# Sumo Logic Cheatsheet
Sumo Logic is a cloud-native machine data analytics platform that delivers real-time insight into application, infrastructure and security data. Delivered as Software-as-a-Service (SaaS), Sumo Logic lets organizations collect, search and analyze massive volumes of structured and unstructured data across their entire technology stack, providing comprehensive visibility for operational intelligence, security monitoring and business analytics.
## Overview
### Core Architecture
Sumo Logic runs on a multi-tenant, cloud-native architecture designed for massive scale and real-time processing. The platform consists of several key components that work together to provide comprehensive data analytics capabilities.
The data collection layer uses lightweight collectors, deployed either as installed collectors on individual systems or as hosted collectors that receive data through HTTP endpoints. These collectors support a wide range of data sources, including log files, metrics, traces and custom applications, via APIs and webhooks.
The data processing engine performs real-time parsing, enrichment and indexing of incoming data streams. Sumo Logic's proprietary search technology enables sub-second query performance across data sets, while machine learning algorithms automatically detect patterns, anomalies and trends in the data.
### Key Features
Core Platform Capabilities:
- Real-time log analytics and search
- Metrics monitoring and alerting
- Security information and event management (SIEM)
- Application performance monitoring (APM)
- Infrastructure monitoring
- Compliance and audit reporting
- Machine learning and predictive analytics
- Custom dashboards and visualizations
## Data Collection and Sources
### Installed Collectors
```bash
# Download and install collector (Linux); <ACCESS_ID> and <ACCESS_KEY> are placeholders for your credentials
wget https://collectors.sumologic.com/rest/download/linux/64 -O SumoCollector.sh
sudo bash SumoCollector.sh -q -Vsumo.accessid=<ACCESS_ID> -Vsumo.accesskey=<ACCESS_KEY>

# Install as service
sudo /opt/SumoCollector/collector install
sudo /opt/SumoCollector/collector start

# Check collector status
sudo /opt/SumoCollector/collector status

# View collector logs
tail -f /opt/SumoCollector/logs/collector.log
```
### Hosted Collectors
```bash
# Create HTTP source endpoint (<COLLECTOR_ID> and <BASE64_CREDENTIALS> are placeholders)
curl -X POST https://api.sumologic.com/api/v1/collectors/<COLLECTOR_ID>/sources \
  -H "Authorization: Basic <BASE64_CREDENTIALS>" \
  -H "Content-Type: application/json" \
  -d '{"source": {"name": "HTTP Logs", "category": "prod/app/http", "sourceType": "HTTP"}}'

# Send data to HTTP endpoint (<UNIQUE_TOKEN> is the token in the source URL returned above)
curl -X POST https://endpoint.collection.sumologic.com/receiver/v1/http/<UNIQUE_TOKEN> \
  -H "Content-Type: text/plain" \
  -d "sample log line"
```
### Data Collection
```bash
# Configure local file source
{ "source": { "name": "Application Logs", "category": "prod/app/logs",
              "pathExpression": "/var/log/myapp/*.log", "sourceType": "LocalFile",
              "multilineProcessingEnabled": true, "useAutolineMatching": true } }

# Configure remote file source
{ "source": { "name": "Remote Syslog", "category": "prod/system/syslog",
              "protocol": "UDP", "port": 514, "sourceType": "Syslog" } }
```
## Search Language and Queries
### Basic Search Syntax
```bash
# Simple keyword search
error

# Field-based search
_sourceCategory=prod/web/access

# Time range search
_sourceCategory=prod/web/access | where _messageTime > now() - 1h

# Boolean operators
error AND (database OR connection)
error NOT timeout
(status_code=500 OR status_code=404)

# Wildcard searches
error*
connection user_id=12345*
```
### Advanced Search Operations
```bash
# Parse and extract fields (Apache combined log format; each * is one captured field)
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * * \"*\" \"*\"" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size, referer, user_agent

# Regular expression parsing
_sourceCategory=prod/app/logs
|parse regex "(?

# JSON parsing
_sourceCategory=prod/api/logs
| json field=_raw "user_id" as user_id
| json field=_raw "action" as action
| json field=_raw "timestamp" as event_time

# CSV parsing
_sourceCategory=prod/data/csv
| csv _raw extract 1 as user_id, 2 as action, 3 as timestamp
```
### Aggregation and Statistics
```bash
# Count operations
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| count by status_code

# Sum and average
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| sum(size) as total_bytes, avg(size) as avg_bytes by src_ip

# Timeslice aggregation
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| timeslice 1m
| count by _timeslice, status_code

# Percentile calculations
_sourceCategory=prod/app/performance
| parse "response_time=*" as response_time
| pct(response_time, 50, 90, 95, 99) by service_name
```
### Data Transformation
```bash
# Field manipulation
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| if(status_code matches "2*", "success", "error") as result_type
| if(size > 1000000, "large", "normal") as file_size_category

# String operations
_sourceCategory=prod/app/logs
| parse "user=*" as user_id
| toUpperCase(user_id) as user_id_upper
| toLowerCase(user_id) as user_id_lower
| substring(user_id, 0, 3) as user_prefix

# Date and time operations
_sourceCategory=prod/app/logs
| parse "timestamp=*" as event_time
| parseDate(event_time, "yyyy-MM-dd HH:mm:ss") as parsed_time
| formatDate(parsed_time, "yyyy-MM-dd") as date_only
| formatDate(parsed_time, "HH:mm:ss") as time_only
```
## Metrics and Monitoring
### Metrics Collection
```bash
# Host metrics collection
{ "source": { "name": "Host Metrics", "category": "prod/infrastructure/metrics",
              "sourceType": "SystemStats", "interval": 60000, "hostName": "web-server-01" } }

# Custom metrics via HTTP (<UNIQUE_TOKEN> is the token from the HTTP source URL; Graphite format shown)
curl -X POST https://endpoint.collection.sumologic.com/receiver/v1/http/<UNIQUE_TOKEN> \
  -H "Content-Type: application/vnd.sumologic.graphite" \
  -d "prod.web-01.cpu.usage.percent 42.5 1700000000"

# Application metrics (Prometheus exposition format)
curl -X POST https://endpoint.collection.sumologic.com/receiver/v1/http/<UNIQUE_TOKEN> \
  -H "Content-Type: application/vnd.sumologic.prometheus" \
  -d '# TYPE http_requests_total counter
http_requests_total{method="GET",status="200"} 1234
http_requests_total{method="POST",status="201"} 567'
```
### Metrics Queries
```bash
# Basic metrics query
metric=cpu.usage.percent host=web-01 | avg by host

# Time series aggregation
metric=memory.usage.percent | avg by host | timeslice 5m

# Multiple metrics correlation
(metric=cpu.usage.percent OR metric=memory.usage.percent) host=web-01 | avg by metric, host | timeslice 1m

# Metrics with thresholds
metric=disk.usage.percent | where %"disk.usage.percent" > 80 | max by host, mount_point
```
### Alerting and Notifications
```bash
# Create scheduled search alert
{
  "searchName": "High Error Rate Alert",
  "searchDescription": "Alert when error rate exceeds 5%",
  "searchQuery": "_sourceCategory=prod/web/access | parse \"* * * [*] \\\"* * *\\\" * *\" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size | where status_code matches \"5*\" | count as error_count | if(error_count > 100, \"CRITICAL\", \"OK\") as alert_level | where alert_level = \"CRITICAL\"",
  "searchSchedule": {
    "cronExpression": "0 */5 * * * ? *",
    "displayableTimeRange": "-5m",
    "parseableTimeRange": {
      "type": "BeginBoundedTimeRange",
      "from": { "type": "RelativeTimeRangeBoundary", "relativeTime": "-5m" }
    }
  },
  "searchNotification": {
    "taskType": "EmailSearchNotificationSyncDefinition",
    "toList": ["admin@company.com"],
    "subject": "High Error Rate Detected",
    "includeQuery": true,
    "includeResultSet": true,
    "includeHistogram": true
  }
}
```
## Security and SIEM Capabilities
### Security Analytics
```bash
# Failed login detection
_sourceCategory=prod/security/auth
| parse "user=* action=* result=* src_ip=*" as user, action, result, src_ip
| where action = "login" and result = "failed"
| count by user, src_ip
| where _count > 5

# Suspicious network activity
_sourceCategory=prod/network/firewall
| parse "src=* dst=* port=* action=*" as src_ip, dst_ip, dst_port, action
| where action = "blocked"
| count by src_ip, dst_port
| sort by _count desc

# Malware detection
_sourceCategory=prod/security/antivirus
| parse "file=* threat=* action=*" as file_path, threat_name, action
| where action = "quarantined"
| count by threat_name
| sort by _count desc
```
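The failed-login query above, replayed in Python over constructed log lines, as an added example that is not code from the page or from Sumo Logic. It models the parse anchor operator from the Advanced Search Operations section (assumed semantics: each `*` captures up to the next literal, a trailing `*` captures to the end of the message, non-matching messages are dropped) and then applies the count-and-threshold logic, so a detection can be checked against sample data before it is scheduled.

```python
import re
from collections import Counter

# Constructed sample auth log lines (not from the page) in the layout the
# cheatsheet's "user=* action=* result=* src_ip=*" anchor expects; the last
# line deliberately does not match, to show that parse drops such messages.
SAMPLE_AUTH_LOGS = (
    [f"2024-01-01T10:00:{s:02d}Z user=alice action=login result=failed src_ip=203.0.113.5"
     for s in range(6)]
    + ["2024-01-01T10:01:00Z user=bob action=login result=failed src_ip=198.51.100.7"] * 2
    + ["2024-01-01T10:02:00Z user=alice action=login result=success src_ip=203.0.113.5",
       "2024-01-01T10:03:00Z sshd: connection closed by 192.0.2.9"]
)

def anchor_to_regex(anchor):
    """Model of a Sumo Logic parse anchor (assumed semantics): literal text is
    matched verbatim, each '*' captures up to the next literal, and a trailing
    '*' captures to the end of the message."""
    body = "(.*?)".join(re.escape(part) for part in anchor.split("*"))
    if anchor.endswith("*"):
        body = body[:-len("(.*?)")] + "(.*)"
    return re.compile(body)

def parse(messages, anchor, fields):
    """Equivalent of `| parse "<anchor>" as f1, f2, ...`: one dict per matching
    message; non-matching messages are dropped, as Sumo does without nodrop."""
    regex = anchor_to_regex(anchor)
    for raw in messages:
        match = regex.search(raw)
        if match:
            yield dict(zip(fields, match.groups()))

def detect_failed_logins(messages, threshold=5):
    """Mirror of the failed-login query: parse, keep login failures,
    count by (user, src_ip), keep only groups above the threshold."""
    rows = parse(messages, "user=* action=* result=* src_ip=*",
                 ["user", "action", "result", "src_ip"])
    counts = Counter((r["user"], r["src_ip"]) for r in rows
                     if r["action"] == "login" and r["result"] == "failed")
    return {key: n for key, n in counts.items() if n > threshold}

if __name__ == "__main__":
    for (user, ip), n in detect_failed_logins(SAMPLE_AUTH_LOGS).items():
        print(f"{user} from {ip}: {n} failed logins")
```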
### Threat Intelligence Integration
```bash
# IP reputation lookup
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| lookup type="ip" input="src_ip" output="reputation", "country", "organization"
| where reputation = "malicious"

# Domain reputation analysis
_sourceCategory=prod/dns/logs
| parse "query=* response=*" as domain, ip_address
| lookup type="domain" input="domain" output="category", "reputation"
| where category contains "malware" or reputation = "suspicious"

# File hash analysis
_sourceCategory=prod/security/endpoint
| parse "file_hash=* file_name=*" as file_hash, file_name
| lookup type="hash" input="file_hash" output="malware_family", "first_seen"
| where isNotNull(malware_family)
```
### Compliance and Audit
```bash
# PCI DSS compliance monitoring
_sourceCategory=prod/payment/logs
| parse "card_number=* transaction_id=* amount=*" as card_number, transaction_id, amount
| where card_number matches "****"
| timeslice 1h
| count by _timeslice

# GDPR data access logging
_sourceCategory=prod/app/audit
| parse "user=* action=* data_type=* record_id=*" as user, action, data_type, record_id
| where data_type = "personal_data" and action = "access"
| count by user, data_type

# SOX financial controls
_sourceCategory=prod/financial/system
| parse "user=* action=* amount=* approval_status=*" as user, action, amount, approval_status
| where amount > 10000 and approval_status != "approved"
| count by user, action
```
## Dashboards and Visualizations
### Dashboard Creation
```bash
# Create dashboard via API (<BASE64_CREDENTIALS> is a placeholder; dashboard.json holds the dashboard definition)
curl -X POST https://api.sumologic.com/api/v1/dashboards \
  -H "Authorization: Basic <BASE64_CREDENTIALS>" \
  -H "Content-Type: application/json" \
  -d @dashboard.json
```
### Chart Types and Configurations
```bash
# Time series chart
{ "visualSettings": { "general": { "mode": "timeSeries", "type": "line" },
                      "series": { "A": { "color": "#1f77b4" } } } }

# Bar chart
{ "visualSettings": { "general": { "mode": "distribution", "type": "bar" } } }

# Pie chart
{ "visualSettings": { "general": { "mode": "distribution", "type": "pie" } } }

# Single value display
{ "visualSettings": { "general": { "mode": "singleValue", "type": "svp" } } }
```
## API Integration and Automation
### REST API Authentication
```bash
# Generate access credentials (<BASE64_CREDENTIALS> is a placeholder for an existing credential)
curl -X POST https://api.sumologic.com/api/v1/accessKeys \
  -H "Authorization: Basic <BASE64_CREDENTIALS>" \
  -H "Content-Type: application/json" \
  -d '{"label": "automation-key"}'

# Use access key for authentication
ACCESS_ID="your_access_id"
ACCESS_KEY="your_access_key"
CREDENTIALS=$(echo -n "$ACCESS_ID:$ACCESS_KEY" | base64)

# Test API connection
curl -X GET https://api.sumologic.com/api/v1/collectors \
  -H "Authorization: Basic $CREDENTIALS"
```
### Search Job Management
```bash
# Create search job (<JOB_ID> in the following calls is the "id" returned by this request)
curl -X POST https://api.sumologic.com/api/v1/search/jobs \
  -H "Authorization: Basic $CREDENTIALS" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{"query": "_sourceCategory=prod/web/access | count by status_code", "from": "2024-01-01T00:00:00", "to": "2024-01-01T01:00:00", "timeZone": "UTC"}'

# Check search job status
curl -X GET https://api.sumologic.com/api/v1/search/jobs/<JOB_ID> \
  -H "Authorization: Basic $CREDENTIALS" -H "Accept: application/json"

# Get search results
curl -X GET "https://api.sumologic.com/api/v1/search/jobs/<JOB_ID>/messages?offset=0&limit=100" \
  -H "Authorization: Basic $CREDENTIALS" -H "Accept: application/json"

# Delete search job
curl -X DELETE https://api.sumologic.com/api/v1/search/jobs/<JOB_ID> \
  -H "Authorization: Basic $CREDENTIALS"
```
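The create, poll, fetch, delete lifecycle of the curl calls above, written as an added Python client (not Sumo Logic's own SDK or code from the page). It assumes the Search Job API responses carry an `id`, a `state` with `messageCount`, and `messages[].map`; the transport function is injectable so the flow can be exercised offline, and the job is deleted even when the search fails.

```python
import base64
import json
import time
import urllib.request

API_BASE = "https://api.sumologic.com/api/v1"  # endpoint used throughout the cheatsheet
TERMINAL_STATES = {"DONE GATHERING RESULTS", "CANCELLED", "FORCE PAUSED"}  # assumed state names
PAGE_SIZE = 1000  # messages fetched per request

def basic_auth_header(access_id, access_key):
    """Same Basic credential the cheatsheet builds with `echo -n ... | base64`."""
    token = base64.b64encode(f"{access_id}:{access_key}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def http_json(method, url, headers, body=None):
    """Default transport: JSON request in, decoded JSON (or {}) out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        **headers, "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}

def run_search(query, from_ts, to_ts, headers, transport=http_json,
               poll_seconds=2.0, max_polls=150):
    """Create the job, poll until a terminal state, page through the
    messages, and always delete the job (the server otherwise keeps it)."""
    job = transport("POST", f"{API_BASE}/search/jobs", headers,
                    {"query": query, "from": from_ts, "to": to_ts, "timeZone": "UTC"})
    job_url = f"{API_BASE}/search/jobs/{job['id']}"
    try:
        for _ in range(max_polls):
            status = transport("GET", job_url, headers)
            if status["state"] in TERMINAL_STATES:
                break
            time.sleep(poll_seconds)
        else:
            raise TimeoutError("search job did not reach a terminal state")
        if status["state"] != "DONE GATHERING RESULTS":
            raise RuntimeError(f"search job ended in state {status['state']}")
        messages, total = [], status.get("messageCount", 0)
        while len(messages) < total:
            page = transport("GET", f"{job_url}/messages?offset={len(messages)}&limit={PAGE_SIZE}", headers)
            if not page.get("messages"):
                break  # defensive: stop if the server returns an empty page
            messages.extend(m["map"] for m in page["messages"])
        return messages
    finally:
        transport("DELETE", job_url, headers)
```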
### Content Management
```bash
# Export content (<CONTENT_ID> and <FOLDER_ID> are placeholders; export and import run as asynchronous jobs)
curl -X POST https://api.sumologic.com/api/v2/content/<CONTENT_ID>/export \
  -H "Authorization: Basic $CREDENTIALS" -H "Accept: application/json"

# Import content
curl -X POST https://api.sumologic.com/api/v2/content/folders/<FOLDER_ID>/import \
  -H "Authorization: Basic $CREDENTIALS" -H "Content-Type: application/json" \
  -d @content.json

# List folder contents
curl -X GET https://api.sumologic.com/api/v2/content/folders/<FOLDER_ID> \
  -H "Authorization: Basic $CREDENTIALS" -H "Accept: application/json"
```
## Performance Optimization
### Query Optimization
```bash
# Use specific source categories
_sourceCategory=prod/web/access   # Good
*                                 # Avoid - searches all data

# Limit time ranges
_sourceCategory=prod/web/access | where _messageTime > now() - 1h   # Good
_sourceCategory=prod/web/access                                     # Avoid - searches all time

# Use early filtering
_sourceCategory=prod/web/access 500   # Good - a keyword term narrows the scan before any parsing
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| where status_code = "500"

# Optimize parsing
_sourceCategory=prod/web/access
| parse "* * * [*] \"* * *\" * *" as src_ip, ident, user, timestamp, method, url, protocol, status_code, size
| where status_code = "500"   # Less efficient - every message is parsed, then filtered
```
### Data Volume Management
```bash
# Monitor data volume
_index=sumologic_volume
| where _sourceCategory matches "*"
| sum(sizeInBytes) as totalBytes by _sourceCategory
| sort by totalBytes desc

# Set up data volume alerts
_index=sumologic_volume
| where _sourceCategory = "prod/web/access"
| sum(sizeInBytes) as dailyBytes
| where dailyBytes > 10000000000   # 10GB threshold

# Optimize collection
{ "source": { "name": "Optimized Log Source", "category": "prod/app/logs",
              "pathExpression": "/var/log/myapp/*.log", "sourceType": "LocalFile",
              "filters": [ { "filterType": "Exclude", "name": "Exclude Debug Logs", "regexp": ".*DEBUG.*" } ] } }
```
## Troubleshooting and Best Practices
### Common Issues
```bash
# Check collector connectivity (<UNIQUE_TOKEN> is the token from the HTTP source URL)
curl -v https://collectors.sumologic.com/receiver/v1/http/<UNIQUE_TOKEN>

# Verify data ingestion (<YOUR_CATEGORY> is the source category being checked)
_sourceCategory=<YOUR_CATEGORY>

# Debug parsing issues (nodrop keeps messages the anchor does not match, so isNull() can find them)
_sourceCategory=prod/app/logs
| limit 10
| parse "timestamp=*" as event_time nodrop
| where isNull(event_time)

# Monitor search performance
_index=sumologic_search_usage
| where query_user = "your_username"
| avg(scan_bytes), avg(execution_time_ms) by query_user
```
### Security Best Practices
```bash
# Implement role-based access control
{ "roleName": "Security Analyst", "description": "Read-only access to security logs",
  "filterPredicate": "_sourceCategory=prod/security/*",
  "capabilities": [ "viewCollectors", "searchAuditIndex" ] }

# Set up audit logging
_index=sumologic_audit
| where event_name = "SearchQueryExecuted"
| count by user_name, source_ip
| sort by _count desc

# Monitor privileged access
_index=sumologic_audit
| where event_name matches "*Admin*"
| count by user_name, event_name
| sort by _count desc
```
### Performance Monitoring
```bash
# Monitor search performance
_index=sumologic_search_usage
| avg(scan_bytes) as avg_scan_bytes, avg(execution_time_ms) as avg_execution_time
| sort by avg_execution_time desc

# Track data ingestion rates
_index=sumologic_volume
| timeslice 1h
| sum(messageCount) as messages_per_hour by _timeslice
| sort by _timeslice desc

# Monitor collector health
_sourceCategory=sumo/collector/health
| parse "status=*" as collector_status
| count by collector_status, _sourceHost
| where collector_status != "healthy"
```
## Resources
- Sumo Logic Documentation
- Sumo Logic Community
- Search Query Language Reference
- Best Practices Guide