Integrating Sumo Logic

Sumo Logic is a cloud-native analytics platform that provides real-time log management, monitoring, and security analytics. It enables organizations to collect, search, and analyze machine data to gain operational and security insights.

This integration enables the Platform to forward JSON-formatted audit event logs to Sumo Logic in real time using HTTPS webhooks. By implementing this integration, administrators can centralize Platform security events in Sumo Logic for correlation and analysis, providing visibility into privileged access activities, authentication events, and security operations.

This integration is agentless and requires no installed software. The Platform must be able to send outbound HTTPS traffic (port 443) to the Sumo Logic collector endpoint.

Prerequisites

Before integrating Sumo Logic with the Platform, ensure the following requirements are met.

Platform

  • The Platform is properly provisioned and configured in your environment.

  • You have administrator permissions for managing webhooks in the Platform.

  • Firewall and network rules allow outbound HTTPS traffic (port 443) from the Platform to Sumo Logic collector endpoints.

Sumo Logic

  • An active Sumo Logic account with appropriate permissions.

  • Manage Collectors role capability to create hosted collectors and sources.

  • Sumo Logic must be accessible via HTTPS on port 443.

Configuration

To enable the integration between Sumo Logic and the Platform, complete the following configuration tasks:

Step 1: Configure Sumo Logic

Before configuring the Platform webhook, you must set up a Sumo Logic Hosted Collector and HTTP Source to receive the incoming event data.

Create a Hosted Collector

  1. Log in to the Sumo Logic console.

  2. Navigate to Data Management > Data Collection > Collection.

  3. Click Add Collector.

  4. Select Hosted Collector.

  5. Configure the collector with the following settings:

    • Name: Enter a descriptive name (for example, Platform Collector).

    • Description: (Optional) Enter a description such as "Receives audit events from the Platform".

    • Category: (Optional) Enter a source category (for example, security/delinea).

  6. Click Save.

For more information about hosted collectors, see Configure a Hosted Collector in the Sumo Logic documentation.

Add an HTTP Logs and Metrics Source

  1. On the Collection page, click Add Source next to your newly created Hosted Collector.

  2. Select HTTP Logs and Metrics.

  3. Configure the source with the following settings:

    • Name: Platform Audit Logs

    • Description: Webhook endpoint for Platform audit events

    • Source Category: webhook/delinea/platform (or your preferred category)

    • Source Host: (Optional) delinea-platform

    • Timestamp Parsing: Enabled (selected by default)

  4. (Optional) If you have Cloud SIEM enabled, select the Forward to SIEM checkbox to send data to Cloud SIEM.

  5. Configure the following HTTP headers for the source:

    • Content-Type: application/json (standard header for JSON-formatted event data)

    • X-Sumo-Category: (Optional) Set to the Source Category value configured in step 3 (for example, webhook/delinea/platform). This header improves log parsing and categorization in Sumo Logic.

  6. Click Save.

  7. Copy the generated HTTP Source URL and save it securely. You will need this URL when configuring the webhook on the Platform.

The HTTP Source URL follows this format: https://endpointX.collection.usX.sumologic.com/receiver/v1/http/<unique_token> where X values and the token are unique to your Sumo Logic environment.

The HTTP Source URL is a unique, presigned endpoint. Keep this URL confidential as it provides direct ingestion access to your Sumo Logic account.

To access the Source URL later, navigate to the Collection page, find your source, and click Show URL.

For more information about HTTP sources, see HTTP Logs and Metrics Source in the Sumo Logic documentation.
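
Because the Source URL carries its own credential, it helps to check that it has not been pasted into places where others can read it. The following Python sketch is an added example, not part of the Platform or Sumo Logic documentation: it scans text such as config exports, tickets, or CI logs for URLs in the format shown above and redacts the token. The token character set and the sample lines are assumptions constructed for illustration.

```python
import re

# Shape taken from the format line above: a sumologic.com host, the
# /receiver/v1/http/ path, then the token. The token alphabet is an
# assumption (URL-safe base64 characters, padding, percent-escapes).
SOURCE_URL = re.compile(
    r"https://(?P<host>[A-Za-z0-9.-]+\.sumologic\.com)"
    r"/receiver/v1/http/(?P<token>[A-Za-z0-9_\-=%]{8,})"
)

def redact(text, keep=4):
    """Replace each token with its first `keep` characters plus a marker."""
    def _mask(m):
        prefix = m["token"][:keep]
        return f"https://{m['host']}/receiver/v1/http/{prefix}...[REDACTED]"
    return SOURCE_URL.sub(_mask, text)

def find_leaks(lines):
    """Return (line_number, redacted_line) for each line exposing a Source URL."""
    return [
        (number, redact(line.rstrip("\n")))
        for number, line in enumerate(lines, start=1)
        if SOURCE_URL.search(line)
    ]

# Constructed sample input: one real-looking URL and one documentation
# placeholder, which must not be reported.
SAMPLE = [
    "webhook.name = Sumo Logic Audit Logs",
    "webhook.url = https://endpoint1.collection.us2.sumologic.com"
    "/receiver/v1/http/ZaVnC4dhaV3constructedTOKEN==",
    "docs: https://endpointX.collection.usX.sumologic.com"
    "/receiver/v1/http/<unique_token>",
]

if __name__ == "__main__":
    for number, line in find_leaks(SAMPLE):
        print(f"line {number}: {line}")
```

The short prefix kept after redaction lets you match a finding to a specific source without exposing the full token.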

Step 2: Configure a Webhook in the Platform

With the Sumo Logic endpoint ready, configure the Platform to forward audit events via webhook.

  1. Log in to the Platform.

  2. Navigate to Settings > General settings > Webhooks.

  3. Click Create Webhook. The Create Webhook page opens.

  4. Complete the following fields:

    • Name: Sumo Logic Audit Logs (or a descriptive name of your choice)

    • Endpoint URL: Paste the Sumo Logic HTTP Source URL copied in Step 1: Configure Sumo Logic.

    • Description: Forwards Platform audit events to Sumo Logic for centralized monitoring

    • Webhook State: Select Enabled.

  5. Under Triggers, select the services and event levels to forward to Sumo Logic. The following table describes the available trigger settings:

    Setting    | Description
    Service    | Select the service(s) to receive notifications from (for example, Secret Management, Identity, Platform). Select All for comprehensive coverage.
    Level      | Choose severity levels: Info, Warning, and/or Error. For a full audit trail, select all three levels.
    Event Type | Select specific event types for granular control, or leave as default for all events.
    Target     | (Optional) Add a specific target to filter events by entity.

  6. (Optional) If your Sumo Logic environment requires additional HTTP headers for categorization, add them under Custom Headers. For example:

    Key             | Value
    X-Sumo-Category | webhook/delinea/platform
    X-Sumo-Name     | delinea-platform-audit

    The Sumo Logic HTTP Source URL is a presigned URL and does not typically require additional authentication headers.

  7. Click Save to create the webhook.

For more information about creating and managing webhooks, see Managing Webhooks.

Verification

After completing the configuration, verify that the Platform is successfully forwarding data to Sumo Logic.

Verify in the Platform

  1. Navigate to Settings > General settings > Webhooks.

  2. Select the Sumo Logic webhook you created.

  3. Click Edit, then open the Actions drop-down menu.

  4. Select Test Webhook. Verify that the test returns a success status.

  5. Select View Webhook Logs to review delivery status. Select a log entry and click View Payload to inspect the JSON that was sent.

Verify in Sumo Logic

  1. Log in to the Sumo Logic console.

  2. Navigate to Log Search.

  3. Run the following query to search for Platform events:

    _sourceCategory="webhook/delinea/platform"

  4. Verify that events appear in the search results.

For real-time validation of incoming data, use the Sumo Logic Live Tail feature. For more information about querying and analyzing data in Sumo Logic, see the Sumo Logic documentation.

Webhook Payload Examples

The Platform delivers audit events as JSON payloads. The following examples show typical payloads that appear in Sumo Logic.

Authentication Event

{
  "AuditEventMessageId": "a6a7e50d-d64b-46db-9963-025a93e55381",
  "EventDateTime": "2025-10-06T16:02:08.9653521+00:00",
  "Action": {
    "Name": "Delinea.Identity.AuthSession.SessionStart",
    "Verb": "SessionStart"
  },
  "Actor": {
    "Name": "jdoe@company.com"
  },
  "Target": null,
  "ClientIPAddress": "10.xxx.4.160",
  "Source": {
    "Network": {
      "IpAddress": "::ffff:127.0.0.1"
    }
  }
}

Secret Access Event

{
  "AuditEventMessageId": "b1c2d3e4-5678-90ab-cdef-1234567890ab",
  "EventDateTime": "2025-10-06T16:10:00+00:00",
  "Action": {
    "Name": "SecretViewed",
    "Verb": "View"
  },
  "Actor": {
    "Name": "jdoe"
  },
  "Target": {
    "secretId": "42",
    "secretName": "Database Credentials"
  },
  "ClientIPAddress": "10.xxx.4.160"
}
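
The two payloads differ in ways that matter for correlation: the actor appears as both jdoe@company.com and jdoe, Target can be null, the timestamp can carry seven fractional digits, and the source address can be an IPv4-mapped IPv6 value. The following Python sketch is an added example, not Platform or Sumo Logic code: it normalizes events of these shapes and builds a per-actor timeline. The sample lines are constructed from the payloads above (trimmed), and treating the part before "@" as the same user is an assumption to confirm against your identity source.

```python
import ipaddress
import json
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines following the two payload shapes shown above.
RAW = [
    '{"EventDateTime": "2025-10-06T16:10:00+00:00",'
    ' "Action": {"Name": "SecretViewed", "Verb": "View"},'
    ' "Actor": {"Name": "jdoe"}, "Target": {"secretId": "42"},'
    ' "ClientIPAddress": "10.xxx.4.160"}',
    '{"EventDateTime": "2025-10-06T16:02:08.9653521+00:00",'
    ' "Action": {"Name": "Delinea.Identity.AuthSession.SessionStart",'
    ' "Verb": "SessionStart"},'
    ' "Actor": {"Name": "jdoe@company.com"}, "Target": null,'
    ' "ClientIPAddress": "10.xxx.4.160",'
    ' "Source": {"Network": {"IpAddress": "::ffff:127.0.0.1"}}}',
]

def parse_time(value):
    # Trim the 7-digit fraction to microseconds for datetime.fromisoformat.
    return datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", value))

def clean_ip(value):
    try:
        ip = ipaddress.ip_address(value)
    except (ValueError, TypeError):
        return value  # absent, or masked as in 10.xxx.4.160: keep as-is
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def normalize(event):
    actor = (event.get("Actor") or {}).get("Name", "")
    network = (event.get("Source") or {}).get("Network") or {}
    return {
        "time": parse_time(event["EventDateTime"]),
        "verb": (event.get("Action") or {}).get("Verb"),
        "actor": actor,
        # Assumption: the part before "@" identifies the same user.
        "actor_key": actor.split("@", 1)[0].lower(),
        "target": event.get("Target") or {},  # null on authentication events
        "client_ip": clean_ip(event.get("ClientIPAddress")),
        "source_ip": clean_ip(network.get("IpAddress")),
    }

def timelines(raw_lines):
    by_actor = defaultdict(list)
    records = sorted(map(normalize, map(json.loads, raw_lines)), key=lambda r: r["time"])
    for rec in records:
        by_actor[rec["actor_key"]].append(rec["verb"])
    return dict(by_actor)
```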

Troubleshooting

The following table provides troubleshooting guidance for common issues you may encounter when integrating the Platform with Sumo Logic.

Issue | Cause | Solution
Webhook test fails | Incorrect endpoint URL or network issue | Verify the Sumo Logic HTTP Source URL is correct and that outbound HTTPS (port 443) is allowed from the Platform.
No data appears in Sumo Logic | Webhook disabled or trigger mismatch | Confirm the webhook state is Enabled. Check that trigger settings (Service, Level) match the events you expect to see.
Events delayed in Sumo Logic | Normal ingestion latency | Sumo Logic may have indexing delay. Use Live Tail for real-time validation of incoming data.
Partial events received | Trigger filters too restrictive | Review webhook trigger settings and expand Service/Level selections as needed.
HTTP 401/403 errors in webhook logs | Authentication header misconfigured | Verify any custom headers are correctly formatted. The Sumo Logic HTTP Source URL is a presigned URL and does not typically require additional authentication headers.