Sumo Logic connector
The Sumo Logic connector is a P0 production connector that forwards Arbitex audit events to Sumo Logic via the HTTP Source endpoint. Events are sent as NDJSON (newline-delimited JSON) with Sumo-specific metadata headers for source categorization.
How it works
- Events are accumulated in an internal buffer (up to 100 events or 5 seconds, whichever comes first).
- Batches are sent as NDJSON to the HTTP Source URL via POST. Each event is a single JSON object on its own line.
- Authentication is embedded in the HTTP Source URL itself — no separate `Authorization` header is required.
- Metadata headers identify the source in Sumo Logic:
  - `X-Sumo-Category` — source category (default: `arbitex/audit`)
  - `X-Sumo-Name` — source name (default: `arbitex-platform`)
  - `X-Sumo-Host` — source host (system hostname)
- On HTTP 429 or 503, the connector retries with exponential backoff (up to `max_retries` attempts).
- Failed batches are written to a dead letter JSONL file.
- The health check sends an empty POST to the HTTP Source URL. A 200 response reports Healthy; a 4xx response reports Degraded (typically an expired or invalid URL).
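The batching, retry and dead-letter behaviour described above, together with the batch replay covered under "Dead letter recovery" later on this page, as an added Python example (not the connector's own code). The HTTP call is abstracted as a `post(body, headers)` callable so the logic runs offline; the sample events and the hostname `app-01` are constructed.

```python
import json
import time
from typing import Callable, Dict, Iterable, List
# Constructed sample OCSF-style events (field names follow the page's extraction rule)
SAMPLE_EVENTS = [
    {"class_uid": 3002, "time": 1741564800000, "severity_id": 1, "message": "login ok",
     "actor": {"user": {"uid": "usr_01HZ_ALICE"}}, "api": {"operation": "login"}},
    {"class_uid": 2001, "time": 1741564801000, "severity_id": 4, "message": "DLP finding",
     "api": {"operation": "dlp_finding"}},
]

def sumo_headers(category="arbitex/audit", name="arbitex-platform", host="app-01"):
    # Content type plus the three X-Sumo metadata headers; "app-01" is a constructed hostname
    return {"Content-Type": "application/x-ndjson", "X-Sumo-Category": category,
            "X-Sumo-Name": name, "X-Sumo-Host": host}

def to_ndjson(events: Iterable[dict]) -> str:
    # One compact JSON object per line, so Sumo's multiline processing can stay off
    return "".join(json.dumps(e, separators=(",", ":")) + "\n" for e in events)

def send_batch(events: List[dict], post: Callable[[str, Dict[str, str]], int],
               dead_letter: Callable[[dict], None], max_retries: int = 3,
               sleep: Callable[[float], None] = time.sleep) -> bool:
    """post(body, headers) performs the HTTP POST and returns the status code
    (hypothetical stand-in for a real HTTP client); dead_letter receives one
    record per event once the batch is given up on."""
    body = to_ndjson(events)
    for attempt in range(max_retries + 1):
        status = post(body, sumo_headers())
        if status == 200:
            return True
        if status not in (429, 503) or attempt == max_retries:
            break  # non-transient error, or retries exhausted
        sleep(2 ** attempt)  # exponential backoff: 1s, 2s, 4s, ...
    for event in events:  # same record shape as the dead letter JSONL file
        dead_letter({"event": event, "error": f"HTTP {status}",
                     "connector": "sumo_logic", "timestamp": time.time()})
    return False

def replay_dead_letters(lines: Iterable[str], post: Callable[[str, Dict[str, str]], int],
                        batch_size: int = 100) -> int:
    """Re-send dead-lettered records (one JSON object per line) in batches; returns events accepted."""
    events = [json.loads(line)["event"] for line in lines if line.strip()]
    accepted = 0
    for start in range(0, len(events), batch_size):
        chunk = events[start:start + batch_size]
        if post(to_ndjson(chunk), sumo_headers()) == 200:
            accepted += len(chunk)
    return accepted
```

Unlike the single-POST `jq | curl` replay shown later, `replay_dead_letters` honours a batch size, which matters when the dead letter file has accumulated more than one batch worth of events.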
Configuration
| Variable | Required | Default | Description |
|---|---|---|---|
| `SUMO_HTTP_SOURCE_URL` | Yes | — | Sumo Logic HTTP Source endpoint URL. Authentication is embedded in the URL by Sumo Logic. |
| `SUMO_SOURCE_CATEGORY` | No | `arbitex/audit` | Source category metadata. Used for partitioning and field extraction rules. |
| `SUMO_SOURCE_NAME` | No | `arbitex-platform` | Source name metadata. |
| `SUMO_SOURCE_HOST` | No | system hostname | Source host metadata. Defaults to the running system’s hostname. |
| `SUMO_BATCH_SIZE` | No | 100 | Maximum events per batch send. |
| `SUMO_FLUSH_INTERVAL` | No | 5 | Maximum seconds between buffer flushes. |
| `SUMO_MAX_RETRIES` | No | 3 | Maximum retry attempts on transient failures. |
| `SUMO_DEAD_LETTER_PATH` | No | `/var/log/arbitex/sumo_dead_letter.jsonl` | Path for dead letter JSONL fallback. |
Sumo Logic setup
Step 1 — Create a Hosted Collector
- Log in to the Sumo Logic portal.
- Go to Manage Data → Collection → Collection.
- Click Add Collector.
- Select Hosted Collector and give it a name (e.g., `arbitex-audit`).
- Click Save.
Step 2 — Add an HTTP Source
- In the collector you just created, click Add Source.
- Select HTTP Logs & Metrics.
- Configure the source:
  - Name: `arbitex-ocsf`
  - Source Category: `arbitex/audit` (should match `SUMO_SOURCE_CATEGORY`)
  - Enable Multiline Processing: Off (Arbitex sends one JSON object per line)
  - Content Type: `application/x-ndjson`
- Click Save.
- Copy the Source URL that Sumo Logic displays — this is your `SUMO_HTTP_SOURCE_URL`. The URL contains the collector authentication token. Treat it as a secret.
Step 3 — Configure the connector
Set the environment variables:

```sh
SUMO_HTTP_SOURCE_URL="https://endpoint4.collection.us2.sumologic.com/receiver/v1/http/ZaVnC4dhaV2..."
SUMO_SOURCE_CATEGORY="arbitex/audit"
SUMO_SOURCE_NAME="arbitex-platform"
```

Step 4 — Create a field extraction rule (recommended)
Sumo Logic can parse the OCSF JSON automatically using a field extraction rule:
- Go to Manage Data → Logs → Field Extraction Rules.
- Click Add Rule.
- Configure:
  - Rule Name: `Arbitex OCSF Parser`
  - Scope: `_sourceCategory=arbitex/audit`
  - Parse Expression: `json field=_raw "class_uid","time","severity_id","message","actor.user.uid","actor.user.org_uid","api.operation"`
- Click Save.

After the rule is active, OCSF fields are available as indexed fields in Log Search and Dashboards.
HTTP Source URL security
The Sumo Logic HTTP Source URL contains embedded authentication credentials. Treat it with the same care as an API key:
- Store it as a secret (Kubernetes secret, HashiCorp Vault, AWS Secrets Manager) — do not commit it to source control.
- The URL can be regenerated in the Sumo Logic portal if it is compromised: go to the HTTP Source settings and click Regenerate URL. Update `SUMO_HTTP_SOURCE_URL` in your deployment after regeneration.
Verifying the connector
In the Arbitex admin UI, go to Admin → SIEM. The Sumo Logic connector row shows:
- Healthy — empty POST to the HTTP Source URL returned 200
- Degraded — HTTP Source returned a 4xx (URL may be expired or invalid)
- Error — connection failed
- Not configured — `SUMO_HTTP_SOURCE_URL` is not set

Click Send test event to send a synthetic OCSF event. In Sumo Logic Log Search:

```
_sourceCategory=arbitex/audit api.operation=siem_test_event
```

The event should appear within a few seconds.
Log Search queries
Once the field extraction rule is active:

```
# All DLP security findings
_sourceCategory=arbitex/audit class_uid=2001

# Auth events for a specific user
_sourceCategory=arbitex/audit class_uid=3002 actor.user.uid=usr_01HZ_ALICE

# High-severity events
_sourceCategory=arbitex/audit severity_id>=4

# Prompt events
_sourceCategory=arbitex/audit api.operation=prompt_sent
```

Dead letter recovery
Failed batches are written to `/var/log/arbitex/sumo_dead_letter.jsonl`. Each line:

```json
{ "event": { ... }, "error": "HTTP 503: Service Unavailable", "connector": "sumo_logic", "timestamp": 1741564800.0 }
```

To replay after the collector is restored:

```sh
jq -c '.event' /var/log/arbitex/sumo_dead_letter.jsonl \
  | curl -s -X POST "$SUMO_HTTP_SOURCE_URL" \
      -H "Content-Type: application/x-ndjson" \
      -H "X-Sumo-Category: arbitex/audit" \
      -H "X-Sumo-Name: arbitex-platform" \
      --data-binary @-
```

See also
- SIEM integration overview — OCSF event format and connector comparison
- Elasticsearch SIEM connector — Bulk API-based connector
- Datadog Logs connector — Logs Intake API v2 connector