})
Workday is a cloud-based enterprise resource planning (ERP) system that enables organizations to manage their financial, human resources, payroll, and procurement processes in one central platform. It offers a range of features such as analytics, reporting, and workflow automation to help businesses make informed decisions and streamline their operations. Workday is a comprehensive solution for businesses looking to improve their efficiency, productivity, and financial management.
The Sumo Logic source integration for Workday facilitates retrieving sign-on logs and activity logs from the Workday API.
:::note
Upgrade the Workday source to the latest version 3.x.x for seamless data collection experience. Older versions may be discontinued, so upgrading ensures continued support and the latest improvements. For upgrade instructions, see [Cloud-to-Cloud Source Versions](/docs/send-data/hosted-collectors/cloud-to-cloud-integration-framework/cloud-to-cloud-source-versions/)
:::
## Data collected
| Polling Interval | Data |
| :--- | :--- |
| 10 mins | Activity Logs |
| 10 mins | Sign On Logs |
## Setup
### Prerequisite
These instructions assume that the Security Administrator, System Auditor, and Report Administrator security groups are assigned to the user who will be configuring data collection in the Workday portal. Make sure the account used does not belong to an employee otherwise custom reports created by the user may no longer be available when they leave the organization.
Sumo Logic collects logs from Workday via a script that calls the Workday APIs. As part of the script configuration, you need to first configure log types that need to be collected, and these logs are then forwarded to Sumo Logic’s HTTPS source.
By default, the collection starts from the current date and time, but this setting is also configurable.
### Vendor configuration
This section demonstrates how to configure the Workday portal to integrate with Sumo Logic’s collection scripts. Configuring the Workday portal involves the following steps:
#### Step 1: Register the API client
1. To register the API client, access the **Register API Client** **for Integrations** task, and provide the following parameters:
* **Client Name.** Sumo Logic Workday Collector
* **Non-Expiring Refresh Tokens.** Yes
* **Scope.** System, Integration, and Tenant Non-Configurable scopes are *required*.
2. Click **OK**.
3. Copy the **Client Secret** and **Client ID** before you navigate away from the page and store it securely. If you lose the **Client Secret**, you can generate a new one using the **Generate New API Client Secret** task.
4. Click **Done**.
5. To generate a refresh token, access the **View API Clients** task and copy the below two parameters from the top of the page:
* **Workday REST API Endpoint.** The endpoint to use for access to the resources in your tenant.
* **Token Endpoint**. The endpoint used to exchange an authorization code for a token (if you configure an authorization code grant).
6. Go to the **API Clients for Integrations** tab, hover on the **“Sumo Logic Workday Collector API”** client, and click on the three-dot kebab action button.
7. In the new pop up window, click **API Client > Manage Refresh Token for Integrations**.
8. In the **Manage Refresh Token for Integrations** window, select **“SumoLogic_ISU”** in the **Workday Account** field and click **OK**.
9. In the newly opened window, select the **Generate New Refresh Token** checkbox and click **OK**.
10. Copy the value of the **Refresh Token** column from the opened window and click **Done**.
#### Step 2: Enable your tenant to send data
1. To enable your Tenant to send data, access the **Edit Tenant Setup - System** task and ensure that the **Enable User Activity Logging** checkbox is selected.
2. Access the **Edit Tenant Setup - Security** task and ensure that the **OAuth 2.0 Clients Enabled** checkbox is selected.
#### Step 3: Create a Custom sign on report
For customers that do not make use of the Recruiting Functional Area, the standard Candidate Signon report may not be available. The alternative is to create a new custom report with **Data Source = “All System Account Signons”** and **Data Source Filter** = **“Workday System Account Signons in Range”**. You can configure the fields using [Excel](https://appdev-readme-resources.s3.amazonaws.com/Workday/Signons_and_Attempted_Signons_-_Copy.xlsx).
1. Go to **Copy Standard Report to Custom Report** task to create a Customs SignOn Report.
2. Select **Candidate Signons and Attempted Signons** in **Standard Report** **Name** dropdown and click **OK**.
3. In the new window, select **Optimized for Performance** checkbox, edit the report **Name** to **Custom Signons and Attempted Signons Report** and click **OK**.
4. In the next window, edit the **Data Source Filter** field and select **Workday System Account Signons in Range** filter.
5. Go to the **Columns** tab and click the **+** button to add the following new fields:
* Operating System
* Password Changed
* Request Originator
* SAML Identity Provider
* Forgotten Password Reset Request
* Multi-Factor Type
* Is Device Managed
* UI Client Type
* Browser Type
* Device is Trusted
6. Remove the text in the **Column Heading Override** column, for **Field > Session ID** and **Field > System Account**. After configuring all the fields you can verify all the fields using the [Excel](https://appdev-readme-resources.s3.amazonaws.com/Workday/Signons_and_Attempted_Signons_-_Copy.xlsx).
7. If you're configuring Workday Source, go to the **Prompts** tab and look for the **Do Not Prompt at Runtime** column under the **Prompts Defaults** table. Make sure that checkboxes are disabled for the **From_Moment** and **To_Moment** rows.})
8. Go to the **Advanced** tab and click the **Enable As Web Service** checkbox under **Web Service Options**.
9. Go to the **Share** tab, enable **Share with specific users and groups** option, add **SumoLogic_ISU** in the **Authorized Users** field, and click **OK**.
