Slack Source
This topic describes the Slack Source, part of Sumo Logic's Cloud-to-Cloud Integration Framework.
This source is available in all deployments, including the Fed deployment.
Data collected
| Polling Interval | Data |
|---|---|
| 24 hours | Web Team Info |
| 24 hours | Web Users List |
| 24 hours | Conversations List |
| 5 mins | Web Team Access Logs |
| 5 mins | Messages |
| 5 mins | Audit Logs |
The Slack Source uses the following Slack APIs to ingest web and audit events.
The source collects the following API endpoints and routes.
| API | Req Scope | Route | Free | Standard | Plus | Enterprise |
|---|---|---|---|---|---|---|
| Web API | admin | team.accessLogs | Collected | Collected | Collected | Collected |
| Web API | team:read | team.info | Collected | Collected | Collected | Collected |
| Web API | team.billableInfo | Collected | Collected | Collected | Collected | |
| Web API | users:read | users.list | Collected | Collected | Collected | Collected |
| Web API | channels:read | conversations.list | Collected | Collected | Collected | Collected |
| Web API | channels:history | conversations.replies | Collected | Collected | Collected | Collected |
| Web API | channels:history | conversations.history | Collected | Collected | Collected | Collected |
| Web API | admin.teams:read | admin.teams.list | N/A | N/A | N/A | Collected |
| Audit API | auditlogs:read | audit-logs | N/A | N/A | N/A | Collected |
Each Slack API endpoint specifies a tier rate limit limiting the C2C in the number of calls it can make to Slack.
Setup
Vendor configuration
The Slack source can collect data from Slack's Web API and Audit API. The Web API is used to collect standard channel, user, and message information from a specific workspace. The Audit API is used to collect security audit events across the entire account including all workspaces, but it requires a Slack Enterprise Grid license. Each API collects different information; collect from both if you have a Slack Enterprise Grid license.
We recommend creating a Slack App for each Slack Workspace you want to monitor. This requires a Sumo Logic Slack C2C per Slack Workspace. If you have a Slack Enterprise Grid account, you can create an additional Slack app, install it on the Enterprise Grid instead of a Workspace and create another Sumo Logic C2C to monitor your Enterprise Grid audit logs from the Audit API.
Process overview
- Create the Slack App with the correct permissions.
- Install the Slack app on a specific workspace to monitor Web API logs or install the app on the Enterprise Grid to monitor Audit API logs.
- Install the Sumo Logic Slack C2C using your credentials from the installed Slack App.
Create Slack App with Permissions
- Navigate to the Slack Apps page.
- Click Create New App.
![Create a new Slack app button]](/img/send-data/slack-create-app-button.png)
- Select From scratch if asked how you would like to configure your Slack app.
![From Scratch App]](/img/send-data/slack-create-app-from-scratch.png)
- Provide a App Name for your Slack App and select the Workspace you want to monitor and install the Slack App in.
The Sumo Logic collector will monitor logs from your workspace you select here. If you want to install the app on the
Enterprise Grid instead of a workspace to monitor the Audit API logs, select a workspace for now, and you will see
instructions later for migrating it.
![App Name and Workspace Assignment]](/img/send-data/slack-create-app-name.png)
- Click Create App.
- You are now presented with the basic information about your Slack app. Click Permissions in the Add features and functionality section.
![App Name and Workspace Assignment]](/img/send-data/slack-basic-info-permissions.png)
- Scroll down to the Scopes section add multiple User Token Scopes depending on your Slack account type.
![App Name and Workspace Assignment]](/img/send-data/slack-scope-add.png)
Use the table below to reference the required scope permissions you need to add depending on the Slack API you want to collect along with your Slack account type:
| Slack API | Slack Account Type | Required Scopes |
|---|---|---|
| Web API | Free Plan | admin, team:read, users:read, users:read.email, channels:read, channels:history |
| Web API | Pro | admin, team:read, users:read, users:read.email, channels:read, channels:history |
| Web API | Business+ | admin, team:read, users:read, users:read.email, channels:read, channels:history |
| Web API | Enterprise Grid Plan | admin, team:read, users:read, users:read.email, channels:read, channels:history |
| Audit API | Enterprise Grid Plan | auditlogs:read |
Install the Slack App on a Workspace for Web API Logs
Only follow these steps if you are installing a Slack App on a specific workspace to monitor Web API logs. Please ensure you have followed the prior steps for creating the Slack app with the appropriate permissions before continuing to this section.
- On the app settings page, click Install App and the Install to Workspace button.
- Allow your new Slack App to monitor your workspace.
- Save the generated access token. This will be used by the Sumo Logic configuration for access.
Install the Slack App on the Enterprise Grid for Audit API Logs
Only follow these steps if you are installing a Slack App on the Enterprise to monitor Audit API logs. Make sure you have followed the prior steps for creating the Slack app with the appropriate permissions before continuing to this section. A Slack Enterprise Grid account is required.
