If you are using Sumo Logic, you can forward alerts from the StackRox Kubernetes Security Platform to Sumo Logic. This guide explains how to integrate the StackRox Kubernetes Security Platform with Sumo Logic.
Integrating with Sumo Logic requires version 2.4.22 or newer. If you are on an older version, see the Upgrade StackRox page for upgrade instructions.
To forward alerts from the StackRox Kubernetes Security Platform to Sumo Logic:
- Add a new Custom App in Sumo Logic, set HTTP source, and get the HTTP URL. See Configure Sumo Logic.
- Use the HTTP URL to integrate Sumo Logic with the StackRox Kubernetes Security Platform. See Configure the StackRox Kubernetes Security Platform.
- Identify policies for which you want to send notifications, and update the notification settings for those policies. See Configure policy notifications.
Use the Setup Wizard to set up Streaming Data and get the HTTP URL.
- Log in to your Sumo Logic Home page and select Setup Wizard.
- Move your cursor over to Set Up Streaming Data and select Get Started.
- On the Select Data Type page, select Your Custom App.
- On the Set Up Collection page, select HTTP Source.
- Enter a name for Source Category (we recommend using “stackrox”) and select Continue.
- Copy the generated URL.
Create a new integration in the StackRox Kubernetes Security Platform by using the HTTP URL.
- Navigate to Platform Configuration > Integrations.
- Under the Plugins section, select Sumo Logic.
- Select the New Integration icon.
- Enter a name for Integration Name.
- Enter the generated HTTP URL in the HTTP Collector Source Address box.
- Select Test (checkmark icon) to test that the integration with Sumo Logic is working.
- Select Create (save icon) to create the configuration.
Enable notifications for the policies whose alerts you want to forward to Sumo Logic.
- Navigate to Platform Configuration > System policies.
- Select the check boxes for one or more policies for which you want to send alerts.
- Select Enable Notifications or Actions > Enable Notification (the label depends on the StackRox Kubernetes Security Platform version you are using).
- In the Enable Notifications dialog, select the check box for the Sumo Logic notifier (it has the same name as the Integration Name you entered). If you haven’t configured any integrations, you’ll see the message “No notifiers configured!” instead.
- Select Enable.
To view the StackRox Kubernetes Security Platform alerts in Sumo Logic:
- Log in to your Sumo Logic Home page and select Log Search.
- In the search box, enter _sourceCategory=stackrox. Make sure to use the same Source Category name that you entered while configuring Sumo Logic.
- Select the time and then select Start.
The StackRox Kubernetes Security Platform sends notifications on an opt-in basis. To receive notifications, you must first assign a notifier to the policy.
Notifications are sent only once for a given alert. Even with a notifier assigned to a policy, you won’t receive another notification unless a violation generates a new alert. The StackRox Kubernetes Security Platform creates a new alert when:
- a policy violation occurs for the first time in a deployment, or
- a runtime-phase policy violation occurs in a deployment after you resolved the previous runtime alert for that policy in that deployment.
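The two rules above decide whether a violation produces a notification in Sumo Logic or is folded into an existing alert. The following added example (not StackRox code) models only those two rules over a constructed event timeline; the deployment and policy names are hypothetical placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One policy event in a deployment.
    kind is 'violation' or 'resolve'; stage is the policy's lifecycle
    stage, 'deploy' or 'runtime'."""
    kind: str
    deployment: str
    policy: str
    stage: str


def notifications_for(events):
    """Return the (deployment, policy) pairs that trigger a notification, in order.
    A notification is sent only when a new alert is created:
      - the first violation of a policy in a deployment, or
      - a runtime violation after the previous runtime alert was resolved.
    Any other violation is attached to the existing alert and sends nothing."""
    alert_state = {}   # (deployment, policy) -> "open" | "resolved"
    sent = []
    for ev in events:
        key = (ev.deployment, ev.policy)
        if ev.kind == "resolve":
            if key in alert_state:
                alert_state[key] = "resolved"
            continue
        if key not in alert_state:
            alert_state[key] = "open"      # first violation in this deployment
            sent.append(key)
        elif ev.stage == "runtime" and alert_state[key] == "resolved":
            alert_state[key] = "open"      # new runtime alert after resolution
            sent.append(key)
        # else: existing alert absorbs the violation, no new notification
    return sent


# Constructed sample timeline (hypothetical names, not real policies).
SAMPLE_EVENTS = [
    Event("violation", "payments-api", "deploy-policy-1", "deploy"),
    Event("violation", "payments-api", "deploy-policy-1", "deploy"),    # same alert, no notification
    Event("violation", "payments-api", "runtime-policy-1", "runtime"),
    Event("violation", "payments-api", "runtime-policy-1", "runtime"),  # same alert, no notification
    Event("resolve",   "payments-api", "runtime-policy-1", "runtime"),
    Event("violation", "payments-api", "runtime-policy-1", "runtime"),  # new alert, notified again
]

if __name__ == "__main__":
    for deployment, policy in notifications_for(SAMPLE_EVENTS):
        print(f"notification -> {deployment}: {policy}")
```

Running it shows three notifications for six events, which is what you should expect to see in the Sumo Logic search for the same timeline.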