LogicMonitor can use the SumoLogic API to query for the count of log messages that match certain criteria, and then graph and alert on them. There is a standard datasource, SumoLogic_Logs_Per_device, that tracks the amount of log messages sent per device in each 10 minute period, and alerts on usual increases. To enable this datasource, you need to change the AppliesTo field, to associate it with all servers and devices that are sending data to SumoLogic.

e.g. change the AppliesTo field to: (isLinux() || isCisco() || isNetscaler() || isJuniper()) && system.displayname !~ "console"in order to check the volume of logs for all Linux, Cisco, Netscaler and Juniper devices, but not their consoles.

You also need to supply credentials to access the SumoLogic API. We suggest setting up Access Keys for this purpose within SumoLogic.

  1. In the Sumo Logic Web Application click your user name, then choose Preferences.
  2. Next to My Access Keys, click Create.

You should then use the Access Keys to set the properties sumo.api.user and sumo.api.pass on the top level of your device tree. This will cause those properties to be inherited by all devices, so that the credentials can be used by the datasource when associated with any device.

You should now be tracking the number of messages logged on all devices, and alerted to unusual increases.  You should adjust the default threshold to your environment.

You can also use this datasource as a base to modify for your own specific queries.