Sumo Logic Cheatsheet
Sumo Logic is a cloud-native machine data analytics platform that delivers real-time insights into application, infrastructure, and security data. As a software-as-a-service (SaaS) solution, Sumo Logic lets organizations collect, search, and analyze massive volumes of structured and unstructured data across their entire technology stack, providing comprehensive visibility for operational intelligence, security monitoring, and business analytics.
Overview
Core Architecture
Sumo Logic runs on a multi-tenant, cloud-native architecture designed for massive scale and real-time processing. The platform consists of several key components that work together to deliver comprehensive data analytics capabilities.
The data collection layer uses lightweight collectors, deployed either as installed collectors on individual systems or as hosted collectors that receive data over HTTP endpoints. These collectors support a wide range of data sources, including log files, metrics, traces, and custom applications via APIs and webhooks.
The data processing engine performs real-time parsing, enrichment, and indexing of incoming data streams. Sumo Logic's proprietary search technology enables sub-second query performance across massive data sets, while machine learning algorithms automatically detect patterns, anomalies, and trends in the data.
Key Features
```bash
# Core Platform Capabilities
- Real-time log analytics and search
- Metrics monitoring and alerting
- Security information and event management (SIEM)
- Application performance monitoring (APM)
- Infrastructure monitoring
- Compliance and audit reporting
- Machine learning and predictive analytics
- Custom dashboards and visualizations
```
Data Collection and Sources
Installed Collectors
```bash
# Download and install the collector (Linux)
wget https://collectors.sumologic.com/rest/download/linux/64 -O SumoCollector.sh
sudo bash SumoCollector.sh -q -Vsumo.accessid=<accessId> -Vsumo.accesskey=<accessKey>

# Install and start as a service
sudo /opt/SumoCollector/collector install
sudo /opt/SumoCollector/collector start

# Check collector status
sudo /opt/SumoCollector/collector status

# View collector logs
tail -f /opt/SumoCollector/logs/collector.log
```
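For unattended deployments it can help to script a rough health check against the collector log. A minimal sketch, not an official tool: the default log path matches the install above, and the matched message text ("error") is an assumption that may vary by collector version.

```shell
#!/bin/sh
# Minimal collector health-check sketch.
LOG="${1:-/opt/SumoCollector/logs/collector.log}"

check_collector_log() {
  # Report "degraded" if the last 100 lines contain errors, else "ok".
  # The "error" keyword is an assumption about the log format.
  if tail -n 100 "$1" 2>/dev/null | grep -qi "error"; then
    echo "degraded"
  else
    echo "ok"
  fi
}

check_collector_log "$LOG"
```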
Hosted Collectors
```bash
# Create an HTTP source endpoint
curl -X POST https://api.sumologic.com/api/v1/collectors/

# Send data to the HTTP endpoint
curl -X POST https://endpoint.collection.sumologic.com/receiver/v1/http/
```
Source Configuration
```bash
# Configure a local file source
{
  "source": {
    "name": "Application Logs",
    "category": "prod/app/logs",
    "pathExpression": "/var/log/myapp/*.log",
    "sourceType": "LocalFile",
    "multilineProcessingEnabled": true,
    "useAutolineMatching": true
  }
}

# Configure a remote syslog source
{
  "source": {
    "name": "Remote Syslog",
    "category": "prod/system/syslog",
    "protocol": "UDP",
    "port": 514,
    "sourceType": "Syslog"
  }
}
```
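Before POSTing a source definition to the API, it is worth validating the JSON locally. A small sketch using python3's stdlib `json.tool`, which exits non-zero on invalid input (the payload mirrors the local file source above):

```shell
#!/bin/sh
# Validate a source definition locally before sending it to the API.
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
{
  "source": {
    "name": "Application Logs",
    "category": "prod/app/logs",
    "pathExpression": "/var/log/myapp/*.log",
    "sourceType": "LocalFile"
  }
}
EOF

if python3 -m json.tool "$tmp" > /dev/null 2>&1; then
  echo "valid JSON"
else
  echo "invalid JSON"
fi
rm -f "$tmp"
```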
Search Language and Queries
Basic Search Syntax
```bash
# Simple keyword search
error

# Field-based search
_sourceCategory=prod/web/access

# Time range search
_sourceCategory=prod/web/access | where _messageTime > now() - 1h

# Boolean operators
error AND (database OR connection)
error NOT timeout
(status_code=500 OR status_code=404)

# Wildcard searches
error*
*connection*
user_id=12345*
```
Advanced Search Operations
```bash
# Parse and extract fields (Apache combined log format)
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * * \"*\" \"*\"" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size, referer, user_agent

# Regular expression parsing (the named-capture pattern is an illustrative example)
_sourceCategory=prod/app/logs
| parse regex "(?<user>\S+) logged in from (?<src_ip>\d+\.\d+\.\d+\.\d+)"

# JSON parsing
_sourceCategory=prod/api/logs
| json field=_raw "user_id" as user_id
| json field=_raw "action" as action
| json field=_raw "timestamp" as event_time

# CSV parsing
_sourceCategory=prod/data/csv
| csv _raw extract 1 as user_id, 2 as action, 3 as timestamp
```
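The `*` in a Sumo `parse` expression is a wildcard capture. The same extraction can be prototyped locally with awk before committing to a query - here against an invented Apache-style sample line:

```shell
#!/bin/sh
# Prototype of the wildcard extraction using awk on a sample access-log
# line (the sample line is invented for illustration).
line='203.0.113.7 - alice [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326'

# Extract src_ip, method, url, status_code, size - the same field names
# the Sumo queries above use.
printf '%s\n' "$line" | awk '{
  gsub(/"/, "", $6)            # strip the quote from the method field
  print "src_ip=" $1
  print "method=" $6
  print "url=" $7
  print "status_code=" $9
  print "size=" $10
}'
```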
Aggregation and Statistics
```bash
# Count operations
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| count by status_code

# Sum and average
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| sum(size) as total_bytes, avg(size) as avg_bytes by src_ip

# Timeslice aggregation
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| timeslice 1m
| count by _timeslice, status_code

# Percentile calculations
_sourceCategory=prod/app/performance
| parse "response_time=*" as response_time
| pct(response_time, 50, 90, 95, 99) by service_name
```
Data Transformation
```bash
# Field manipulation
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| if(status_code matches "2*", "success", "error") as result_type
| if(size > 1000000, "large", "normal") as file_size_category

# String operations
_sourceCategory=prod/app/logs
| parse "user=*" as user_id
| toUpperCase(user_id) as user_id_upper
| toLowerCase(user_id) as user_id_lower
| substring(user_id, 0, 3) as user_prefix

# Date and time operations
_sourceCategory=prod/app/logs
| parse "timestamp=*" as event_time
| parseDate(event_time, "yyyy-MM-dd HH:mm:ss") as parsed_time
| formatDate(parsed_time, "yyyy-MM-dd") as date_only
| formatDate(parsed_time, "HH:mm:ss") as time_only
```
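The parseDate/formatDate pair has a rough local equivalent in GNU `date`, which is handy for sanity-checking format strings before putting them into a query (assumes GNU coreutils; the timestamp is a sample value):

```shell
#!/bin/sh
# Local equivalent of parseDate/formatDate using GNU date.
event_time="2023-10-10 13:55:36"

date_only=$(date -u -d "$event_time" +%Y-%m-%d)
time_only=$(date -u -d "$event_time" +%H:%M:%S)

echo "date_only=$date_only"
echo "time_only=$time_only"
```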
Metrics and Monitoring
Metrics Collection
```bash
# Host metrics collection
{
  "source": {
    "name": "Host Metrics",
    "category": "prod/infrastructure/metrics",
    "sourceType": "SystemStats",
    "interval": 60000,
    "hostName": "web-server-01"
  }
}

# Custom metrics via HTTP
curl -X POST https://endpoint.collection.sumologic.com/receiver/v1/http/

# Application metrics (Prometheus exposition format)
curl -X POST https://endpoint.collection.sumologic.com/receiver/v1/http/ \
  -d "# TYPE http_requests_total counter
http_requests_total{method=\"GET\",status=\"200\"} 1234
http_requests_total{method=\"POST\",status=\"201\"} 567"
```
Metrics Queries
```bash
# Basic metrics query
metric=cpu.usage.percent host=web-01 | avg by host

# Time series aggregation
metric=memory.usage.percent | avg by host | timeslice 5m

# Multiple metrics correlation
(metric=cpu.usage.percent OR metric=memory.usage.percent) host=web-01
| avg by metric, host
| timeslice 1m

# Metrics with thresholds
metric=disk.usage.percent
| where %"disk.usage.percent" > 80
| max by host, mount_point
```
Alerting and Notifications
```bash
# Create a scheduled search alert
{
  "searchName": "High Error Rate Alert",
  "searchDescription": "Alert when error rate exceeds 5%",
  "searchQuery": "_sourceCategory=prod/web/access | parse \"* * * [*] \\\"* * *\\\" * *\" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size | where status_code matches \"5*\" | count as error_count | if(error_count > 100, \"CRITICAL\", \"OK\") as alert_level | where alert_level = \"CRITICAL\"",
  "searchSchedule": {
    "cronExpression": "0 0/5 * * * ?",
    "displayableTimeRange": "-5m",
    "parseableTimeRange": {
      "type": "BeginBoundedTimeRange",
      "from": {
        "type": "RelativeTimeRangeBoundary",
        "relativeTime": "-5m"
      }
    }
  },
  "searchNotification": {
    "taskType": "EmailSearchNotificationSyncDefinition",
    "toList": ["admin@company.com"],
    "subject": "High Error Rate Detected",
    "includeQuery": true,
    "includeResultSet": true,
    "includeHistogram": true
  }
}
```
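The alert's core logic - count 5xx responses and classify against a threshold - can be sketched offline with awk (sample status codes and a lowered threshold, purely for illustration):

```shell
#!/bin/sh
# Sketch of the alert's threshold logic: count 5xx status codes and
# classify the result. Sample status codes are invented.
printf '%s\n' 500 200 503 500 204 | awk '
  /^5/ { errors++ }
  END {
    # Demo threshold of 2, not the 100 used in the real alert above.
    level = (errors > 2) ? "CRITICAL" : "OK"
    print "error_count=" errors " alert_level=" level
  }'
```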
Security and SIEM Capabilities
Security Analytics
```bash
# Failed login detection
_sourceCategory=prod/security/auth
| parse "user=* action=* result=* src_ip=*" as user, action, result, src_ip
| where action = "login" and result = "failed"
| count by user, src_ip
| where _count > 5

# Suspicious network activity
_sourceCategory=prod/network/firewall
| parse "src=* dst=* port=* action=*" as src_ip, dst_ip, dst_port, action
| where action = "blocked"
| count by src_ip, dst_port
| sort by _count desc

# Malware detection
_sourceCategory=prod/security/antivirus
| parse "file=* threat=* action=*" as file_path, threat_name, action
| where action = "quarantined"
| count by threat_name
| sort by _count desc
```
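The failed-login query groups by user and source IP and keeps only counts above a threshold. The same group-count-filter shape, prototyped locally with awk over invented sample events:

```shell
#!/bin/sh
# Local prototype of the failed-login detection: count failures per
# user/src_ip pair and keep only pairs above a threshold.
# All events below are invented samples.
printf '%s\n' \
  'alice 198.51.100.9 failed' \
  'alice 198.51.100.9 failed' \
  'alice 198.51.100.9 failed' \
  'bob 203.0.113.5 failed' |
awk '{ count[$1 " " $2]++ }
     END { for (k in count) if (count[k] > 2) print k, count[k] }'
```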
Threat Intelligence Integration
```bash
# IP reputation lookup
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| lookup type="ip" input="src_ip" output="reputation", "country", "organization"
| where reputation = "malicious"

# Domain reputation analysis
_sourceCategory=prod/dns/logs
| parse "query=* response=*" as domain, ip_address
| lookup type="domain" input="domain" output="category", "reputation"
| where category contains "malware" or reputation = "suspicious"

# File hash analysis
_sourceCategory=prod/security/endpoint
| parse "file_hash=* file_name=*" as file_hash, file_name
| lookup type="hash" input="file_hash" output="malware_family", "first_seen"
| where !isNull(malware_family)
```
Compliance and Audit
```bash
# PCI DSS compliance monitoring
_sourceCategory=prod/payment/logs
| parse "card_number=* transaction_id=* amount=*" as card_number, transaction_id, amount
| where card_number matches "****"
| timeslice 1h
| count by _timeslice

# GDPR data access logging
_sourceCategory=prod/app/audit
| parse "user=* action=* data_type=* record_id=*" as user, action, data_type, record_id
| where data_type = "personal_data" and action = "access"
| count by user, data_type

# SOX financial controls
_sourceCategory=prod/financial/system
| parse "user=* action=* amount=* approval_status=*" as user, action, amount, approval_status
| where amount > 10000 and approval_status != "approved"
| count by user, action
```
Dashboards and Visualizations
Dashboard Creation
```bash
# Create a dashboard via the API
curl -X POST https://api.sumologic.com/api/v1/dashboards \
  -H "Authorization: Basic $CREDENTIALS"
```
Chart Types and Configurations
```bash
# Time series chart
{
  "visualSettings": {
    "general": { "mode": "timeSeries", "type": "line" },
    "series": { "A": { "color": "#1f77b4" } }
  }
}

# Bar chart
{ "visualSettings": { "general": { "mode": "distribution", "type": "bar" } } }

# Pie chart
{ "visualSettings": { "general": { "mode": "distribution", "type": "pie" } } }

# Single value display
{ "visualSettings": { "general": { "mode": "singleValue", "type": "svp" } } }
```
API Integration and Automation
REST API Authentication
```bash
# Generate access credentials
curl -X POST https://api.sumologic.com/api/v1/accessKeys \
  -H "Authorization: Basic $CREDENTIALS"

# Use an access key for authentication
ACCESS_ID="your_access_id"
ACCESS_KEY="your_access_key"
CREDENTIALS=$(echo -n "$ACCESS_ID:$ACCESS_KEY" | base64)

# Test the API connection
curl -X GET https://api.sumologic.com/api/v1/collectors \
  -H "Authorization: Basic $CREDENTIALS"
```
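One common pitfall with Basic auth is a trailing newline slipping into the base64 encoding when `echo` is used without `-n`. A safe sketch using `printf`, with placeholder credentials:

```shell
#!/bin/sh
# Build the Basic auth header the curl examples above expect.
# The access id/key values here are placeholders, not real credentials.
ACCESS_ID="id"
ACCESS_KEY="key"

# printf (not a bare echo) avoids a trailing newline corrupting the encoding.
CREDENTIALS=$(printf '%s' "$ACCESS_ID:$ACCESS_KEY" | base64)
echo "Authorization: Basic $CREDENTIALS"
# -> Authorization: Basic aWQ6a2V5
```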
Search Job Management
```bash
# Create a search job
curl -X POST https://api.sumologic.com/api/v1/search/jobs \
  -H "Authorization: Basic $CREDENTIALS"

# Check search job status
curl -X GET https://api.sumologic.com/api/v1/search/jobs/

# Get search results
curl -X GET https://api.sumologic.com/api/v1/search/jobs/

# Delete a search job
curl -X DELETE https://api.sumologic.com/api/v1/search/jobs/
```
Content Management
```bash
# Export content
curl -X POST https://api.sumologic.com/api/v2/content/

# Import content
curl -X POST https://api.sumologic.com/api/v2/content/folders/

# List folder contents
curl -X GET https://api.sumologic.com/api/v2/content/folders/
```
Performance Optimization
Query Optimization
```bash
# Use specific source categories
_sourceCategory=prod/web/access   # Good
*                                 # Avoid - searches all data

# Limit time ranges
_sourceCategory=prod/web/access | where _messageTime > now() - 1h   # Good
_sourceCategory=prod/web/access                                     # Avoid - searches the entire time range

# Filter early: put keywords in the search scope before parsing
_sourceCategory=prod/web/access 500
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| where status_code = "500"

# Less efficient: parse everything, then filter
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| where status_code = "500"
```
Data Volume Management
```bash
# Monitor data volume
_index=sumologic_volume
| where _sourceCategory matches "*"
| sum(sizeInBytes) as totalBytes by _sourceCategory
| sort by totalBytes desc

# Set up data volume alerts
_index=sumologic_volume
| where _sourceCategory = "prod/web/access"
| sum(sizeInBytes) as dailyBytes
| where dailyBytes > 10000000000   # 10GB threshold

# Optimize collection with exclusion filters
{
  "source": {
    "name": "Optimized Log Source",
    "category": "prod/app/logs",
    "pathExpression": "/var/log/myapp/*.log",
    "sourceType": "LocalFile",
    "filters": [
      {
        "filterType": "Exclude",
        "name": "Exclude Debug Logs",
        "regexp": ".*DEBUG.*"
      }
    ]
  }
}
```
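An Exclude filter with a `DEBUG` regex behaves like `grep -v` over the incoming lines. A quick local approximation, useful for estimating how much volume such a filter would drop (sample log lines invented):

```shell
#!/bin/sh
# Approximate the effect of an Exclude filter on DEBUG lines with grep -v.
printf '%s\n' 'INFO start' 'DEBUG cache miss' 'ERROR timeout' | grep -v 'DEBUG'
```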
Troubleshooting and Best Practices
Common Issues
```bash
# Check collector connectivity
curl -v https://collectors.sumologic.com/receiver/v1/http/

# Verify data ingestion for a source category
_sourceCategory=<your_category>

# Debug parsing issues (nodrop keeps messages that fail to parse)
_sourceCategory=prod/app/logs
| limit 10
| parse "timestamp=*" as event_time nodrop
| where isNull(event_time)

# Monitor search performance
_index=sumologic_search_usage
| where query_user = "your_username"
| avg(scan_bytes), avg(execution_time_ms) by query_user
```
Security Best Practices
```bash
# Implement role-based access control
{
  "roleName": "Security Analyst",
  "description": "Read-only access to security logs",
  "filterPredicate": "_sourceCategory=prod/security/*",
  "capabilities": [
    "viewCollectors",
    "searchAuditIndex"
  ]
}

# Set up audit logging
_index=sumologic_audit
| where event_name = "SearchQueryExecuted"
| count by user_name, source_ip
| sort by _count desc

# Monitor privileged access
_index=sumologic_audit
| where event_name matches "*Admin*"
| count by user_name, event_name
| sort by _count desc
```
Performance Monitoring
```bash
# Monitor search performance
_index=sumologic_search_usage
| avg(scan_bytes) as avg_scan_bytes, avg(execution_time_ms) as avg_execution_time
| sort by avg_execution_time desc

# Track data ingestion rates
_index=sumologic_volume
| timeslice 1h
| sum(messageCount) as messages_per_hour by _timeslice
| sort by _timeslice desc

# Monitor collector health
_sourceCategory=sumo/collector/health
| parse "status=*" as collector_status
| count by collector_status, _sourceHost
| where collector_status != "healthy"
```
Resources
- Sumo Logic Documentation
- Sumo Logic Community
- Search Query Language Reference
- Best Practices Guide