Sumo Wrestling Your Logs with Sumo Logic
Rating: 7 out of 10
February 05, 2016
DA
Vetted Review
Verified User
1 year of experience
Sumo Logic was being used by developers, system engineers, management, and InfoSec as a primary log aggregation tool. It was replacing the Splunk deployment in our enterprise because it was cheaper, hosted by Sumo Logic, and helped bring larger visibility to the enterprise (as we were able to ingest larger amounts of logs than we had before). As a result, many developer teams that did not initially have the insight into their applications were able to get instant access to how things were running on their systems.
- Sumo Logic allowed for our InfoSec team to ingest logs from our CDN directly, in real-time, instead of massive compressed archives that were sent every two-hours (the only alternative at the time). Sumo Logic had an app for these logs, that allowed us to easily get an immediate payoff from the data, with canned dashboard and saved searches.
- Sumo Logic has a fairly extensive REST API when it comes to log sources, source configurations, dashboard data, searches, etc. Their wiki for the API is usually kept up to date.
- Sumo Logic, during the period of time I had used their product, had added the ability to configure agents via configuration files. This allowed customers to configure their endpoints, and modify the endpoints, with configuration management tools like Chef / Puppet / Salt. Beforehand, the only option was to always make changes either via the web portal or REST API.
- The solutions engineers were extremely helpful, and easily reachable when issues would occur.
- Users at our company found it easy to get started, working on new dashboards, scheduled searches, and alerting. The alerting worked well with our third-party paging tool.
Cons
- Sumo Logic, during the period that I used their product (up until at least November 2015), did not have a User / RBAC API. This made it very difficult to manage users (we had about 100 users). Even though they had SAML integration, allowing us to utilize a single-sign on solution, we would have to do manual reviews of user accounts in Sumo Logic on a regular basis. There was no export feature, so it became a matter of copy/pasting all users from the web portal, and creating a spreadsheet out of the data. This was a big pain, as we were all about automation. I had been told that a User / RBAC REST API would be made available sometime during Q1 - Q1 2016.
- The user who creates any saved search queries, alerts, reports, or dashboards, is the only user that is able to edit them. In a collaborative environment, or larger enterprise, this brings a level of difficulty. For example, if an alert breaks and is spamming an inbox/pager, it cannot be edited or stopped unless done specifically by the user who created it. The RBAC has not been improved enough to allow groups/teams/organizations to have ownership over them (as of November 2015).
- If you are to delete a user account in Sumo Logic, as your account is setup to allow a specific amount of user accounts in addition to the storage limits agreed in contract, all of the work they had created for teams -- dashboards, scheduled searches, alerting, reporting, etc. -- all become unpublished and unscheduled. They all become inherited by the user that deletes their account. This may create a mess, as this may now completely stop many useful reports/alerts/dashboards that were being taken care of initially. As a result, deletion of a user who is no longer having access to Sumo Logic (due to leaving the company, or leaving a team the needs access), requires a complete review of everything the user has saved in order to see whether anything needs to be rescheduled for alerting/reporting or republished for dashboard viewing. This is all as of November 2015.
- Purging log data can be extremely difficult. Sumo Logic stores data in a WORM (Write Once, Read Many) type of database. This is done for security reasons, and the database also stores it's data in an encrypted form. If you wish for any data to be removed for any reason, such as PHI / PII / etc. information, you have to wipe out absolutely all data within a time range that Sumo Logic has ever gathered for you. This does not just include the source of the data you are trying to purge, but would include all log data from all sources that you have (even if separately indexed, or partitioned). I am unsure of whether this is still the fact, or if this has at least narrowed down to partition/index, or source.
- In the web portal, Sumo Logic has icons for agents that are working -- green/yellow if I remember right. Source hosts would always show a big green checkmark for health, even if certain sources were completely failing. If Sumo Logic agents are logging errors that logs can't be collected (permissions, some agent issue, etc.), there wasn't a way to visibly see there was an issue unless you were looking for it in logs. This resulted in periods of time where we did not receive logs from many sources. This is hard to alert on, as we found we would have to create a scheduled search of Sumo Logic agent logs that looked for as many error/warning messages as we could, that we knew about. This was incredibly difficult, and unmanageable.