Gyoji is a transparent HTTP(S) proxy that rewrites Sumo Logic Universal Collector requests on the fly so they can satisfy strict third-party API contracts (Check Point, Microsoft Graph, etc.). It injects authentication headers, reshapes payloads, and optionally auto-fetches logs after an authentication flow completes.

• Terminates TLS through Fluxzy and rewrites both request and response bodies in-flight (optionally via BouncyCastle).
• Normalizes Check Point CloudGuard OAuth calls and converts token responses into Sumo-friendly envelopes.
• Exchanges Microsoft Graph client credentials without exposing secrets inside collectors.
• Auto-fetches logs immediately after successful Check Point authentication, reducing the number of round-trips Sumo must issue.
• Emits structured JSON logs (ProxyLogger) so you can ingest telemetry into any SIEM or log aggregator.

Sumo Logic Collector ──► HTTPS Proxy (Gyoji) ──► Check Point Auth / Logs
                                    │
                                    └──► Microsoft Graph Token Endpoint

1. Sumo Logic is configured to egress via the Gyoji HTTP proxy.
2. Fluxzy inspects every outbound exchange; hosts that match Check Point or Microsoft Graph are rewritten.
3. Requests/responses that are not recognized are forwarded untouched.

• .NET 8.0 SDK (for local builds) or ASP.NET Core runtime if you only run published bits.
• Network egress from the proxy host to Check Point and Microsoft Graph endpoints.
• TLS certificates that the collector trusts (Gyoji uses system trust; install corporate roots if needed).

1. Clone and restore dependencies:

   git clone <repo-url>
   cd gyoji
   dotnet restore src/gyoji_proxy/gyoji_proxy.csproj

2. Export the required environment variables (see the table below) or copy .env.sample into place if you maintain one.
3. Run the proxy:

   dotnet run --project src/gyoji_proxy/gyoji_proxy.csproj

4. Point the Sumo Logic Universal Collector at the proxy by setting httpProxyHost/httpProxyPort (or the equivalent UI fields) so that calls destined for Check Point or Microsoft Graph traverse listen_address:listen_port.
5. Watch the structured logs for gyoji_listening and checkpoint_* events to confirm the listener is healthy.

Use curl with the proxy flag to verify the rewrite logic before involving a collector:

curl -x http://127.0.0.1:44344 \
     https://cloudinfra-gw.portal.checkpoint.com/auth/external \
     -d "client_id=<id>&client_secret=<secret>&auto_fetch_logs=true"

You should see a JSON body with access_token in the response.

Store secrets (client IDs/keys) in the collector configuration or a secrets manager, not inside the proxy host.

• The Function App consumes the strongly-typed Gyoji:Proxy:* settings (e.g., Gyoji:Proxy:CheckpointAuthUri). Any legacy GYOJI_* variables are still honored but should be phased out.
• config/azure_app_settings.mapping.json enumerates every legacy → modern key mapping so you can script az functionapp config appsettings set without guesswork.
• For local development, mirror these keys inside src/Gyoji.Proxy.Function/local.settings.json (the sample file already shows the required structure).
• To source secrets from Azure Key Vault, set Gyoji:KeyVault:Uri (or KEYVAULT_URI) and grant the Function's managed identity access to the vault. Optional overrides:
  • Gyoji:ManagedIdentity:ClientId / MANAGED_IDENTITY_CLIENT_ID
  • Gyoji:ManagedIdentity:TenantId / MANAGED_IDENTITY_TENANT_ID
• The host automatically layers Key Vault secrets on top of environment settings, so sensitive values (client secrets, API tokens) never reside in local.settings.json or App Settings.

1. Collector issues a form-encoded request (client_id, client_secret, optional auto_fetch_logs) through the proxy.
2. CheckpointFlow.TransformAuthRequest rewrites it into JSON (clientId, accessKey), strips sensitive query/body keys, and records the sanitized parameters in FlowStateStore.
3. CheckpointFlow.TransformAuthResponseAsync normalizes the upstream response so the collector receives a standard OAuth envelope.

If both the collector and proxy enable auto-fetching, CheckpointFlow immediately calls GYOJI_CHECKPOINT_LOG_URL with the newly minted access_token, merges any stored query/body parameters, injects x-av-req-id when csrf was present, and returns the log data as the response body. Timeouts are governed by GYOJI_UPSTREAM_TIMEOUT_SECONDS.

Requests that target GYOJI_GRAPH_TOKEN_URL are recast with the appropriate Content-Type, grant type, scope, and resource defaults (https://graph.microsoft.com/.default). The collector’s secrets never leave the proxy host outside of the proxied call.

• HTTP Source: Add or edit your Check Point or Microsoft Graph source and configure its “Proxy” settings to point to listen_address:listen_port. Gyoji only rewrites hosts that match the configured URIs, so other collector traffic passes through transparently.
• Certificate trust: Ensure the collector trusts the root CA used by the proxy (for outbound MITM) if you use custom certificates.
• Per-source options: Include auto_fetch_logs=true (snake or camel case) in the source request body to request immediate log retrieval after auth.

• Systemd: Wrap dotnet /path/to/gyoji_proxy.dll inside a service and set Environment= entries for each GYOJI_* variable.
• Containers: Publish with dotnet publish -c Release and bake the output into a minimal distroless or Alpine image. Expose listen_port and pass configuration as env vars.
• Scaling: Gyoji is stateful only for the lifetime of an exchange (stored in-memory). Run a single instance per collector cluster or front it with a TCP load balancer that provides session affinity if you must scale horizontally.

• Logs are JSON with timestamp, level, eventName, and a data payload. They are emitted to stdout/stderr, making them easy to ship via Fluent Bit, CloudWatch agents, etc.
• Notable events: gyoji_starting, gyoji_listening, checkpoint_auth_request_rewritten, checkpoint_auto_fetch_failed, microsoft_graph_request_transformed.
• Pair the proxy with a process supervisor that restarts on non-zero exits and scrape metrics (e.g., number of open sockets) via your platform tooling.

• Proxy never binds: Verify the port is free and you have permission to bind the requested address. Look for SocketException details in the logs.
• Collector still sees client_secret errors: Confirm traffic is actually egressing via Gyoji (tcpdump or curl -x). The proxy only rewrites hosts that exactly match the configured URIs.
• Auto-fetch silent failures: Increase GYOJI_UPSTREAM_TIMEOUT_SECONDS and inspect checkpoint_auto_fetch_failed logs for upstream HTTP status codes.
• TLS handshake problems: Enable GYOJI_USE_BOUNCY_CASTLE=true for newer cipher coverage, or update the system’s OpenSSL/Schannel stack.

With these steps you can test, operate, and extend Gyoji confidently in front of Sumo Logic collectors.