- On the app settings page, click OAuth & Permissions.
- Scroll down to Redirect URLs. Add a new redirect URL as
https://localhostand click Save URLs.
- Go to Manage Distribution > Share Your App with Other Workspaces
- Open the Remove Hard Coded Information section on the same page and check the
I’ve reviewed and removed any hard-coded information checkbox. Click the Activate Public Distribution button.
- Copy the shareable link and ensure the permissions are correct from the prior table.
- Open a new tab in your browser, paste the URL and press Enter.
- Select the dropdown menu in the upper right corner and choose the correct organization.
- Click Allow.
- Ignore the error message and copy the Code in the URL field, as shown in the following example.
- Get the client ID and client secret from the Basic information of your Slack app. Replace the
<CODE>,<CLIENT_ID>and<CLIENT_SECRET>variables in the following URL.
https://slack.com/api/oauth.v2.access?code=<CODE>&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET> - Open a new browser tab and paste the URL from the previous step into the URL field, then press Enter.
- From the response, save the token value from the field
access_tokenas it will be used for the Sumo source.
Source configuration
When you create a SailPoint Source, you add it to a Hosted Collector. Before creating the Source, identify the Hosted Collector you want to use or create a new Hosted Collector. For instructions, see Create a Hosted Collector.
To configure a Duo Source:
- In Sumo Logic, select Manage Data > Collection > Collection.
- On the Collectors page, click Add Source next to a Hosted Collector.
- Search for and select Slack.
- Enter a Name for the Source. The Description is optional.
- (Optional) For Source Category, enter any string to tag the output collected from the Source. Category metadata is stored in a searchable field called
_sourceCategory. - (Optional) Fields. Click the +Add Field link to define the fields you want to associate, each field needs a name (key) and value.
A green circle with a check mark is shown when the field exists in the Fields table schema.
An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field is sent to Sumo that does not exist in the Fields schema it is ignored, known as dropped.
- API Auth Bearer Token. Enter the Slack App access token from the previous steps.
- Slack API Collection. Select the Slack collection API you want to collect logs from (Web or Audit).
- Polling Interval in Minutes. Enter the frequency in minutes for collecting the data. Default is 5 mins.
JSON example
{
"ok": true,
"access_token": "xoxp-1236544616-Example-Access-Token5bf71298dad60d941f2a44b371",
"scope": "admin,identify,channels:history,groups:history,im:history,channels:read,team:read,users:read,users:read.email,auditlogs:read",
"user_id": "WA7PQK3U5",
"team_id": "EFSFVS",
"enterprise_id": "EASFEF",
"team_name": "Test Slack App"
}
Terraform example
resource "sumologic_cloud_to_cloud_source" "slack" {
collector_id = sumologic_collector.collector.id
schema_ref = {
type = "Slack"
}
config = jsonencode({
"ok": true,
"access_token": "xoxp-1236544616-Example-Access-Token5bf71298dad60d941f2a44b371",
"scope": "admin,identify,channels:history,groups:history,im:history,channels:read,team:read,users:read,users:read.email,auditlogs:read",
"user_id": "WA7PQK3U5",
"team_id": "EFSFVS",
"enterprise_id": "EASFEF",
"team_name": "Test Slack App"
})
}
resource "sumologic_collector" "collector" {
name = "my-collector"
description = "Just testing this"
}
Limitation
While ingesting web events, this source supports a maximum of 16,000 active Slack channels, exceeding this limit may cause the source to return a FIRST-PARTY-GENERIC error type. Archived Slack channels are not supported while ingesting the web events.
Troubleshoot
Collecting real-time Slack messages from Slack channels and understanding the C2C polling interval is a common question.
The C2C is limited in the number of API calls it can make to the Slack API documented in the Slack API rate limits page. The C2C will gather a list of your non-archived Slack channels and collect new messages from each channel for the polling interval. The default polling interval is 5 minutes. The rate limits on the Slack API for these endpoints use their "Web API Tier 3" limit, which is 50 requests per minute.
This means if you have 1000 active Slack channels, it will take the C2C a minimum of 20 minutes to iterate through all the channels checking for new messages. The poll cycle will not start again until last one finishes. Let's say the poll cycle starts at 10:00 and does not complete until 10:20, then the next poll cycle will start immediately at 10:20. Additionally more time may be added if the C2C has to paginate to gather more than 1000 Slack messages from a single channel.
Each page adds to the overall number of API calls needed and adds time due to the Slack API rate limits. Sumo Logic recommends you archive any Slack channels no longer used. This will prevent the C2C from checking for new messages in channels without activity.
FAQ
Click here for more information about Cloud-to-Cloud sources.