We assume you are already familiar with Sumo Logic - a SaaS log management and analytics service. If not, check them out at: http://www.sumologic.com/
This integration is based on the Dome9->AWS SNS integration, with an extra step of forwarding the events from SNS into Sumo. All of the integration components are 100% hosted - so no script needed to be run / maintained by the end user.
Youll need to have access to CloudGuard Dome9, AWS and Sumo logic consoles.
Here are the steps:
- Connect your Dome9 events feed into SNS.
- Verify the Dome9-SNS integration by subscribing an email address to the SNS feed and generating some events in the Dome9 system (log-in / access leases...)
- In Sumo, add a new collector:
- Manage -> Collectors -> Add Collector
- Select 'Hosted Collector'
- Name it with something like 'Dome9 Audit'
- Add desc / category if needed.
- 'Add source' to the newly created collector:
- Type: HTTP
- Name: Dome SNS (or whatever)
- Check: Advanced->Enable 'One Message Per Request
- Copy the HTTP source address presented in the popup.
- Go To AWS SNS console, and select your Dome9 SNS topic. Click 'Create Subscription'
Endpoint: the Sumo endpoint you have just copied
- Click Subscribe. Now, SNS will send a confirmation message to Sumo.
- Go to Sumo Console. You should see the SNS confirmation message. (alternately, search string SubscriptionConfirmation can be used)
Expand this message and copy the SubscribeURL field.
- Open this URL in another browser window. You should see a confirmation message from SNS (in XML format)
- Verify in AWS SNS console that the new subscription status was changed from 'pending' state and now have a valid subscription ID.
- That's it, from now on every CloudGuard Dome9 Audit event will be visible on your Sumo account. Time to create alerts, reports and dashboards.