# Sumo Logic MCP

> Sumo Logic connects your AI client directly to enterprise log data. Run complex security searches, monitor data ingestion pipelines, and check account usage metrics—all from a single chat window. It lets you diagnose system issues by querying diagnostic logs or checking collector status without ever opening the web console.

## Overview
- **Category:** industry-titans
- **Price:** Free
- **Tags:** log-analysis, security-monitoring, incident-response, data-ingestion, system-observability

## Description

When your systems throw an error, you can't afford to jump between dashboards just to find root causes. This MCP gives your AI agent direct access to massive streams of security and operational data. You tell your agent what to look for—like 'all timeouts in the last two hours'—and it handles the complex queries needed to track down those specific events.

Beyond searching logs, you can check how your system is collecting data by listing all connected collectors or checking billing usage straight from the chat. It also lets you review who has access and which alert webhooks are configured. Because this integration lives in Vinkius, your AI client gets immediate access to all of these operational tools, so you can automate log analysis without building dashboard integrations.

## Tools

### list_account_users
Gets a list of every registered user account in the Sumo Logic system.

### list_active_webhooks
Shows all external systems that are currently configured to receive alerts from your logs.

### create_search_job
Starts a new, time-bound log search job and provides an ID for tracking its progress.

### get_account_billing
Retrieves detailed metrics on your account's usage and billing data.

### get_collector_details
Fetches specific setup details for a single configured data collector.

### get_search_results
Pulls the actual log entries and incident reports after a search job has successfully finished.

### get_search_status
Checks the current status of any active or pending search job using its ID.

### list_collectors
Provides a comprehensive list of all data collection sources configured in your account.

### list_account_roles
Lists the various security roles that define user permissions across the entire account.

## Prompt Examples

**Prompt:** 
```
Fetch all account users, then list the active integration webhooks.
```

**Response:** 
```
Authenticating and validating parameters...
**Account users found (`list_account_users`)**:
- `Sarah Connor (s.connor@sumo.io)` - Admin
- `John Ops (j.ops@sumo.io)` - Observer

**Webhook endpoints found (`list_active_webhooks`)**:
- `PagerDuty Alerts` (Status: Active)
- `Slack #sec-ops channel` (Status: Active)
Both read-only tasks completed.
```

**Prompt:** 
```
Create a new search job tracking 'auth_failure' errors over the last 24 hours.
```

**Response:** 
```
Starting the search job...
Executed `create_search_job`; Job ID `881A-9XF` assigned.
Polling `get_search_status`:
- Check 1: still gathering results.
- Check 2: done gathering results.
Job finished; results are ready to retrieve.
```

**Prompt:** 
```
Retrieve the exact search results from the active job ID once the asynchronous monitoring reports completion.
```

**Response:** 
```
Retrieving results...
**Log events returned by `get_search_results`**:
- 08:00 AM: IP 10.4.5.1 failed authentication.
- 11:30 AM: IP 192.168.1.10 unauthorized access attempt.
Search results retrieved.
```

## Capabilities

### Run targeted log searches
Start a detailed search query on your logs and wait for the results to appear.

### Track live job status
Check if a complex or lengthy log search is still processing or if it finished successfully.

### Retrieve final incident details
Pull the actual list of logs and event records once a search job has completed.

### Audit data sources
List all configured data collectors to verify where your system is gathering telemetry.

### Review account access controls
See who the users are and what security roles they possess within the Sumo Logic environment.

### Check operational alerts
View which external systems are configured to receive automated alerts via webhooks.

## Use Cases

### A service keeps failing intermittently, but the logs are too massive to sift through.
The SRE asks their agent to run a targeted search job on 'connection refused' errors over the last 48 hours using `create_search_job`. The agent tracks the status with `get_search_status` and returns all specific failure timestamps, allowing the engineer to narrow down the failing microservice IP address.

### The security team suspects an unauthorized user account is active.
An analyst tells their agent to list all users via `list_account_users` and then check their roles using `list_account_roles`. This confirms whether a service account holds excessive permissions and speeds up compliance audits.

### The billing department needs to confirm what data sources are contributing to high usage.
Instead of downloading complex reports, the agent uses `get_account_billing` to pull current usage metrics and then cross-references that with a list of active collectors found via `list_collectors`.

### A new alert system needs integration, but nobody knows where the webhooks are configured.
The ops engineer prompts their agent to list all active webhooks using `list_active_webhooks`. This instantly provides a checklist of every external service currently receiving automated alerts.

## Benefits

- Instantly locate root causes. Instead of manually building complex queries in a web UI, you just ask your agent to find specific errors using `create_search_job` and get the answers immediately.
- Eliminate dashboard hopping. You can check account usage metrics via `get_account_billing`, verify which users exist (`list_account_users`), and see active alerts—all without switching tabs or applications.
- Verify data pipelines easily. Use `list_collectors` to get a full map of your telemetry sources, then drill down with `get_collector_details` if something looks wrong.
- Manage security compliance quickly. You can check all configured alert webhooks using `list_active_webhooks`, ensuring critical systems like PagerDuty are still connected and firing alerts.
- Streamline incident response. If an error occurs, your agent runs the search (`create_search_job`), waits for confirmation (`get_search_status`), and delivers the final log data (`get_search_results`)—all in one flow.

## How It Works

You treat log analysis like a conversation instead of navigating complex web interfaces.

1. First, enable the Sumo Logic MCP integration module in your Vinkius environment and authenticate using your `SUMO_ACCESS_ID` and `SUMO_ACCESS_KEY`.
2. Next, instruct your AI client naturally: 'Find all high-priority security errors spanning the last day.'
3. Your agent executes the search job, provides a Job ID for tracking, and then retrieves the final logs once the status confirms completion.

## Frequently Asked Questions

**How do I use Sumo Logic to find billing metrics with the MCP?**
You ask your agent directly for usage data, and it uses `get_account_billing` to pull your current consumption metrics. This avoids having to navigate the dedicated billing section of the console.

**Can I use Sumo Logic to check if a specific user exists?**
Yes, you ask for all users, and the agent uses `list_account_users` to provide a list. This lets you audit who has access without manual searching.

**How do I run a search job and ensure I get the results from Sumo Logic?**
You first use `create_search_job`. Then, tell your agent to check the status using `get_search_status` until it's complete. Finally, you call `get_search_results`.
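The create, poll and retrieve sequence from the steps above and this answer, written out as an added example (not code from the Vinkius or Sumo Logic projects). It assumes the three MCP tools are reachable as plain callables, that job status uses the Sumo Logic Search Job API state strings, and that results are paged by offset; the `FakeTools` client and its hits are constructed so the flow runs offline.

```python
import time

# Assumption: the MCP tools surface the Sumo Logic Search Job API state strings.
DONE = "DONE GATHERING RESULTS"
TERMINAL = {"CANCELLED", "FORCE PAUSED"}

def run_search(tools, query, time_from, time_to, timeout_s=300, poll_s=2.0, page=200):
    """Create a job, poll until it finishes, then page through every message.
    `tools` exposes the three MCP tools as callables; the shapes are assumptions."""
    job_id = tools.create_search_job(query=query, from_time=time_from, to_time=time_to)["id"]
    deadline = time.monotonic() + timeout_s
    while True:
        status = tools.get_search_status(job_id)
        if status["state"] == DONE:
            break
        if status["state"] in TERMINAL:  # surface a failed job instead of spinning forever
            raise RuntimeError(f"job {job_id} ended in state {status['state']}")
        if time.monotonic() > deadline:
            raise TimeoutError(f"job {job_id} still {status['state']} after {timeout_s}s")
        time.sleep(poll_s)
    messages, offset = [], 0
    while offset < status["messageCount"]:  # results are paged, so loop on offset
        batch = tools.get_search_results(job_id, offset=offset, limit=page)
        if not batch:
            break
        messages.extend(batch)
        offset += len(batch)
    return messages

def failures_by_ip(messages):
    """Rank source IPs by auth-failure count, the triage step in the SRE use case."""
    counts = {}
    for m in messages:
        counts[m["src_ip"]] = counts.get(m["src_ip"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

SAMPLE_HITS = [{"ts": "08:00", "src_ip": "10.4.5.1", "msg": "auth_failure"},  # constructed
               {"ts": "08:05", "src_ip": "10.4.5.1", "msg": "auth_failure"},
               {"ts": "11:30", "src_ip": "192.168.1.10", "msg": "auth_failure"}]

class FakeTools:
    """Constructed stand-in client: still gathering on the first poll, DONE on the second."""
    polls = 0
    def create_search_job(self, **kw):
        return {"id": "JOB-0001"}
    def get_search_status(self, job_id):
        self.polls += 1
        return {"state": DONE if self.polls >= 2 else "GATHERING RESULTS", "messageCount": len(SAMPLE_HITS)}
    def get_search_results(self, job_id, offset=0, limit=200):
        return SAMPLE_HITS[offset:offset + limit]
```

Swap `FakeTools` for the real tool client and keep the terminal-state and timeout checks: a cancelled or stalled job should fail loudly rather than be polled forever.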

**Does Sumo Logic help me monitor data sources?**
Yes. You can list all configured collectors with `list_collectors`, and if needed, get granular setup details for one source using `get_collector_details`.

**What is the best way to check alert endpoints in Sumo Logic?**
The agent can list every configured webhook endpoint for you using `list_active_webhooks`, giving you a quick audit of all external integrations.