
Forwarding Data from Sumo Logic to S3

This page has instructions for configuring Sumo Logic to forward raw log data from a Partition or Scheduled View to an S3 bucket. After Data Forwarding is configured, you should start to see file objects posted within your configured bucket.


Prerequisites

  • Administrator role on the Partition where you want to set up forwarding.
  • Follow the instructions on Grant Access to an AWS Product to grant Sumo Logic permission to send data to the destination S3 bucket.
  • Dedicated Partition or Scheduled View to push to AWS S3.

Forwarding interval

Raw messages are buffered during data ingest for approximately 5 minutes or until 100MB of data is received, whichever comes first. The buffered data is then written to a new CSV file and forwarded.

Format of forwarded data

For information on the file format of the posted objects, see File Format for Data Forwarding to an Amazon S3 Bucket.

Configure an S3 data forwarding destination

  1. In Sumo Logic, choose Manage Data > Logs > Data Forwarding.
  2. Click + to add a new destination.
  3. Select Amazon S3 for Destination Type.
  4. Configure the following:
    • Destination Name. Enter a name to identify the destination.
    • Bucket Name. Enter the exact name of the S3 bucket.
    • Description. You can provide a meaningful description of the connection.
    • Access Method. Select Role-based access or Key access based on the AWS authentication you are providing. Role-based access is preferred; it was set up in the prerequisite step Grant Sumo Logic access to an AWS Product.
      • For Role-based access enter the Role ARN that was provided by AWS after creating the role. 
      • For Key access enter the Access Key ID and Secret Access Key. See AWS Access Key ID and AWS Secret Access Key for details.
    • S3 Region. Select the S3 region or keep the default value of Others. The S3 region must match the appropriate S3 bucket created in your Amazon account.
    • Enable S3 server-side encryption. Select the check box if you want the forwarded data to be encrypted.  For more information, see Protecting Data Using Server-Side Encryption with Amazon S3-Managed Encryption Keys (SSE-S3) in AWS help.
    • Active. Select this check box to enable Data Forwarding for the entire S3 bucket. To start Data Forwarding you will also need to enable forwarding for the desired indexes, as described below in this topic.
  5. Click Save.

If Sumo Logic is able to verify the S3 credentials, the destination will be added to the list of destinations, and you can start Data Forwarding for specific Partitions or Scheduled Views, as described in the following section in this topic. See Error and alert conditions in this topic for examples of errors that can occur.

Start Data Forwarding to S3 

This section has instructions for enabling data forwarding for an existing Partition or Scheduled View.

  1. In Sumo Logic, go to Manage Data > Logs > Partitions, or Manage Data > Logs > Scheduled Views, depending on whether you want to forward data from a Partition or a Scheduled View.
  2. Click the three-dot icon to the right of the Partition or View for which you want to enable data forwarding and select Edit Data Forwarding. The screenshot below is the Partitions page.
    [Screenshot: edit forwarding rule]
  3. On the Edit Data Forwarding page, click the Enable Data Forwarding checkbox.
  4. Select the forwarding destination. You can choose a previously configured destination, or click New Amazon S3 Destination to set up a new one. If you select the new option, you’ll see all of the settings to add a new Data Forwarding destination. See the previous procedure in this topic for instructions on configuring the settings.
  5. For File Format, you can enter a path name or other file format and include any of the following variables: 

    {index}   Replaced with the name of the partition or scheduled view
    {day}     Replaced with the day of the year in the yyyy-MM-dd format
    {hour}    Replaced with the hour of the day (0-23)
    {minute}  Replaced with the minute of the hour
    {second}  Replaced with the second of the minute
    {uuid}    Replaced with a unique, randomly generated identifier (UUID)

    If you leave this field blank, the default format {index}_{day}_{hour}_{minute}_{second} is used.

  6. Click Save to save your changes and start forwarding data. 

Error and alert conditions

An error or alert condition can occur with an S3 data forwarding destination for the following reasons:

  • If Sumo Logic is not able to verify the S3 credentials when the destination is saved, an error message indicates that the credentials were rejected by Amazon. If this occurs, verify the Access Key ID, the Secret Access Key, and the bucket configuration, re-select the Active check box, and save again.
  • Errors and alerts that are generated after the destination has been successfully saved and started are shown on the Partitions page. 
    [Screenshot: data forwarding status icons]
  • Hover over the icon to display the message.
    [Screenshot: data forwarding icon message]
  • In this example, Sumo Logic has disabled data forwarding due to errors in connecting to the S3 bucket. This occurs if the Amazon account or credentials change so that Sumo Logic is no longer able to authenticate to the bucket.
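
A bucket-side check for stalled forwarding, as an added example that is not Sumo Logic code: it turns a File Format template built from the variables listed above into a pattern, recovers the timestamp from each object key, and reports per-index gaps longer than a threshold. The digit widths, the optional file extension, the 15-minute threshold and the sample keys are assumptions made here; a quiet Partition also produces gaps, so treat a hit as a prompt to check the status icon on the Partitions page.

```python
import re
from datetime import datetime, timedelta

# Documented File Format variables; digit widths and UUID shape are assumptions.
VARS = {
    "index": r"(?P<index>.+?)",
    "day": r"(?P<day>\d{4}-\d{2}-\d{2})",
    "hour": r"(?P<hour>\d{1,2})",
    "minute": r"(?P<minute>\d{1,2})",
    "second": r"(?P<second>\d{1,2})",
    "uuid": r"(?P<uuid>[0-9a-fA-F-]{36})",
}
DEFAULT_FORMAT = "{index}_{day}_{hour}_{minute}_{second}"

def compile_format(fmt=DEFAULT_FORMAT):
    """Template -> regex; unknown variables raise. A file extension is optional."""
    out, pos = "", 0
    for m in re.finditer(r"\{(\w+)\}", fmt):
        if m.group(1) not in VARS:
            raise ValueError(f"unsupported variable {m.group(0)}")
        out += re.escape(fmt[pos:m.start()]) + VARS[m.group(1)]
        pos = m.end()
    return re.compile(out + re.escape(fmt[pos:]) + r"(?:\.[\w.]+)?$")

def key_time(pattern, key):
    """Return (index, datetime) for a matching key, else None. Needs {day}."""
    m = pattern.match(key)
    if not m:
        return None
    g = m.groupdict()
    hms = [int(g.get(part) or 0) for part in ("hour", "minute", "second")]
    ts = datetime.strptime(g["day"], "%Y-%m-%d") + timedelta(
        hours=hms[0], minutes=hms[1], seconds=hms[2])
    return g.get("index"), ts

def find_gaps(keys, fmt=DEFAULT_FORMAT, max_gap=timedelta(minutes=15)):
    """List (index, previous, next) where objects are further apart than max_gap."""
    pattern = compile_format(fmt)
    parsed = sorted(p for p in (key_time(pattern, k) for k in keys) if p)
    return [(i1, t1, t2) for (i1, t1), (i2, t2) in zip(parsed, parsed[1:])
            if i1 == i2 and t2 - t1 > max_gap]

# Constructed object keys, as a bucket listing might return them.
SAMPLE_KEYS = [
    "prod_web_2024-03-01_10_0_5.csv", "prod_web_2024-03-01_10_5_7.csv",
    "prod_web_2024-03-01_10_10_2.csv", "prod_web_2024-03-01_11_2_40.csv",
    "unrelated/readme.txt",
]
if __name__ == "__main__":
    for index, prev, nxt in find_gaps(SAMPLE_KEYS):
        print(f"{index}: no objects between {prev} and {nxt}")
```

Pass the same template you entered in the File Format field as `fmt`, and feed `find_gaps` the key names from a listing of the destination bucket.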