Because Sumo Logic Collectors are lightweight but powerful, you can configure your deployment with either a one-Collector-to-many-Sources relationship or a one-Collector-to-one-Source relationship. Sources can be configured to passively collect logs via syslog, to actively collect remote files via SSH or Windows Event Logs via WMI, or to read from local files.

In general, you can install the Sumo Logic Collector on any standard server that you use for log aggregation or other network services. You will need only one Collector if all of your source data can be accessed from a single network location.

Consider installing the Collector on a dedicated machine if:

  • You are running a very high-bandwidth network with high logging levels.
  • Your other machines are running critical applications that could be negatively impacted by heavy traffic or additional I/O load introduced by the Collector.

Consider installing more than one Collector if:

  • You expect logging traffic to be higher than 15,000 events per second per Collector.
  • Your network clusters or regions are geographically separated.
  • You need to collect local data from a machine that is already running a critical application or admin tool, but you also need to collect more data from remote or syslog-type sources. To avoid impacting your critical application, you can install one Collector to gather the local files, and then install a second Collector on another machine to collect the remote and syslog files.

For more information, see Design your deployment.

Or send email to to discuss specific recommendations for your installation.

Collection Limitations

The maximum number of Collectors allowed per organization is 10,000.
The maximum number of Sources allowed on a Collector is 1,000.
The maximum number of Processing Rules allowed on a Source is 100.