Sending logs from SentinelOne to Sumo Logic requires a Cloud Syslog Source in Sumo Logic and a SentinelOne Syslog integration configured to forward to it over TLS. The steps below cover both sides.
Step 1. Configure a Hosted Collector in Sumo Logic:
- In Sumo Logic select Manage Data > Collection > Collection.
- Click Add Collector.
- Click Hosted Collector.
- In the Add Collector dialog box, type a Name for the Collector as well as an optional Description, Category, and Time Zone.
- Then click Save.
After the Collector has been created, it will appear on the Collection page as a Hosted Collector.
Step 2. Add a Cloud Syslog Source to your Hosted Collector:
- Click Add Source next to your Hosted Collector.
- Select Cloud Syslog.
- Enter a name to display for this source in Sumo. A description is optional.
- (Optional) For Source Host and Source Category, enter any string to tag the output collected from this source.
- Click Save.
See the following help documentation for more information on creating and configuring a Cloud Syslog Source.
The token information used later in the SentinelOne configuration will be displayed in a read-only dialog box after saving your Cloud Syslog Source configuration.
Step 3. Download the Sumo Logic server certificate file:
- Download the Sumo Logic root certificate from the following location.
- From a terminal window navigate to the path of the downloaded certificate file and run the following command to convert the .crt file to a .pem file, which will be used later in the setup process.
openssl x509 -inform der -in DigiCertHighAssuranceEVRootCA.crt -out DigiCertHighAssuranceEVRootCA.pem
Step 4. Configure SentinelOne to send Syslog to the Sumo Logic Syslog Source:
- From the SentinelOne Management Console, click SETTINGS > INTEGRATIONS > SYSLOG.
- Enable Syslog.
- Enter the Sumo Logic Syslog Host URL and port number supplied from the Sumo Logic Cloud Syslog configuration.
- Select the option for Use TLS Secure Connection.
- In Certificate, next to Server certificate, click Upload and browse to the certificate .pem file created in Step 3.
- In Formatting:
* Information format - Select CEF2.
* SIEM Token - Paste the Cloud Syslog Source Token provided by Sumo Logic in Step 2.
- Click Test to verify the configuration.
- Click Save.
SentinelOne should now be configured to send log data to Sumo Logic via your Cloud Syslog Source. After a few minutes, you can verify that you are receiving logs by running a search using the Collector name configured in Step 1.
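If the Test button in Step 4 fails, it helps to separate a certificate or transport problem from a SentinelOne-side problem. The script below is an added example, not code from Sumo Logic or SentinelOne: it builds an RFC 5424 syslog message that carries the Cloud Syslog Source token, opens a TLS connection that trusts only the .pem produced in Step 3, and writes one test line. The host, port, token and sample message are placeholders you replace with the values shown in the read-only dialog from Step 2; the structured-data form `[<token>@41123]` (41123 being Sumo Logic's IANA enterprise number) is an assumption about the collector's expected format and is not stated on this page.

```python
"""Send one test RFC 5424 message to a Sumo Logic Cloud Syslog Source over TLS.

All values below are placeholders (constructed for this example): substitute the
host, port and token from the Cloud Syslog Source dialog (Step 2) and the .pem
file converted in Step 3.
"""
import socket
import ssl
from datetime import datetime, timezone

SYSLOG_HOST = "syslog.collection.example.invalid"   # placeholder, not a real endpoint
SYSLOG_PORT = 6514                                   # placeholder port
SOURCE_TOKEN = "PLACEHOLDER_SOURCE_TOKEN"            # placeholder token
CA_PEM_PATH = "DigiCertHighAssuranceEVRootCA.pem"    # PEM file from Step 3
SUMO_PEN = 41123   # assumed: Sumo Logic IANA enterprise number used in the SD-ID


def build_rfc5424(token, hostname, app, msg, ts=None, pri=14):
    """Return one RFC 5424 syslog line.

    The source token travels in the structured-data element [<token>@41123]
    so the collector can route the line to the right source.  PRI 14 is
    facility 'user' (1) with severity 'informational' (6): 1*8 + 6.
    """
    ts = ts or datetime.now(timezone.utc)
    stamp = ts.strftime("%Y-%m-%dT%H:%M:%S") + f".{ts.microsecond // 1000:03d}Z"
    return f"<{pri}>1 {stamp} {hostname} {app} - - [{token}@{SUMO_PEN}] {msg}"


def token_from_line(line):
    """Read the source token back out of a built line (self-check before sending).

    Returns None when the structured-data element is absent or does not carry
    the expected enterprise number; a collector would typically drop such a
    line silently rather than reject it, so catching it locally saves time.
    """
    start = line.find("[")
    end = line.find("]", start)
    if start == -1 or end == -1:
        return None
    sd_id = line[start + 1:end].split(" ")[0]
    token, _, pen = sd_id.rpartition("@")
    return token if pen == str(SUMO_PEN) and token else None


def send_tls(host, port, ca_pem, line, timeout=10):
    """Write one newline-terminated message over TLS and return the TLS version.

    The context trusts only ca_pem (the root certificate from Step 3) and
    verifies the server hostname, which mirrors what SentinelOne does with the
    uploaded server certificate when 'Use TLS Secure Connection' is enabled.
    """
    ctx = ssl.create_default_context(cafile=ca_pem)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall((line + "\n").encode("utf-8"))
            return tls.version()


if __name__ == "__main__":
    # Constructed sample message; SentinelOne itself would send CEF2 lines here.
    line = build_rfc5424(SOURCE_TOKEN, "s1-setup-check", "syslog-test",
                         "connectivity check from setup script")
    if token_from_line(line) != SOURCE_TOKEN:
        raise SystemExit("token not found in built line; refusing to send")
    print(line)
    try:
        print("sent over", send_tls(SYSLOG_HOST, SYSLOG_PORT, CA_PEM_PATH, line))
    except OSError as exc:   # covers DNS, connect and TLS verification failures
        print("transport/TLS failure:", exc)
```

A successful run prints the negotiated TLS version; a certificate or trust failure surfaces as an `ssl.SSLError` before any data is sent, while a DNS or connection refusal points at the host/port values rather than the certificate. Once the line appears in a Sumo Logic search scoped to the Collector from Step 1, the remaining variables are all on the SentinelOne side.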