10. Click **Done**. You can also test it by clicking the **Run** button.
11. To get the Report URL, search for **Custom Signons and Attempted Signons Report** in the search bar and run the report.
12. Click the **Actions** button and go to **Web Service > View URLs**.
13. Click **OK** and copy the URL from **JSON** link. You will need this later while configuring the collection. From the URL, remove any query parameters like json, From Moment and To Moment. The report URL should look like this `https://wd2-impl-services1.workday.com/ccx/service/customreport2/[**Classic UI**](/docs/get-started/sumo-logic-ui-classic). In the main Sumo Logic menu, select **Manage Data > Collection > Collection**. 2. On the Collectors page, click **Add Source** next to a Hosted Collector. 3. Select for and select **Workday**. 4. Enter a **Name** to display for the Source in the Sumo Logic web application. The **description** is optional. 5. For **Source Category** (Optional), enter any string to tag the output collected from the Source. Category [metadata](/docs/search/get-started-with-search/search-basics/built-in-metadata/) is stored in a searchable field called `_sourceCategory`. 6. **Forward to SIEM**. Check the checkbox to forward your data to [Cloud SIEM](/docs/cse/).
}){kind=small}
A green circle with a checkmark is shown when the field exists in the Fields table schema.
* }){kind=small}
An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, you'll see an option to automatically add or enable the nonexistent fields to the Fields table schema. If a field is sent to Sumo Logic but isn’t present or enabled in the schema, it’s ignored and marked as **Dropped**.
8. **Client ID**. Paste the Client ID copied from vendor configuration [Step 1](#step-1-register-the-api-client).
9. **Client Secret**. Paste the Client Secret copied from [Step 1](#step-1-register-the-api-client).
10. **Refresh Token URL**. Paste the Token endpoint copied from [Step 1](#step-1-register-the-api-client).
11. **Refresh Token**. Paste the generated Refresh Token copied from [Step 1](#step-1-register-the-api-client).
12. **SignOn Report URL**. Paste the SignOn Report URL from the vendor configuration [Step 3](#step-3-create-a-custom-sign-on-report).
13. **REST API URL**. Take the Workday Rest API endpoint copied in [Step 1](#step-1-register-the-api-client) and modify it to match the format `https://Options: Now(0) or 24 hours ago(1). | | | pollingIntervalMinutes | Integer | No | 10 | How frequently the integration should poll to Workday.
Options: 10m, 15m, 30m, 1h, 24h. | | ### JSON example ```json reference https://github.com/SumoLogic/sumologic-documentation/blob/main/static/files/c2c/workday/example.json ``` ### Terraform example ```sh reference https://github.com/SumoLogic/sumologic-documentation/blob/main/static/files/c2c/workday/example.tf ``` ## Troubleshooting After you configure your Source, you should check the status of the source in the Collectors page. If the Source is not functioning as expected, you may see an error next to the Source Category column as shown below:
})
The following section details how you can resolve various errors.
#### Error 400 | Bad Request: invalid_grant
- An invalid or expired refresh token is provided.
- Existing token is deleted or a new one is generated hence making the existing one invalid.
To resolve this, generate a new refresh token and update the C2C configuration.
#### Error 400 | Bad Request: invalid_request
- An invalid tenant name is provided in the token URL.
To resolve this, provide the correct "tenant name".
#### Error 401 | Unauthorized: invalid_client
- Invalid client id or client secret is provided.
- A new client secret is generated, making the existing one invalid.
- The **OAuth 2.0 Clients Enabled** checkbox under the **Edit Tenant Setup - Security** task is disabled.
To resolve this:
1. Provide the correct "client id" and "client secret".
1. Enable the **The OAuth 2.0 Clients Enabled** checkbox. Refer to the **Workday App > OAuth 2.0 Clients Enabled** section described in [Step 2](#step-2-enable-your-tenant-to-send-data).
#### Error 403 | Forbidden: permission denied
- Token will be generated successfully in this case but Activity Logs API will return 403 forbidden error.
- This is due to `System scope` is not provided to the API client.
To resolve this, enable the `System scope`. Refer to the **Workday App > API Client** section described in [Step 1](#step-1-register-the-api-client).
#### Error 404 | Not Found: invalid_request
- An invalid path parameter is provided in the token URL. For example, `/oauth/` instead of `/oauth2/`.
To resolve this, provide the correct "token URL".
#### Error 404 | Not Found: invalid_request
- An invalid path parameter is provided in the Activity Logs URL. For example, `/v2` instead of `/v1`.
To resolve this, provide the correct "Activity Logs URL".
#### Error | 503: Service Unavailable
- An invalid tenant name is provided in the Activity Logs URL.
- An invalid hostname is provided in the token or Activity Logs URL. For example, `wd5-impl-services1.workday.com` instead of `wd2-impl-services1.workday.com`.
To resolve this, provide the correct "tenant name" and "hostname".
#### Error | received sign-on report log time outside time filter window. create a custom sign on report as per the setup instructions
- Custom sign on report is not created as per the instructions
To resolve this, [create a custom sign on report](#step-3-create-a-custom-sign-on-report) and configure the source accordingly.
## FAQ
:::info
Click [here](/docs/c2c/info) for more information about Cloud-to-Cloud sources.
:::