Sumo Logic

JSON Parameters for Installed Sources

This topic describes JSON Source parameters for installed Collectors. See the following topics for additional information:

Source types for installed collectors

Each Source can have its own unique fields in addition to the generic fields listed in Use JSON to configure sources. The sourceType field determines the type of Source (and the associated parameters). The next table lists the valid field types. The sections that follow list the unique parameters for each and associated JSON examples.

Log sources for installed collectors

| Field Type | Type Value |
| --- | --- |
| Local File Source | LocalFile |
| Remote File Source | RemoteFileV2 |
| Local Windows Event Log Source | LocalWindowsEventLog |
| Remote Windows Event Log Source | RemoteWindowsEventLog |
| Local Windows Performance Source | LocalWindowsPerfMon |
| Remote Windows Performance Source | RemoteWindowsPerfMon |
| Syslog Source | Syslog |
| Script Source | Script |
| Docker Log Source | DockerLog |
| Docker Stats Source | DockerStats |

Metric sources for installed collectors

| Field Type | Type Value |
| --- | --- |
| Host metrics Source | SystemStats |
| Graphite Source | Graphite |

Log source parameters for installed collectors

Local file source

In addition to the common parameters, the following parameters are for local file source. 

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | LocalFile | not modifiable |
| pathExpression | String | Yes | | A valid path expression (full path) of the file to collect. For files on Windows systems (not including Windows Events), enter the absolute path including the drive letter. Escape special characters and spaces with a backslash (\). If you are collecting from Windows using CIFS/SMB, see Prerequisites for Windows Log Collection. Use a single asterisk wildcard [*] for file or folder names. Example: [var/foo/*.log]. Use two asterisks [**] to recurse within directories and subdirectories. Example: [var/**/*.log]. | modifiable |
| blacklist | String Array | No | [ ] | Comma-separated list of valid path expressions from which logs will not be collected. Example: "blacklist":["/var/log/**/*.bak","/var/oldlog/*.log"] | modifiable |
| encoding | String | No | UTF-8 | Defines the encoding form. Default is "UTF-8"; options include "UTF-16", "UTF-16BE", "UTF-16LE". | modifiable |

Local File Source JSON example with cutoffTimestamp:

{
   "api.version":"v1",
   "sources":[{
    "name":"Test-Chef",
    "category":"Chef",
    "automaticDateParsing":true,
    "multilineProcessingEnabled":false,
    "useAutolineMatching":false,
    "forceTimeZone":false,
    "timeZone":"UTC",
    "filters":[],
    "cutoffTimestamp":1426057200000,
    "encoding":"UTF-8",
    "pathExpression":"/home/ubuntu/chef*.log",
    "blacklist":[],
    "sourceType":"LocalFile"
  }]
}

Local File Source JSON example with cutoffRelativeTime:

{
   "api.version":"v1",
   "sources":[{
      "name":"db_log",
      "description":"the database logs",
      "category":"test/database_log",
      "automaticDateParsing":false,
      "multilineProcessingEnabled":false,
      "useAutolineMatching":false,
      "forceTimeZone":true,
      "timeZone":"America/Los_Angeles",
      "filters":[],
      "cutoffRelativeTime":"-1h",
      "encoding":"UTF-8",
      "pathExpression":"/var/log/db.log",
      "blacklist":[],
      "sourceType":"LocalFile"
    }]
}

Remote file source

In addition to the common parameters, the following parameters are for remote file source.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | RemoteFileV2 | not modifiable |
| remoteHosts | List | Yes | | Host name of remote machine. Make sure to enclose IP addresses in brackets. Example: ["192.168.0.1","10.0.1.16","192.168.1.234"]. | modifiable |
| remotePort | Int | Yes | | Port of remote machine (SSH). | modifiable |
| remoteUser | String | Yes | | User account to connect with the remote machine. | modifiable |
| remotePassword | String | Yes | | Password used to connect to remote machine. Required only when authMethod is set to "password". | modifiable |
| keyPath | String | Yes | | Path to SSH key used to connect to the remote machine. Required only when authMethod is set to "key". | modifiable |
| keyPassword | String | No | Null | Password to SSH key to connect to the remote machine, required only when authMethod is set to "password". | modifiable |
| pathExpression | String | Yes | | Path expression of the files to collect. | modifiable |
| authMethod | String | Yes | | Authentication method used to connect to the remote machine. Options are "password" to connect with a password, or "key" to connect with an SSH key. | modifiable |
| blacklist | List | No | [ ] | List of valid path expressions to skip. Default is [ ]. | modifiable |

Remote file source JSON example:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"RemoteFileV2",
         "name":"Example1",
         "remoteHosts":[
            "192.168.0.1",
            "10.0.1.16",
            "192.168.1.234"
         ],
         "remotePort":22,
         "remoteUser":"user",
         "remotePassword":"password",
         "keyPath":"",
         "keyPassword":"",
         "pathExpression":"/var/log/somelog.log",
         "authMethod":"password",
         "blacklist":[
            "/var/log/*.out.log",
            "/var/log/*.tmp.log"
         ]
      }
   ]
}
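A pre-deployment check for the authMethod rules in the table above, as an added example that is not Sumo Logic code. The function names, the finding wording and the second sample source are assumptions; the sample document is constructed from the example on this page.

```python
import json

# Constructed sample: the page's RemoteFileV2 example (trimmed) plus a
# key-based source that still carries a leftover remotePassword.
SAMPLE = json.loads("""
{"api.version": "v1", "sources": [
  {"sourceType": "RemoteFileV2", "name": "Example1",
   "remoteHosts": ["192.168.0.1"], "remotePort": 22, "remoteUser": "user",
   "remotePassword": "password", "keyPath": "", "keyPassword": "",
   "pathExpression": "/var/log/somelog.log", "authMethod": "password"},
  {"sourceType": "RemoteFileV2", "name": "Example2",
   "remoteHosts": ["10.0.1.16"], "remotePort": 22, "remoteUser": "user",
   "remotePassword": "leftover", "keyPath": "",
   "pathExpression": "/var/log/*.log", "authMethod": "key"}
]}
""")

ALWAYS_REQUIRED = ("name", "remoteHosts", "remotePort", "remoteUser",
                   "pathExpression", "authMethod")
# Credential each authMethod needs, and the secret it does not use.
NEEDS = {"password": "remotePassword", "key": "keyPath"}
UNUSED = {"password": (), "key": ("remotePassword",)}


def audit_remote_file_source(src):
    """Return a list of findings for one RemoteFileV2 source object."""
    findings = [f"missing required parameter: {p}"
                for p in ALWAYS_REQUIRED if src.get(p) in (None, "", [])]
    if "remotePort" in src and not isinstance(src["remotePort"], int):
        findings.append("remotePort must be an integer")
    method = src.get("authMethod")
    if method not in NEEDS:
        if method:
            findings.append(f"authMethod must be 'password' or 'key', got {method!r}")
        return findings
    if not src.get(NEEDS[method]):
        findings.append(f"authMethod={method} requires {NEEDS[method]}")
    for field in UNUSED[method]:
        if src.get(field):
            findings.append(f"{field} is set but unused with authMethod={method}")
    if method == "password" and src.get("remotePassword"):
        findings.append("remotePassword is stored in cleartext in the JSON file")
    return findings


def audit(doc):
    """Map source name -> findings for every RemoteFileV2 source in doc."""
    return {s.get("name"): audit_remote_file_source(s)
            for s in doc.get("sources", [])
            if s.get("sourceType") == "RemoteFileV2"}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```

Running it against a sources file before the Collector reads it catches a key-based source that still ships an unused password.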

Local Windows event log source

In addition to the common parameters, the following parameters are for local Windows event log source.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | LocalWindowsEventLog | not modifiable |
| logNames | List | Yes | | List of Windows log types to collect. For example, "Security" or "Application". To obtain the list of available logs on a given machine, use the PowerShell command Get-WinEvent -ListLog * or the legacy command wevtutil el. We do not support "Analytic" or "Debug" ETW logs. | modifiable |
| renderMessages | Boolean | No | True | Flag indicating if full event messages are collected (true) or just core event metadata (false). | modifiable |

Local Windows event log source JSON example:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"LocalWindowsEventLog",
         "name":"Example1",
         "renderMessages":true,
         "logNames":[
            "Security",
            "Application"
         ]
      }
   ]
}

Remote Windows event log source

In addition to the common parameters, the following parameters are for remote Windows event log source.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | RemoteWindowsEventLog | not modifiable |
| domain | String | Yes | | Windows domain from which logs will be created. | modifiable |
| username | String | Yes | | User name needed to connect to the remote machine. | modifiable |
| password | String | Yes | | Password needed to connect to the remote machine. | modifiable |
| hosts | List | Yes | | List of hosts to collect from. | modifiable |
| logNames | List | Yes | | List of Windows log types collected. | modifiable |
| renderMessages | Boolean | No | True | Flag indicating if full event messages are collected ("true") or just core event metadata ("false"). | modifiable |

Remote Windows event log source JSON example:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"RemoteWindowsEventLog",
         "name":"Example1",
         "domain":"mydomain",
         "username":"user",
         "password":"password",
         "renderMessages":true,
         "hosts":[
            "myremotehost1",
            "myremotehost2"
         ],
         "logNames":[
            "Security",
            "Application"
         ]
      }
   ]
}

Local Windows performance source 

In addition to the common parameters, the following parameters are for local Windows performance source.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | LocalWindowsPerformance | not modifiable |
| wmiQueries | List | Yes | | List of queries to be executed. Each query is an object with two fields: name and query. | modifiable |

Example response:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"LocalWindowsPerformance",
         "name":"Example1",
         "wmiQueries":[
            {
               "name":"query_1",
               "query":"select * from Win32_PerfFormattedData_PerfOS_Processor"
            },
            {
               "name":"query_2",
               "query":"select * from NonExistence"
            }
         ]
      }
   ]
}

Remote Windows performance source 

In addition to the common parameters, the following parameters are for remote Windows performance source.

| Parameter | Type | Required? | Description | Access |
| --- | --- | --- | --- | --- |
| name | String | Yes | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | RemoteWindowsPerformance | not modifiable |
| domain | String | Yes | Windows domain from which logs will be created. | modifiable |
| remoteUser | String | Yes | User name needed to connect to the remote machine. | |
| remotePassword | String | Yes | Password needed to connect to the remote machine. | |
| remoteHosts | List | Yes | List of hosts to collect from. | |
| wmiQueries | List | Yes | List of queries to be executed. Each query is an object with two fields: name and query. | |

Remote Windows performance source JSON example:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"RemoteWindowsPerformance",
         "name":"Example1",
         "domain":"mydomain",
         "remoteUser":"user",
         "remotePassword":"password",
         "remoteHosts":[
            "myremotehost1",
            "myremotehost2"
         ],
         "wmiQueries":[
            {
               "name":"query_1",
               "query":"select * from Win32_PerfFormattedData_PerfOS_Processor"
            },
            {
               "name":"query_2",
               "query":"select * from NonExistence"
            }
         ]
      }
   ]
}

Windows performance metric example

This example shows how to use WMI queries to collect performance metrics from Windows systems.

{
   "api.version":"v1",
   "sources":[
      {
         "name":"Windows Performance",
         "sourceType":"LocalWindowsPerfMon",
         "automaticDateParsing":false,
         "multilineProcessingEnabled":false,
         "useAutolineMatching":false,
         "forceTimeZone":false,
         "filters":[],
         "cutoffTimestamp":0,
         "encoding":"UTF-8",
         "interval":300000,
         "wmiQueries":[
            {
               "name":"CPU",
               "query":"select * from Win32_PerfFormattedData_PerfOS_Processor"
            },
            {
               "name":"Logical Disk",
               "query":"select * from Win32_PerfFormattedData_PerfDisk_LogicalDisk"
            },
            {
               "name":"Physical Disk",
               "query":"select * from Win32_PerfFormattedData_PerfDisk_PhysicalDisk"
            },
            {
               "name":"Memory",
               "query":"select * from Win32_PerfFormattedData_PerfOS_Memory"
            },
            {
               "name":"Network",
               "query":"select * from Win32_PerfFormattedData_Tcpip_NetworkInterface"
            }
         ]
      }
   ]
}

Syslog source

In addition to the common parameters, the following parameters are for Syslog source.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | Syslog | not modifiable |
| protocol | String | Yes | | Protocol that syslog should use. Both UDP and TCP are supported. | modifiable |
| port | Integer | Yes | | Port that syslog should use to connect to the machine. Recommended ports: 514 or 1514 | modifiable |

Syslog source JSON example: 

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"Syslog",
         "name":"Example1",
         "protocol":"UDP",
         "port":514
      }
   ]
}

Script source

In addition to the common parameters, the following parameters are for script source.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | Script | not modifiable |
| commands | List | Yes | [ ] | List of command line arguments. | modifiable |
| file | String | No | null | Path to script file to run. | modifiable |
| workingDir | String | No | null | Working directory for commands/script. | modifiable |
| timeout | Long | No | 0 | Script timeout (in milliseconds). By default, this is set to 0. | modifiable |
| script | String | No | null | Script contents (if no file is provided). | modifiable |
| cronExpression | String | Yes | | Schedule for running the script. Must be a valid Quartz cron expression. | modifiable |

Script Source JSON Example: 

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"Script",
         "name":"Example1",
         "commands":[
            "/bin/bash"
         ],
         "file":"/usr/local/bin/getlogs.log",
         "workingDir":"/var/log",
         "timeout":60000,
         "script":"",
         "cronExpression":"0 * * * *"
      }
   ]
}

Docker log source

In addition to the common parameters, the following parameters are for Docker log source.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | DockerLog | |
| uri | String | Yes | | URI of the Docker daemon. | modifiable |
| specifiedContainers | List | | | Comma-separated list of Docker containers. Collection will be only from running containers. If the list contains stopped containers, the source can start collecting from these containers if they are started later. | modifiable |
| allContainers | Boolean | Yes | | Flag indicating whether the Source includes all running containers (true) or only the containers listed in specifiedContainers (false). | modifiable |
| certPath | String | * | | Enter the path to the cert files on the local machine where the Collector is running. Required if the URI uses HTTPS. | modifiable |
| collectEvents | Boolean | Yes | | Must be set to true to collect the Docker logs. | |

Example source JSON with all containers:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"DockerLog",
         "name":"Example1",
         "uri":"https://54.165.12.163:2376",
         "allContainers":true,
         "certPath":"/home/ec2-user/.docker/machine/machines/wmad-docker",
         "collectEvents":true
      }
   ]
}

Example source JSON with specified containers:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"DockerLog",
         "name":"Example1",
         "uri":"https://54.165.12.163:2376",
         "specifiedContainers":[
            "webserver",
            "mysql",
            "another-container"
         ],
         "allContainers":false,
         "certPath":"/home/ec2-user/.docker/machine/machines/wmad-docker",
         "collectEvents":true
      }
   ]
}

Docker stats source

In addition to the common parameters, the following parameters are for Docker stats source.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| sourceType | String | Yes | | DockerStats | not modifiable |
| uri | String | Yes | | URI of the Docker daemon. | modifiable |
| specifiedContainers | List | | | Comma-separated list of Docker containers. Collection will be only from running containers. If the list contains stopped containers, the source can start collecting from these containers if they are started later. | modifiable |
| allContainers | Boolean | Yes | | Flag indicating whether the Source includes all running containers (true) or only the containers listed in specifiedContainers (false). | modifiable |
| certPath | String | * | | Enter the path to the cert files on the local machine where the Collector is running. Required if the URI uses HTTPS. | modifiable |
| pollInterval | Integer | No | Continuous (By default, polling occurs continuously, rather than on a periodic basis.) | The frequency, in milliseconds, at which stats are polled. | modifiable |

Example source JSON with all containers:

{
 "api.version":"v1",
 "source":{
   "name":"test",
   "category":"test",
   "automaticDateParsing":false,
   "multilineProcessingEnabled":false,
   "useAutolineMatching":false,
   "forceTimeZone":false,
   "filters":[],
   "cutoffTimestamp":0,
   "encoding":"UTF-8",
   "allContainers":true,
   "certPath":"",
   "uri":"unix:///var/run/docker.sock",
   "specifiedContainers":[],
   "pollInterval":60000,
   "sourceType":"DockerStats"
 }
}
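The certPath and container-selection rules from the two Docker tables, written as a check you can run over a sources file; this is an added example, not Sumo Logic code. The function names and finding wording are assumptions, flagging `http`/`tcp` URIs is an added review rule rather than something the page states, and the sample is constructed from the Docker examples on this page.

```python
import json
from urllib.parse import urlparse

# Constructed sample based on the Docker examples on this page.
SAMPLE = json.loads("""
{"api.version": "v1", "sources": [
  {"sourceType": "DockerLog", "name": "tls-ok",
   "uri": "https://54.165.12.163:2376", "allContainers": true,
   "certPath": "/home/ec2-user/.docker/machine/machines/wmad-docker",
   "collectEvents": true},
  {"sourceType": "DockerLog", "name": "tls-no-cert",
   "uri": "https://54.165.12.163:2376", "allContainers": false,
   "specifiedContainers": [], "certPath": "", "collectEvents": false},
  {"sourceType": "DockerStats", "name": "local-socket",
   "uri": "unix:///var/run/docker.sock", "allContainers": true,
   "certPath": "", "specifiedContainers": [], "pollInterval": 60000}
]}
""")


def audit_docker_source(src):
    """Return findings for one DockerLog or DockerStats source object."""
    findings = []
    scheme = urlparse(src.get("uri", "")).scheme.lower()
    if not scheme:
        findings.append("uri is required")
    elif scheme == "https" and not src.get("certPath"):
        findings.append("certPath is required when uri uses HTTPS")
    elif scheme in ("http", "tcp"):
        # Assumption: a non-TLS network URI is worth flagging for review.
        findings.append(f"uri scheme {scheme!r} does not use TLS")
    if not isinstance(src.get("allContainers"), bool):
        findings.append("allContainers must be true or false")
    elif not src["allContainers"] and not src.get("specifiedContainers"):
        findings.append("allContainers is false but specifiedContainers is empty")
    if src.get("sourceType") == "DockerLog" and src.get("collectEvents") is not True:
        findings.append("collectEvents must be true for a DockerLog source")
    return findings


def audit(doc):
    """Map source name -> findings for every Docker source in a document."""
    # Accept both layouts shown on the page: "sources" array or "source" object.
    sources = doc.get("sources") or [doc.get("source") or {}]
    return {s.get("name"): audit_docker_source(s) for s in sources
            if s.get("sourceType") in ("DockerLog", "DockerStats")}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings or "ok")
```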

Metric source parameters for installed collectors

Host metrics source 

In addition to the common parameters, the following parameters are for host metrics source. Host metrics are gathered by the open source SIGAR library.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | SystemStats | not modifiable |
| metrics | String Array | No | all metrics | Comma-separated list of metrics to collect. Example: "metrics" : ["CPU_User", "CPU_Sys", "Mem_Used"] For a full list of available metrics, see Host Metrics Source for Installed Collectors. When omitted, all available host metrics will be collected. | modifiable |
| interval (ms) | Integer | Yes | | Time interval in milliseconds of the metrics collection. We recommend 60 second granularity (60000). The Sumo Logic UI offers some pre-defined values (10s, 15s, 30s, 1m, 5m). | modifiable |
| hostName | String | No | | Host from which the metrics are collected. | modifiable |

Host metrics source JSON example: 

{
 "api.version": "v1",
 "sources": [{
   "sourceType" : "SystemStats",
   "name" : "Host_Metrics",
   "interval" : 60000,
   "hostName" : "my_host",
   "metrics" : ["CPU_User", "CPU_Sys", "Mem_Used"]
 }]
}

Graphite source 

In addition to the common parameters, the following parameters are for Graphite source.

| Parameter | Type | Required? | Default | Description | Access |
| --- | --- | --- | --- | --- | --- |
| name | String | Yes | | The name of the source. Example: "SourceName" | modifiable |
| sourceType | String | Yes | | Graphite | not modifiable |
| protocol | String | Yes | | Protocol that syslog should use. Both UDP and TCP are supported. For CollectD metrics, only TCP is supported. | modifiable |
| port | Integer | Yes | | Port that the Collector should use to listen for Graphite metrics. Recommended port: 2003 | modifiable |

Graphite Source JSON example: 

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"Graphite",
         "name":"collectd",
         "protocol":"TCP",
         "port":2003
      }
   ]
}