Show search and navigation.

 

Setting up Sumo Logic Log Delivery

Applies To:
HTTP LargeThis platform has been optimized to cache and deliver static content (e.g., HTML, CSS, JavaScript, ISO, multimedia, and software downloads, etc.) over HTTP or HTTPS.
HTTP SmallLegacy. If you are currently serving traffic over this platform, then you may continue to do so. However, we recommend that you serve your traffic over our more robust HTTP Large platform.
ADNThe Application Delivery Network platform has been optimized to deliver dynamic content (e.g., login credentials, account information, etc.) over HTTP or HTTPS. Typically, user-specific and database-driven content are served over this platform.
Real-Time Log DeliveryDelivers near real-time log data to your web server, an AWS S3 bucket, an Azure Block Blob, Splunk Enterprise, Sumo Logic, or Datadog.

RTLD may automatically deliver compressed log data to Sumo Logic by submitting HTTPS POST requests to it. Sumo Logic will collect these requests as they are pushed from the CDN. Each request contains a compressed JSON document that describes one or more log entries.

Learn more: RTLD CDN | RTLD Rate Limiting | RTLD WAF

The format for log data delivered to Sumo Logic is JSON Lines. This log format does not provide information that uniquely identifies a set of log data. As a result, there is no way to check for gaps in sequence numbers when attempting to identify missing log data.

To create a log delivery profile

  1. Set up Sumo Logic to listen for CDN log data in JSON format.

    1. Log in to Sumo Logic.

    2. Click Setup Wizard.

    3. Click Set Up Streaming Data.

    4. Click Your Custom App.

    5. Click HTTP Source.

    6. In the Source Category option, type the name of the tag that will be applied to CDN log data. This tag may be used to search for CDN log data within Sumo Logic.

    7. Click Continue. An HTTP Source for CDN log data will be created.
    8. Copy the URL associated with this HTTP Source.

  2. Navigate to the Real-Time Log Delivery CDN | Rate Limiting | WAF page. From the main menu, navigate to More and then find Real-Time Log Delivery under Analytics. Select either CDN, WAF, or RL.

  3. Click Add Profile.
  4. From the Log Delivery Method option, select Sumo Logic.
  5. In the Sumo Logic URL option, paste the URL associated with the HTTP Source created in step 1.

  6. From the Downsample the Logs option, determine whether all or downsampledReduces the amount of log data that will be delivered. For example, you may choose to only deliver 1% of your log data. log data will be delivered.

    • All Log Data: Verify that the Downsample the Logs option is disabled.

    • Downsampled Log Data: Downsample logs to 0.1%, 1%, 25%, 50%, or 75% of total log data by enabling the Downsample the Logs option and then selecting the desired rate from the Downsampling Rate option.

      Use this capability to reduce the amount of data that needs to be processed or stored by Sumo Logic.
      RTLD CDN Only: Downsampling log data also reduces usage charges for this service.

  7. Log delivery setup varies according to whether you are delivering log data for CDN traffic, threats identified by WAF, or rate limited requests.

    ClosedTo set up RTLD CDN
    1. From the Log Delivery section, mark each delivery platform for which real-time log data may be delivered.

    2. From the Filter by Edge CNAME section, perform one of the following steps:

      • Filter log data by one or more edge CNAME(s)

        1. Determine whether log data will be filtered to include or exclude requests to the selected edge CNAME(s) by selecting either Matches or Does Not Match, respectively.

        2. Select one or more edge CNAMEs from the option directly to the right of the above option.

          Filter the list by typing the entire or partial hostname. For example, typing co will filter the list to include all hostnames that contain co (e.g., cdn.example.com and corp.example.org).

      • Upload all log data regardless of edge CNAME

        Verify that an edge CNAME has not been defined within this section.

    3. From the Filter by User Agent option, perform one of the following steps:

    4. From the Filter by Status Code section, perform one of the following steps:

      • Filter log data by status code

        Mark each status code class (e.g., 2xx or 3xx) for which log data will be delivered. Clear all other status code classes.

      • Upload all log data regardless of status code

        Clear all status code classes (e.g., 2xx and 3xx).

    5. From the Log file contains the following fields section, perform the following steps:

      1. Add the request headers, response headers, and cookies that will be logged for each request from the Custom Request Headers, Custom Response Headers, and Custom Cookies options.

        You may either select or type the name of the desired headers and/or cookies. Click on the list to add additional headers or cookies. Remove a header or cookie by clicking on its x.

        Although other settings take effect quickly, it may take up to 90 minutes before data for custom request/response headers and cookies is logged.

      2. Click Expand All.
      3. Mark each field that will be reported for each request submitted to the CDN.
      4. Clear each field for which log data should not be reported.

      Add or clear all of the fields associated with a category by marking or clearing the category's header.

    ClosedTo set up RTLD Rate Limiting

    1. From the Filter by Edge CNAME section, perform one of the following steps:

      • Filter log data by one or more edge CNAME(s)

        1. Determine whether log data will be filtered to include or exclude requests to the selected edge CNAME(s) by selecting either Matches or Does Not Match, respectively.

        2. Select one or more edge CNAMEs from the option directly to the right of the above option.

          Filter the list by typing the entire or partial hostname. For example, typing co will filter the list to include all hostnames that contain co (e.g., cdn.example.com and corp.example.org).

      • Upload all log data regardless of edge CNAME

        Verify that an edge CNAME has not been defined within this section.

    2. From the Filter by Country section, perform one of the following steps:

      • Filter log data by one or more countries:

        1. Determine whether log data will be filtered to include or exclude requests to the selected countries by selecting either Matches or Does Not Match, respectively.

