Because Sumo Logic Collectors are lightweight but powerful, you can choose whether you want to configure your deployment with a one-Collector-to-many-Sources relationship, or a one-Collector-to-one-Source relationship. Sources can be configured to passively collect logs via syslog, or to actively collect remote files via SSH, Windows Event Logs via WMI, or to read from local files.

In general, you can install the Sumo Logic Collector on any standard server that you use for log aggregation or other network services. You will need only one Collector if all of your source data can be accessed from a single network location.

Consider installing the Collector on a dedicated machine if:

  • You are running a very high-bandwidth network with high logging levels.
  • Your other machines are running critical applications that could be negatively impacted by heavy traffic or additional I/O load introduced by the Collector.

Consider installing more than one Collector if:

  • You expect logging traffic to be higher than 15,000 events per second per Collector.
  • Your network clusters or regions are geographically separated.
  • You need to collect local data from a machine that is already running a critical application or admin tool, but you also need to collect more data from remote or syslog type sources. To avoid impacting your critical application, you can install one Collector to gather the local files, and then install a second Collector on another machine to collect the remote and syslog files.

To help design your deployment see how Installed Collectors work

Or send email to to discuss specific recommendations for your installation.