Sumo Logic

JSON Parameters for Installed Sources

This topic describes JSON Source parameters for installed Collectors. See the following topics for additional information:

Source types for installed Collectors

Each Source can have its own unique fields in addition to the generic fields listed in Use JSON to Configure Sources. The sourceType field determines the type of Source (and the associated parameters). The next table lists the valid field types. The sections that follow list the unique parameters for each and associated JSON examples.

Log Sources for installed Collectors

| Field Type | Type Value |
|---|---|
| Local File Source | LocalFile |
| Remote File Source | RemoteFileV2 |
| Local Windows Event Log Source | LocalWindowsEventLog |
| Remote Windows Event Log Source | RemoteWindowsEventLog |
| Local Windows Performance Source | LocalWindowsPerfMon |
| Remote Windows Performance Source | RemoteWindowsPerfMon |
| Syslog Source | Syslog |
| Script Source | Script |
| Docker Log Source | DockerLog |
| Docker Stats Source | DockerStats |

Metric Sources for installed Collectors

| Field Type | Type Value |
|---|---|
| Host metrics Source | SystemStats |
| Graphite Source | Graphite |

Log Source parameters for installed Collectors

Local File Source 

In addition to the common parameters, the following parameters are for Local File Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | LocalFile | not modifiable |
| pathExpression | String | Yes |  | A valid path expression (full path) of the file to collect. For files on Windows systems (not including Windows Events), enter the absolute path including the drive letter. Escape special characters and spaces with a backslash (\). If you are collecting from Windows using CIFS/SMB, see Prerequisites for Windows Log Collection. Use a single asterisk wildcard [*] for file or folder names. Example: [var/foo/*.log]. Use two asterisks [**] to recurse within directories and subdirectories. Example: [var/**/*.log]. | modifiable |
| blacklist | String array | No | [ ] | Comma-separated list of valid path expressions from which logs will not be collected. Example: "blacklist":["/var/log/**/*.bak","/var/oldlog/*.log"] | modifiable |
| encoding | String | No | UTF-8 | Defines the encoding form. Default is "UTF-8"; options include "UTF-16", "UTF-16BE", "UTF-16LE". | modifiable |

Local File Source JSON example with cutoffTimestamp:

{
   "api.version":"v1",
   "sources":[{
    "name":"Test-Chef",
    "category":"Chef",
    "automaticDateParsing":true,
    "multilineProcessingEnabled":false,
    "useAutolineMatching":false,
    "forceTimeZone":false,
    "timeZone":"UTC",
    "filters":[],
    "cutoffTimestamp":1426057200000,
    "encoding":"UTF-8",
    "pathExpression":"/home/ubuntu/chef*.log",
    "blacklist":[],
    "sourceType":"LocalFile"
  }]
}

 

Local File Source JSON example with cutoffRelativeTime:

{
   "api.version":"v1",
   "sources":[{
      "name":"db_log",
      "description":"the database logs",
      "category":"test/database_log",
      "automaticDateParsing":false,
      "multilineProcessingEnabled":false,
      "useAutolineMatching":false,
      "forceTimeZone":true,
      "timeZone":"America/Los_Angeles",
      "filters":[],
      "cutoffRelativeTime":"-1h",
      "encoding":"UTF-8",
      "pathExpression":"/var/log/db.log",
      "blacklist":[],
      "sourceType":"LocalFile"
    }]
}
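
The pathExpression wildcards and the blacklist can be modeled in a few lines to preview which files a Local File Source definition would pick up before it is deployed. This is an added example, not Sumo Logic code: it assumes * stays within one path segment and ** spans directories, the Collector's own matcher may differ in edge cases, and the file listing is constructed.

```python
import re

def expr_to_regex(expr):
    """Model of a path expression: '**' spans directories, '*' stays in one segment."""
    parts, i = [], 0
    while i < len(expr):
        if expr.startswith("**", i):
            parts.append(".*")       # recurse across directory separators
            i += 2
        elif expr[i] == "*":
            parts.append("[^/]*")    # file or folder name, never crosses '/'
            i += 1
        else:
            parts.append(re.escape(expr[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z")

def collected(paths, path_expression, blacklist=()):
    """Return the paths matched by path_expression and not by any blacklist entry."""
    include = expr_to_regex(path_expression)
    exclude = [expr_to_regex(b) for b in blacklist]
    return [p for p in paths
            if include.match(p) and not any(x.match(p) for x in exclude)]

# Constructed file listing (assumption, for illustration only).
SAMPLE_PATHS = [
    "/var/log/app/web.log",
    "/var/log/app/old/web.log",
    "/var/log/app/web.log.bak",
    "/var/log/syslog.log",
    "/var/oldlog/archive.log",
]
# Blacklist taken from the example in the parameter table above.
BLACKLIST = ["/var/log/**/*.bak", "/var/oldlog/*.log"]

if __name__ == "__main__":
    for expr in ("/var/log/*.log", "/var/**/*.log", "/var/log/app/*"):
        print(expr, "->", collected(SAMPLE_PATHS, expr, BLACKLIST))
```
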

Remote File Source

In addition to the common parameters, the following parameters are for Remote File Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | RemoteFileV2 | not modifiable |
| remoteHosts | List | Yes |  | Host name of remote machine. Make sure to enclose IP addresses in brackets. Example: ["192.168.0.1","10.0.1.16","192.168.1.234"]. | modifiable |
| remotePort | Int | Yes |  | Port of remote machine (SSH). | modifiable |
| remoteUser | String | Yes |  | User account to connect with the remote machine. | modifiable |
| remotePassword | String | Yes |  | Password used to connect to remote machine. Required only when authMethod is set to "password". | modifiable |
| keyPath | String | Yes |  | Path to SSH key used to connect to the remote machine. Required only when authMethod is set to "key". | modifiable |
| keyPassword | String | No | null | Password to SSH key to connect to the remote machine, required only when authMethod is set to "password". | modifiable |
| pathExpression | String | Yes |  | Path expression of the files to collect. | modifiable |
| authMethod | String | Yes |  | Authentication method used to connect to the remote machine. Options are "password" to connect with a password, or "key" to connect with an SSH key. | modifiable |
| blacklist | List | No | [ ] | List of valid path expressions to skip. Default is [ ]. | modifiable |

Remote File Source JSON example:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"RemoteFileV2",
         "name":"Example1",
         "remoteHosts":[
            "192.168.0.1",
            "10.0.1.16",
            "192.168.1.234"
         ],
         "remotePort":22,
         "remoteUser":"user",
         "remotePassword":"password",
         "keyPath":"",
         "keyPassword":"",
         "pathExpression":"/var/log/somelog.log",
         "authMethod":"password",
         "blacklist":[
            "/var/log/*.out.log",
            "/var/log/*.tmp.log"
         ]
      }
   ]
}

Local Windows Event Log Source

In addition to the common parameters, the following parameters are for Local Windows Event Log Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | LocalWindowsEventLog | not modifiable |
| logNames | List | Yes |  | List of Windows log types to collect. For example, "Security" or "Application". To obtain the list of available logs on a given machine, use the PowerShell command Get-WinEvent -ListLog * or the legacy command wevtutil el. We do not support "Analytic" or "Debug" ETW logs. | modifiable |
| renderMessages | boolean | No | true | Flag indicating if full event messages are collected (true) or just core event metadata (false). | modifiable |

Local Windows Event Log Source JSON example:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"LocalWindowsEventLog",
         "name":"Example1",
         "renderMessages":true,
         "logNames":[
            "Security",
            "Application"
         ]
      }
   ]
}

Remote Windows Event Log Source

In addition to the common parameters, the following parameters are for Remote Windows Event Log Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | RemoteWindowsEventLog | not modifiable |
| domain | String | Yes |  | Windows domain from which logs will be created. | modifiable |
| username | String | Yes |  | User name needed to connect to the remote machine. | modifiable |
| password | String | Yes |  | Password needed to connect to the remote machine. | modifiable |
| hosts | List | Yes |  | List of hosts to collect from. | modifiable |
| logNames | List | Yes |  | List of Windows log types collected. | modifiable |
| renderMessages | boolean | No | true | Flag indicating if full event messages are collected ("true") or just core event metadata ("false"). | modifiable |

Remote Windows Event Log Source JSON example:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"RemoteWindowsEventLog",
         "name":"Example1",
         "domain":"mydomain",
         "username":"user",
         "password":"password",
         "renderMessages":true,
         "hosts":[
            "myremotehost1",
            "myremotehost2"
         ],
         "logNames":[
            "Security",
            "Application"
         ]
      }
   ]
}

 

Local Windows Performance Source 

In addition to the common parameters, the following parameters are for Local Windows Performance Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | LocalWindowsPerformance | not modifiable |
| wmiQueries | list | yes |  | List of queries to be executed. Each query is an object with two fields: name and query. | modifiable |

Example response:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"LocalWindowsPerformance",
         "name":"Example1",
         "wmiQueries":[
            {
               "name":"query_1",
               "query":"select * from Win32_PerfFormattedData_PerfOS_Processor"
            },
            {
               "name":"query_2",
               "query":"select * from NonExistence"
            }
         ]
      }
   ]
}

Remote Windows Performance Source 

In addition to the common parameters, the following parameters are for Remote Windows Performance Source.

| Parameter | Type | Required? | Description | Access |
|---|---|---|---|---|
| sourceType | string | Yes | RemoteWindowsPerformance | not modifiable |
| domain | String | Yes | Windows domain from which logs will be created. | modifiable |
| remoteUser | String | Yes | User name needed to connect to the remote machine. |  |
| remotePassword | String | Yes | Password needed to connect to the remote machine. |  |
| remoteHosts | List | Yes | List of hosts to collect from. |  |
| wmiQueries | List | Yes | List of queries to be executed. Each query is an object with two fields: name and query. |  |

Remote Windows Performance Source JSON example:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"RemoteWindowsPerformance",
         "name":"Example1",
         "domain":"mydomain",
         "remoteUser":"user",
         "remotePassword":"password",
         "remoteHosts":[
            "myremotehost1",
            "myremotehost2"
         ],
         "wmiQueries":[
            {
               "name":"query_1",
               "query":"select * from Win32_PerfFormattedData_PerfOS_Processor"
            },
            {
               "name":"query_2",
               "query":"select * from NonExistence"
            }
         ]
      }
   ]
}

Windows performance metric example

This example shows how to use WMI queries to collect performance metrics from Windows systems.

{
   "api.version":"v1",
   "sources":[
      {
         "name":"Windows Performance",
         "sourceType":"LocalWindowsPerfMon",
         "automaticDateParsing":false,
         "multilineProcessingEnabled":false,
         "useAutolineMatching":false,
         "forceTimeZone":false,
         "filters":[],
         "cutoffTimestamp":0,
         "encoding":"UTF-8",
         "interval":300000,
         "wmiQueries":[
            {
               "name":"CPU",
               "query":"select * from Win32_PerfFormattedData_PerfOS_Processor"
            },
            {
               "name":"Logical Disk",
               "query":"select * from Win32_PerfFormattedData_PerfDisk_LogicalDisk"
            },
            {
               "name":"Physical Disk",
               "query":"select * from Win32_PerfFormattedData_PerfDisk_PhysicalDisk"
            },
            {
               "name":"Memory",
               "query":"select * from Win32_PerfFormattedData_PerfOS_Memory"
            },
            {
               "name":"Network",
               "query":"select * from Win32_PerfFormattedData_Tcpip_NetworkInterface"
            }
         ]
      }
   ]
}

Syslog Source

In addition to the common parameters, the following parameters are for Syslog Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | Syslog | not modifiable |
| protocol | String | Yes |  | Protocol that syslog should use. Both UDP and TCP are supported. | modifiable |
| port | Integer | Yes |  | Port that syslog should use to connect to the machine. Recommended ports: 514 or 1514. | modifiable |

Syslog Source JSON example: 

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"Syslog",
         "name":"Example1",
         "protocol":"UDP",
         "port":514
      }
   ]
}

Script Source

In addition to the common parameters, the following parameters are for Script Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | Script | not modifiable |
| commands | List | Yes | [ ] | List of command line arguments. | modifiable |
| file | String | No | null | Path to script file to run. | modifiable |
| workingDir | String | No | null | Working directory for commands/script. | modifiable |
| timeout | Long | No | 0 | Script timeout (in milliseconds). By default, this is set to 0. | modifiable |
| script | String | No | null | Script contents (if no file is provided). | modifiable |
| cronExpression | String | Yes |  | Schedule for running the script. Must be a valid Quartz cron expression. | modifiable |

Script Source JSON Example: 

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"Script",
         "name":"Example1",
         "commands":[
            "/bin/bash"
         ],
         "file":"/usr/local/bin/getlogs.log",
         "workingDir":"/var/log",
         "timeout":60000,
         "script":"",
         "cronExpression":"0 * * * *"
      }
   ]
}

Docker Log Source

In addition to the common parameters, the following parameters are for Docker Log Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | DockerLog |  |
| uri | string | Yes |  | URI of the Docker daemon. | modifiable |
| specifiedContainers | list |  |  | Comma-separated list of Docker containers. Collection will be only from running containers. If the list contains stopped containers, the source can start collecting from these containers if they are started later. | modifiable |
| allContainers | boolean | Yes |  | Flag indicating whether the Source includes all running containers (true) or only the containers listed in specifiedContainers (false). | modifiable |
| certPath | string | * |  | Enter the path to the cert files on the local machine where the Collector is running. Required if the URI uses HTTPS. | modifiable |
| collectEvents | boolean | Yes |  | Must be set to true to collect the Docker logs. |  |

Example source JSON with all containers:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"DockerLog",
         "name":"Example1",
         "uri":"https://54.165.12.163:2376",
         "allContainers":true,
         "certPath":"/home/ec2-user/.docker/machine/machines/wmad-docker",
         "collectEvents":true
      }
   ]
}

Example source JSON with specified containers:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"DockerLog",
         "name":"Example1",
         "uri":"https://54.165.12.163:2376",
         "specifiedContainers":[
            "webserver",
            "mysql",
            "another-container"
         ],
         "allContainers":false,
         "certPath":"/home/ec2-user/.docker/machine/machines/wmad-docker",
         "collectEvents":true
      }
   ]
}

 

Docker Stats Source

In addition to the common parameters, the following parameters are for Docker Stats Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | DockerStats | not modifiable |
| uri | string | Yes |  | URI of the Docker daemon. | modifiable |
| specifiedContainers | list |  |  | Comma-separated list of Docker containers. Collection will be only from running containers. If the list contains stopped containers, the source can start collecting from these containers if they are started later. | modifiable |
| allContainers | boolean | Yes |  | Flag indicating whether the Source includes all running containers (true) or only the containers listed in specifiedContainers (false). | modifiable |
| certPath | string | * |  | Enter the path to the cert files on the local machine where the Collector is running. Required if the URI uses HTTPS. | modifiable |

Example source JSON with all containers:

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"DockerStats",
         "name":"Example2",
         "uri":"https://54.165.12.163:2376",
         "allContainers":true,
         "certPath":"/home/ec2-user/.docker/machine/machines/wmad-docker"
      }
   ]
}

Metric Source parameters for installed Collectors

Host Metrics Source 

In addition to the common parameters, the following parameters are for Host Metrics Source. Host metrics are gathered by the open-source SIGAR library.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | SystemStats | not modifiable |
| metrics | string array | No | all metrics | Comma-separated list of metrics to collect. Example: "metrics" : ["CPU_User", "CPU_Sys", "Mem_Used"]. For a full list of available metrics, see Host Metrics Source for Installed Collectors. When omitted, all available host metrics will be collected. | modifiable |
| interval (ms) | Integer | Yes |  | Time interval in milliseconds of the metrics collection. We recommend 60 second granularity (60000). The Sumo Logic UI offers some pre-defined values (10s, 15s, 30s, 1m, 5m). | modifiable |
| hostName | string | No |  | Host from which the metrics are collected. | modifiable |

Host metrics Source JSON example: 

{
 "api.version": "v1",
 "sources": [{
   "sourceType" : "SystemStats",
   "name" : "Host_Metrics",
   "interval" : 60000,
   "hostName" : "my_host",
   "metrics" : ["CPU_User", "CPU_Sys", "Mem_Used"]
 }]
}

Graphite Source 

In addition to the common parameters, the following parameters are for Graphite Source.

| Parameter | Type | Required? | Default | Description | Access |
|---|---|---|---|---|---|
| sourceType | string | Yes |  | Graphite | not modifiable |
| protocol | String | Yes |  | Protocol that syslog should use. Both UDP and TCP are supported. For CollectD metrics, only TCP is supported. | modifiable |
| port | Integer | Yes |  | Port that the Collector should use to listen for Graphite metrics. Recommended port: 2003 | modifiable |

Graphite Source JSON example: 

{
   "api.version":"v1",
   "sources":[
      {
         "sourceType":"Graphite",
         "name":"collectd",
         "protocol":"TCP",
         "port":2003
      }
   ]
}
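
Several parameters on this page depend on one another (authMethod and its credential fields, an HTTPS Docker uri and certPath, allContainers and specifiedContainers), and the password fields are stored in the JSON file as cleartext. The following pre-deployment check for those rules is an added example, not Sumo Logic code; the function names, finding texts and sample input are constructed, and treating an empty specifiedContainers with allContainers set to false as an error is an inference from the table wording.

```python
import json
from urllib.parse import urlparse

# Fields that hold a credential in cleartext in the JSON file (from this page's tables).
SECRET_KEYS = ("remotePassword", "password", "keyPassword")

def audit_source(src):
    """Return findings for one source object, using the rules in this page's tables."""
    out, stype = [], src.get("sourceType")
    if stype == "RemoteFileV2":
        method = src.get("authMethod")
        if method not in ("password", "key"):
            out.append("authMethod must be 'password' or 'key'")
        elif method == "password" and not src.get("remotePassword"):
            out.append("authMethod=password but remotePassword is empty")
        elif method == "key" and not src.get("keyPath"):
            out.append("authMethod=key but keyPath is empty")
    if stype in ("DockerLog", "DockerStats"):
        if urlparse(src.get("uri", "")).scheme == "https" and not src.get("certPath"):
            out.append("https uri requires certPath")
        # Inference: with allContainers=false an empty list would collect nothing.
        if src.get("allContainers") is False and not src.get("specifiedContainers"):
            out.append("allContainers=false with no specifiedContainers")
    if stype == "DockerLog" and src.get("collectEvents") is not True:
        out.append("collectEvents must be true")
    if stype in ("Syslog", "Graphite") and str(src.get("protocol")).upper() not in ("UDP", "TCP"):
        out.append("protocol must be UDP or TCP")
    for key in SECRET_KEYS:
        if src.get(key):  # flag so the file's permissions and storage get reviewed
            out.append(f"cleartext credential in {key}")
    return out

def audit(text):
    """Audit a sources JSON document; returns {source name: [findings]}."""
    report = {}
    for src in json.loads(text).get("sources", []):
        findings = audit_source(src)
        if findings:
            report[src.get("name", "<unnamed>")] = findings
    return report

# Constructed sample input (not from the page); addresses are documentation ranges.
SAMPLE = """{"api.version":"v1","sources":[
 {"sourceType":"RemoteFileV2","name":"remote-app","remoteHosts":["192.0.2.10"],
  "remotePort":22,"remoteUser":"collector","remotePassword":"example-only",
  "keyPath":"","pathExpression":"/var/log/app.log","authMethod":"key"},
 {"sourceType":"DockerLog","name":"docker-logs","uri":"https://192.0.2.20:2376",
  "allContainers":false,"collectEvents":true},
 {"sourceType":"Syslog","name":"syslog-in","protocol":"UDP","port":514}]}"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, findings)
```

A source file that produces a "cleartext credential" finding should be readable only by the account the Collector runs as and kept out of shared repositories.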