        2. Select one or more countries from the option directly to the right of the above option.

          Filter the list by typing the entire or partial country name. For example, typing un will filter the list to include all countries that contain un (e.g., United States and United Kingdom).

      • Upload all log data regardless of country of origin:

        Verify that a country has not been defined within this section.

    3. From the Filter by User Agent option, perform one of the following steps:

    4. From the Filter by Client IP option, perform one of the following steps:

      • Filter log data by one or more IP addresses:

        1. Determine whether log data will be filtered to include or exclude requests to the selected IP addresses by selecting either Matches or Does Not Match, respectively.
        2. Type one or more IP addresses within the option directly to the right of the above option.

      • Upload all log data regardless of IP address:

        Verify that an IP address has not been defined within this section.

    5. From the Filter By Action Type option, perform one of the following steps:

      • Filter log data by one or more enforcement action(s):

        1. Determine whether log data will be filtered to include or exclude requests to the selected enforcement action(s) by selecting either Matches or Does Not Match, respectively.

        2. Select or type the name for one or more enforcement action(s).

      • Upload all log data regardless of enforcement action:

        Verify that an enforcement action has not been defined within this section.

    6. From the Filter By Request Method option, perform one of the following steps:

      • Filter log data by one or more request method(s):

        1. Determine whether log data will be filtered to include or exclude requests to the selected request method(s) by selecting either Matches or Does Not Match, respectively.
        2. Select or type the name for one or more request method(s).

      • Upload all log data regardless of request method:

        Verify that a request method has not been defined within this section.

    7. From the Filter By Scope Name option, perform one of the following steps:

      • Filter log data by one or more security application manager(s):

        1. Determine whether log data will be filtered to include or exclude requests to the selected security application manager(s) by selecting either Matches or Does Not Match, respectively.

        2. Select or type the name for one or more security application manager(s).

      • Upload all log data regardless of security application manager:

        Verify that a security application manager(s) has not been defined within this section.

    8. From the Filter By Action Limit ID option, perform one of the following steps:

      • Filter log data by one or more rate rule(s):

        1. Determine whether log data will be filtered to include or exclude requests to the selected rate rules(s) by selecting either Matches or Does Not Match, respectively.

        2. Type the name for one or more rate rule(s).

      • Upload all log data regardless of rate rule:

        Verify that a rate rule has not been defined within this section.

    9. From the Filter By URL Regex option, perform one of the following steps:

    10. From the Log file contains the following fields section, perform the following steps:

      1. Mark each field that will be reported for each request submitted to the CDN.
      2. Clear each field for which log data should not be reported.
    ClosedTo set up RTLD WAF

    1. From the Filter by Edge CNAME section, perform one of the following steps:

      • Filter log data by one or more edge CNAME(s)

        1. Determine whether log data will be filtered to include or exclude requests to the selected edge CNAME(s) by selecting either Matches or Does Not Match, respectively.

        2. Select one or more edge CNAMEs from the option directly to the right of the above option.

          Filter the list by typing the entire or partial hostname. For example, typing co will filter the list to include all hostnames that contain co (e.g., cdn.example.com and corp.example.org).

      • Upload all log data regardless of edge CNAME

        Verify that an edge CNAME has not been defined within this section.

    2. From the Filter by Country section, perform one of the following steps:

      • Filter log data by one or more countries:

        1. Determine whether log data will be filtered to include or exclude requests to the selected countries by selecting either Matches or Does Not Match, respectively.

        2. Select one or more countries from the option directly to the right of the above option.

          Filter the list by typing the entire or partial country name. For example, typing un will filter the list to include all countries that contain un (e.g., United States and United Kingdom).

      • Upload all log data regardless of country of origin:

        Verify that a country has not been defined within this section.

    3. From the Filter by User Agent option, perform one of the following steps:

    4. From the Filter By Security Application Manager option, perform one of the following steps:

      • Filter log data by one or more security application manager(s):

        1. Determine whether log data will be filtered to include or exclude requests to the selected security application manager(s) by selecting either Matches or Does Not Match, respectively.

        2. Select or type the name for one or more security application manager(s).

      • Upload all log data regardless of security application manager:

        Verify that a security application manager(s) has not been defined within this section.

    5. From the Filter By Access Rule option, perform one of the following steps:

      • Filter log data by one or more access rule(s):

        1. Determine whether log data will be filtered to include or exclude requests to the selected access rule(s) by selecting either Matches or Does Not Match, respectively.

        2. Select or type the name for one or more access rule(s).

      • Upload all log data regardless of access rule:

        Verify that an access rule has not been defined within this section.

    6. From the Filter By Custom Rule option, perform one of the following steps:

      • Filter log data by one or more custom rule(s):

        1. Determine whether log data will be filtered to include or exclude requests to the selected custom rule(s) by selecting either Matches or Does Not Match, respectively.

        2. Select or type the name for one or more custom rule(s).

      • Upload all log data regardless of custom rule:

        Verify that a custom rule has not been defined within this section.

    7. From the Filter By Managed Rule option, perform one of the following steps:

      • Filter log data by one or more managed rule(s):

        1. Determine whether log data will be filtered to include or exclude requests to the selected managed rule(s) by selecting either Matches or Does Not Match, respectively.

        2. Select or type the name for one or more managed rule(s).

      • Upload all log data regardless of managed rule:

        Verify that a managed rule has not been defined within this section.

    8. From the Log file contains the following fields section, perform the following steps:

      1. Mark each field that will be reported for each request submitted to the CDN.
      2. Clear each field for which log data should not be reported.

  8. Set the Log Delivery Enabled option to the "on" position.

  9. Click Save.
More Information