Parsing windows events for sumologic's collector can be a challenge, one common solution is to use regexes but those are not performant and cause both lag for the customer and increase the cost for us.
However the data has a huge advantage in that it follows the same pattern depending on the windows event ID. The terraform configuration contains a set of FER that parse different windows events with the values expected by CSE.
- Generate, if you don't have one, an access id/key from sumologic, https://help.sumologic.com/Manage/Security/Access-Keys. Save them somewhere safe
- Set SUMOLOGIC_ENVIRONMENT to the region for the customer
- Set SUMOLOGIC_ACCESSID and SUMOLOGIC_ACCESSKEY to the id and key obtained it the step above.
- Run
terraform apply, it will ask you whether to create (or update) the rules.
I don't know why but the rules are always marked as having changes, but looking at the diff there's nothing changing.
If the customer already had FERs and we want to migrate to this set of rules then I recommend doing the following:
- Change the prefix for all fields from
EventDatatoEventDataNew. - Create the new rules
- Verify all the required fields with EventDataNew are correct.
- Change the prefix for all fields from
EventDataNewtoEventData. - Update the rules and disabled the existing rules