/search-query-examples.md) for ideas on what queries you could create.

1. Create a [new alert rule](https://console.runzero.com/alerts/rule/create/).
2. Select `asset-query-results` and click **Configure rule**.
3. Input values for the rule:
    * **Name**: name of the rule.
    * **Conditions**: optional parameters; the alert triggers only when all conditions match.
      * **Query**: the query the assets must match.
      * **Number of matches**: the numeric comparison applied to **Value**.
      * **Value**: the match-count threshold that triggers the rule.
      * **Limit to organization**: limits the alert to a specific organization.
      * **Limit to site**: limits the alert to a specific site.
    * **Action**: `Notify`
      * **Notification channel**: name of the alert channel you created in step 2.
      * **Notification template**: name of the alert template you created in step 2.

## Step 4: Handle runZero data in Sumo Logic {#sumo-logic-handling}

The searches below select alerts by source and collector name, so the `_source` and `_collector` values must match the names you gave the HTTP Source and the Hosted Collector in Step 1 (the searches assume a source named `runZero Alerts` and a collector named `runZero`). The fields of the alert body are then extracted from the JSON payload with the `json` operator.

### This search will display the raw runZero data

```code
_source="runZero Alerts" and _collector="runZero"
```

### This search will show alerts matching the runZero rule name

```code
_source="runZero Alerts" and _collector="runZero"
| json field=_raw "found" nodrop
| json field=_raw "rule_name" nodrop
| where rule_name = "<RULE NAME>"
```

### This search will create a graph of the data matching the runZero rule name

```code
_source="runZero Alerts" and _collector="runZero"
| json field=_raw "assets_new" nodrop
| toLong(assets_new)
| json field=_raw "found" nodrop
| json field=_raw "search_url" nodrop
| json field=_raw "rule_name" nodrop
| where rule_name = "<RULE NAME>"
| timeslice 1m
| sum(found) by _timeslice
| order by _timeslice
```
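To check what the Step 2 template actually produces and what the Step 4 graph search computes, here is an added Python example (not runZero's or Sumo Logic's own code): it fills the template with constructed values, JSON-escaping them (how runZero itself escapes template values is an assumption made explicit here), then reproduces the json-extract, `where`, `timeslice 1m` and `sum(found)` stages over a few constructed webhook deliveries. Rule names are taken from Step 5; timestamps and counts are constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# The alert template body from Step 2, exactly as the page gives it.
TEMPLATE = ('{"rule_name":"{{rule.name}}","search_url":"{{search.url}}",'
            '"found": "{{search.found}}","assets_new": "{{scan.assets_new}}"}')

def render(template, values):
    """Fill {{key}} placeholders with JSON-escaped values. This is our
    simulation of runZero's substitution (the escaping is an assumption);
    escaping is what keeps a quote in a rule name from breaking the
    payload that the Sumo Logic json operator has to parse later."""
    def escaped(m):
        return json.dumps(str(values.get(m.group(1), "")))[1:-1]
    return re.sub(r"\{\{\s*([\w.]+)\s*\}\}", escaped, template)

def sum_found_by_minute(payloads, rule_name):
    """Reproduce the Step 4 graph search: json-extract the fields, keep rows
    whose rule_name matches, timeslice 1m, sum(found), order by timeslice.
    `found` arrives as a string because the template quotes it, hence int()."""
    totals = defaultdict(int)
    for received_at, raw in payloads:
        doc = json.loads(raw)                          # json field=_raw ... nodrop
        if doc.get("rule_name") != rule_name:          # where rule_name = "..."
            continue
        slot = received_at.strftime("%Y-%m-%dT%H:%M")  # timeslice 1m
        totals[slot] += int(doc["found"])              # sum(found) by _timeslice
    return sorted(totals.items())                      # order by _timeslice

def sample_payloads():
    """Constructed webhook deliveries (timestamp, raw body) for two of the
    Step 5 rules; not real runZero output."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    tls, ssl = "Assets running a TLS service - Sumo", "Assets with OpenSSL - Sumo"
    events = [(10, tls, 7), (20, ssl, 9), (40, tls, 3), (65, tls, 5)]  # (seconds, rule, found)
    return [(base.replace(minute=s // 60, second=s % 60),
             render(TEMPLATE, {"rule.name": r, "search.found": n,
                               "search.url": "https://console.runzero.com/inventory",
                               "scan.assets_new": 0}))
            for s, r, n in events]

if __name__ == "__main__":
    for slot, total in sum_found_by_minute(sample_payloads(),
                                           "Assets running a TLS service - Sumo"):
        print(slot, total)
```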

## Step 5: Create a dashboard in Sumo Logic (optional) {#sumo-logic-dashboard}

Now that you know how to look at the data in Sumo Logic and make a graph, you can follow these steps to create a dashboard. You will first create four rules in runZero, then you will import the [Sample Sumo Logic Dashboard](#sumo-logic-dash) below.

### Create the runZero rules

Follow the same steps as in Step 3 to create each of these rules, using the form inputs below.

#### Assets running a TLS service

* **Rule type**: asset-query-results
* **Name**: `Assets running a TLS service - Sumo`
* **Query**: `alive:t protocol:tls`
* **Number of matches**: is greater than 0
* **Notification channel**: alert channel created in [Step 2](#sumo-logic-alert-template)
* **Notification template**: alert template created in [Step 2](#sumo-logic-alert-template)

#### Multihomed assets - Sumo

* **Rule type**: asset-query-results
* **Name**: `Multihomed assets - Sumo`
* **Query**: `alive:t AND multi_home:t`
* **Number of matches**: is greater than 0
* **Notification channel**: alert channel created in [Step 2](#sumo-logic-alert-template)
* **Notification template**: alert template created in [Step 2](#sumo-logic-alert-template)

#### Assets with OpenSSL - Sumo

* **Rule type**: asset-query-results
* **Name**: `Assets with OpenSSL - Sumo`
* **Query**: `alive:t product:openssl`
* **Number of matches**: is greater than 0
* **Notification channel**: alert channel created in [Step 2](#sumo-logic-alert-template)
* **Notification template**: alert template created in [Step 2](#sumo-logic-alert-template)

#### New assets to Sumo Logic

* **Rule type**: new-assets-found
* **Name**: `New assets to Sumo Logic`
* **Number of matches**: is greater than 0
* **Notification channel**: alert channel created in [Step 2](#sumo-logic-alert-template)
* **Notification template**: alert template created in [Step 2](#sumo-logic-alert-template)

### Sample Sumo Logic Dashboard {#sumo-logic-dash}

1. Navigate to the library in Sumo Logic.
2. Click the **options** button on the folder you'd like to import to and click `Import`.
    * **Name**: runZero Alert Metrics
    * **JSON**: Copy from the sample below
3. Click `Import` to see this dashboard under the folder it was imported to.

```json
{
    "type": "DashboardV2SyncDefinition",
    "name": "runZero Asset Metrics",
    "description": "",
    "title": "runZero Asset Metrics",
    "theme": "Dark",
    "topologyLabelMap": {
        "data": {}
    },
    "refreshInterval": 0,
    "timeRange": {
        "type": "BeginBoundedTimeRange",
        "from": {
            "type": "RelativeTimeRangeBoundary",
            "relativeTime": "-3d"
        },
        "to": null
    },
    "layout": {
        "layoutType": "Grid",
        "layoutStructures": [
            {
                "key": "panelPANE-AC8FB3DCBD32DA48",
                "structure": "{\"height\":6,\"width\":12,\"x\":0,\"y\":0}"
            },
            {
                "key": "panel3D084A3284252A4E",
                "structure": "{\"height\":6,\"width\":12,\"x\":12,\"y\":0}"
            },
            {
                "key": "panelPANE-4389DBF794B13B44",
                "structure": "{\"height\":6,\"width\":12,\"x\":0,\"y\":6}"
            },
            {
                "key": "panelPANE-FBE08549B2123A4A",
                "structure": "{\"height\":6,\"width\":12,\"x\":12,\"y\":6}"
            }
        ]
    },
    "panels": [
        {
            "id": null,
            "key": "panelPANE-AC8FB3DCBD32DA48",
            "title": "New assets found",
            "visualSettings": "{\"general\":{\"mode\":\"timeSeries\",\"type\":\"line\",\"displayType\":\"default\",\"markerSize\":5,\"lineDashType\":\"solid\",\"markerType\":\"none\",\"lineThickness\":1},\"title\":{\"fontSize\":14},\"axes\":{\"axisX\":{\"titleFontSize\":12,\"labelFontSize\":12},\"axisY\":{\"titleFontSize\":12,\"labelFontSize\":12,\"logarithmic\":false}},\"legend\":{\"enabled\":true,\"verticalAlign\":\"bottom\",\"fontSize\":12,\"maxHeight\":50,\"showAsTable\":false,\"wrap\":true},\"color\":{\"family\":\"Categorical Default\"},\"series\":{},\"overrides\":[]}",
            "keepVisualSettingsConsistentWithParent": true,
            "panelType": "SumoSearchPanel",
            "queries": [
                {
                    "transient": false,
                    "queryString": "_source=\"runZero Alerts\" and _collector=\"runZero\"\n| json field=_raw \"assets_new\" nodrop\n| json field=_raw \"found\" nodrop\n| json field=_raw \"search_url\" nodrop\n| json field=_raw \"rule_name\" nodrop\n| where rule_name = \"New assets to Sumo Logic\"\n| timeslice 1m\n| sum(assets_new) by _timeslice\n| order by _timeslice",
                    "queryType": "Logs",
                    "queryKey": "A",
                    "metricsQueryMode": null,
                    "metricsQueryData": null,
                    "tracesQueryData": null,
                    "spansQueryData": null,
                    "parseMode": "Auto",
                    "timeSource": "Message",
                    "outputCardinalityLimit": 1000
                }
            ],
            "description": "",
            "timeRange": null,
            "coloringRules": null,
            "linkedDashboards": []
        },
        {
            "id": null,
            "key": "panel3D084A3284252A4E",
            "title": "Multihomed assets found",
            "visualSettings": "{\"general\":{\"mode\":\"timeSeries\",\"type\":\"line\",\"displayType\":\"default\",\"markerSize\":5,\"lineDashType\":\"solid\",\"markerType\":\"none\",\"lineThickness\":1},\"title\":{\"fontSize\":14},\"axes\":{\"axisX\":{\"titleFontSize\":12,\"labelFontSize\":12},\"axisY\":{\"titleFontSize\":12,\"labelFontSize\":12,\"logarithmic\":false}},\"legend\":{\"enabled\":true,\"verticalAlign\":\"bottom\",\"fontSize\":12,\"maxHeight\":50,\"showAsTable\":false,\"wrap\":true},\"color\":{\"family\":\"Categorical Default\"},\"series\":{},\"overrides\":[]}",
            "keepVisualSettingsConsistentWithParent": true,
            "panelType": "SumoSearchPanel",
            "queries": [
                {
                    "transient": false,
                    "queryString": "_source=\"runZero Alerts\" and _collector=\"runZero\"\n| json field=_raw \"assets_new\" nodrop\n| toLong(assets_new)\n| json field=_raw \"found\" nodrop\n| json field=_raw \"search_url\" nodrop\n| json field=_raw \"rule_name\" nodrop\n| where rule_name = \"Multihomed Assets\" or rule_name = \"Multihomed assets - Sumo\"\n| timeslice 1m\n| sum(found) by _timeslice\n| order by _timeslice",
                    "queryType": "Logs",
                    "queryKey": "A",
                    "metricsQueryMode": null,
                    "metricsQueryData": null,
                    "tracesQueryData": null,
                    "spansQueryData": null,
                    "parseMode": "Auto",
                    "timeSource": "Message",
                    "outputCardinalityLimit": 1000
                }
            ],
            "description": "",
            "timeRange": null,
            "coloringRules": null,
            "linkedDashboards": []
        },
        {
            "id": null,
            "key": "panelPANE-4389DBF794B13B44",
            "title": "Assets with a TLS service",
            "visualSettings": "{\"general\":{\"mode\":\"timeSeries\",\"type\":\"line\",\"displayType\":\"default\",\"markerSize\":5,\"lineDashType\":\"solid\",\"markerType\":\"none\",\"lineThickness\":1},\"title\":{\"fontSize\":14},\"axes\":{\"axisX\":{\"titleFontSize\":12,\"labelFontSize\":12},\"axisY\":{\"titleFontSize\":12,\"labelFontSize\":12,\"logarithmic\":false}},\"legend\":{\"enabled\":true,\"verticalAlign\":\"bottom\",\"fontSize\":12,\"maxHeight\":50,\"showAsTable\":false,\"wrap\":true},\"color\":{\"family\":\"Categorical Default\"},\"series\":{},\"overrides\":[]}",
            "keepVisualSettingsConsistentWithParent": true,
            "panelType": "SumoSearchPanel",
            "queries": [
                {
                    "transient": false,
                    "queryString": "_source=\"runZero Alerts\" and _collector=\"runZero\"\n| json field=_raw \"assets_new\" nodrop\n| toLong(assets_new)\n| json field=_raw \"found\" nodrop\n| json field=_raw \"search_url\" nodrop\n| json field=_raw \"rule_name\" nodrop\n| where rule_name = \"Assets running a TLS service\" or rule_name = \"Assets running a TLS service - Sumo\"\n| timeslice 1m\n| sum(found) by _timeslice\n| order by _timeslice",
                    "queryType": "Logs",
                    "queryKey": "A",
                    "metricsQueryMode": null,
                    "metricsQueryData": null,
                    "tracesQueryData": null,
                    "spansQueryData": null,
                    "parseMode": "Auto",
                    "timeSource": "Message",
                    "outputCardinalityLimit": 1000
                }
            ],
            "description": "",
            "timeRange": null,
            "coloringRules": null,
            "linkedDashboards": []
        },
        {
            "id": null,
            "key": "panelPANE-FBE08549B2123A4A",
            "title": "Assets running OpenSSL",
            "visualSettings": "{\"general\":{\"mode\":\"timeSeries\",\"type\":\"line\",\"displayType\":\"default\",\"markerSize\":5,\"lineDashType\":\"solid\",\"markerType\":\"none\",\"lineThickness\":1},\"title\":{\"fontSize\":14},\"axes\":{\"axisX\":{\"titleFontSize\":12,\"labelFontSize\":12},\"axisY\":{\"titleFontSize\":12,\"labelFontSize\":12,\"logarithmic\":false}},\"legend\":{\"enabled\":true,\"verticalAlign\":\"bottom\",\"fontSize\":12,\"maxHeight\":50,\"showAsTable\":false,\"wrap\":true},\"color\":{\"family\":\"Categorical Default\"},\"series\":{},\"overrides\":[]}",
            "keepVisualSettingsConsistentWithParent": true,
            "panelType": "SumoSearchPanel",
            "queries": [
                {
                    "transient": false,
                    "queryString": "_source=\"runZero Alerts\" and _collector=\"runZero\"\n| json field=_raw \"assets_new\" nodrop\n| toLong(assets_new)\n| json field=_raw \"found\" nodrop\n| json field=_raw \"search_url\" nodrop\n| json field=_raw \"rule_name\" nodrop\n| where rule_name = \"Assets with OpenSSL\" or rule_name = \"Assets with OpenSSL - Sumo\"\n| timeslice 1m\n| sum(found) by _timeslice\n| order by _timeslice",
                    "queryType": "Logs",
                    "queryKey": "A",
                    "metricsQueryMode": null,
                    "metricsQueryData": null,
                    "tracesQueryData": null,
                    "spansQueryData": null,
                    "parseMode": "Auto",
                    "timeSource": "Message",
                    "outputCardinalityLimit": 1000
                }
            ],
            "description": "",
            "timeRange": null,
            "coloringRules": null,
            "linkedDashboards": []
        }
    ],
    "variables": [],
    "coloringRules": []
}
```
