How to Ship Cloudflare logs to Sumo Logic with Lambda

2 min read Original article ↗

How It Works

First, you’re going to want to create a new HTTP source to ingest the Cloudflare logs. Set the source category, host, etc. at SumoLogic to make the configuration of the Lambda function easier.

Next, create a new Serverless function:

$ mkdir -p ~/cloudflareToSumoLogic$ cd ~/cloudflareToSumoLogic$ serverless create \
    --name cloudflareToSumoLogic \
    --template aws-nodejs \
    --path ~/cloudflareToSumoLogic

Let’s walk through the serverless.yml configuration file:

functions:
    # This is the name of the Lambda function
  cloudflareToSumoLogic:
    # This is the name of the handler; this is the "main"
    # function called by Lambda
    handler: index.handler    # This function was written to be run every one minute
    # Any adjustments will require code changes...
    events:
      - schedule: rate(1 minute)    # Required environment variables:
    environment:
      # Grab this URL from the Sumo Logic source you just created
      SUMO_ENDPOINT: ...
      # Get these values from the Cloudflare admin UI
      CLOUDFLARE_ZONE_ID: ...
      CLOUDFLARE_AUTH_EMAIL: ...
      CLOUDFLARE_AUTH_KEY: ...

Finally, you’re going to need the function:

Now, try it out!

$ serverless invoke local -f cloudflareToSumoLogicstartTime: 2017-02-11T15:07:00.000Z
endTime: 2017-02-11T15:08:00.000ZcloudflareOpts: { method: 'GET',
  hostname: 'api.cloudflare.com',
  path: '/client/v4/zones/.../logs/requests?start=1486825620&end=1486825680',
  headers:
   { 'X-Auth-Email': '...',
     'X-Auth-Key': '...' } }res.statusCode:  200res.headers:  { date: 'Sat, 11 Feb 2017 15:38:40 GMT',
  'content-type': 'application/json',
  'transfer-encoding': 'chunked',
  connection: 'close',
  'set-cookie': [ '__cfduid=...; expires=Sun, 11-Feb-18 15:38:39 GMT; path=/; domain=.cloudflare.com; HttpOnly' ],
  vary: 'Accept-Encoding',
  'x-cf-request-id': '00000000-0000-0000-0000-000000000000',
  'strict-transport-security': 'max-age=31536000',
  'served-in-seconds': '0.355',
  server: 'cloudflare-nginx',
  'cf-ray': '...-ORD' }Log events: 659

Everything look good? It’s time to deploy:

$ serverless deployServerless: Packaging service...
Serverless: Uploading CloudFormation file to S3...
Serverless: Uploading service .zip file to S3 (9.45 KB)...
Serverless: Updating Stack...
Serverless: Checking Stack update progress...
.....................
Serverless: Stack update finished...
Serverless: Removing old service versions...Service Information
service: cloudflareToSumoLogic
region: us-east-1
api keys:
  None
endpoints:
  None
functions:
  cloudflareToSumoLogic

Analyzing Ingested Logs in Sumo Logic

Press enter or click to view image in full size

Now that your logs are being ingested every minute, you can run the following query and you should be able to start seeing results like the screenshot above:

_sourceCategory=...
| json auto
| toLong(num(timestamp)) as timestamp
| timestamp as _messageTime
| fields - timestamp
| fields - _raw

Replace _sourceCategory with the HTTP source category that you created earlier for your Cloudflare logs. This snippet parses the JSON lines automatically, translates the log timestamp timestamp to a time object, replaces the _messageTime with the log timestamp, then remove the raw JSON object and its ingest timestamp.