Forward Data from an Installed Collector

You can set up one or more data forwarding destinations and configure an installed collector to send log data from specified sources to those destinations. The collector will send the data to external destinations at the same time it sends data to Sumo.

You can forward data using the following protocols.

  • Syslog (TCP and UDP)—Send log data to a syslog server.
  • HTTP REST API—Send log data to a web services endpoint.
  • Hitachi Data Systems HTTP REST API—Send log data to Hitachi Content Platform (HCP).

Configure Data Forwarding from an Installed Collector

Follow the steps below to set up a collector to forward log data to an external destination.

You can set up installed collector Data Forwarding when you first configure sources or at a later time. If you apply rules at a later time, keep in mind that they are not applied retroactively.

Configure Data Forwarding Destinations

To set up destinations

  1. Choose Manage Data > Settings > Data Forwarding (Manage > Data Forwarding in the classic UI).
  2. Click + to add a new destination.
  3. Select one of these options for Destination Type:
    • Hitachi
    • Generic REST
    • Syslog
  4. Enter a name to identify the destination.
  5. (Generic REST and Hitachi) URL. Enter a URL to access the destination.
  6. (Generic REST and Hitachi) Object id. (optional) Enter a path name or other file format and include any of the following variables: 
    {day} Replace with the day of the year in the yyyy-MM-dd format.
    {hour} Replace with hour in day (0-23).
    {minute} Replace with minute in hour.
    {second} Replace with second in hour.
    {uuid} Replace with a unique, randomly generated identifier (UUID).
  7. (Generic REST and Hitachi) Enter Username and Password to access the destination. You must have administrator privileges for the collector.
  8. (syslog) Protocol. Select the protocol (TCP or UDP) for sending the syslog messages.
  9. (syslog) Port. Enter the port for sending the syslog messages.
  10. (syslog) Token. Enter the token to prepend when forwarding a message via syslog. The token uses the following special variables:
    {file} Maps to the name of the originating file, when applicable. 
    {hostname} Name of the host that originated the message.
    {category} Category of the source that collected this message.
  11. Click Save to save the information and add the new destination to the list.

Configure processing rules for data forwarding

In this procedure, you define one or more processing rules that specify which data from a Source you want to send to the external destination.

There are several methods you can use to configure processing rules: 

To configure processing rules for data forwarding using the web application

  1. Go to Manage Data > Collection > Collection (Manage > Collection and click Collectors and Sources in the classic UI).
  2. Search for the source that you want to configure, and click the Edit link for the source.
    The source must be associated with an installed collector.
  3. Scroll down to the Processing Rules section and click the arrow to expand the section.
  4. Click Add Rule.
  5. Enter a name to define the rule.
  6. In the Filter field, enter the regular expression that determines how the rule is applied. For example, the regular expression .*ERROR.* matches all messages that contain ERROR.
  7. Select Forward messages that match as the rule type. This option is visible only if you have defined at least one data forwarding destination, as described in the previous section. 
  8. Select the Destination from the drop-down menu. 
  9. Click Apply.
    • The new rule is listed along with any other previously defined processing rules.
  10. Click Add Rule if you want to add another rule.
  11. Click Save to save the rules you defined and start forwarding data that matches the rules.
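
Because a forwarding rule decides which log data leaves for an external destination, it is worth previewing a filter and syslog token against sample messages before saving the rule. The following is an added example, not Sumo Logic code: the function names, sample source and log lines are constructed, and it assumes that a filter must match the entire message, that the token is joined to the message by a single space, and that Python's re module stands in for the collector's regex engine.

```python
import re

# Constructed sample input: one source's metadata and a few log lines.
SOURCE = {"file": "/var/log/app/app.log", "hostname": "web-01",
          "category": "prod/app"}
MESSAGES = [
    "2024-05-01 10:00:01 INFO user=alice login ok",
    "2024-05-01 10:00:02 ERROR db timeout after 30s",
    "2024-05-01 10:00:03 WARN ERRORS suppressed: 3",
    "2024-05-01 10:00:04 error in lower case",
]

def matches_filter(filter_regex, message):
    """Assumption: a filter has to match the entire message, so a bare
    ERROR matches nothing and .*ERROR.* is needed for 'contains ERROR'."""
    return re.fullmatch(filter_regex, message, flags=re.DOTALL) is not None

def expand_token(token, source):
    """Fill in the {file}, {hostname} and {category} token variables."""
    for name in ("file", "hostname", "category"):
        token = token.replace("{" + name + "}", source[name])
    return token

def preview_forwarding(filter_regex, token, source, messages):
    """Return (forwarded, not_forwarded): the syslog payloads that would
    leave for the external destination, and the messages that would not.
    Assumption: the token and the message are joined by one space."""
    prefix = expand_token(token, source)
    forwarded, not_forwarded = [], []
    for msg in messages:
        if matches_filter(filter_regex, msg):
            forwarded.append(f"{prefix} {msg}")
        else:
            not_forwarded.append(msg)
    return forwarded, not_forwarded

if __name__ == "__main__":
    # Compare a broad filter, a word-bounded one, and a catch-all.
    for rule in (r".*ERROR.*", r".*\bERROR\b.*", r".*"):
        sent, kept = preview_forwarding(rule, "{hostname} {category}",
                                        SOURCE, MESSAGES)
        print(f"{rule!r}: {len(sent)} forwarded, {len(kept)} not forwarded")
        for line in sent:
            print("   ", line)
```

With the sample lines, .*ERROR.* also forwards the WARN line containing ERRORS, while the word-bounded variant forwards only the ERROR line; a catch-all filter forwards every message from the source.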