Choosing a Sumo Logic Collector and Source

To send your data to Sumo Logic, you have a few options. We have two types of installed agents and offer a collector fully hosted by us.

Sumo Logic Collectors

OpenTelemetry Distribution (Installed Agent)

Distribution of OpenTelemetry is the next-generation agent for data collection. It is built entirely on OpenTelemetry Collector.

The Sumo Logic Distribution for OpenTelemetry Collector is built with the opentelemetry-collector-builder and provides a single unified agent to send Logs, Metrics, Traces, and Metadata for Observability to Sumo Logic.

Refer to Sumo Logic Distribution for OpenTelemetry Collector documentation for more information.

It's supported on Linux, macOS, Windows, and Kubernetes environments and can use any of the following Sources:

• Local File
• Host/Process Metrics
• HTTP Traces
• Streaming Metrics
• Syslog
• Telegraf Input Plugins

For full details on limitations, what's supported, and what's different see our comparison documentation.

Installed Collectors (Installed Agent)

Installed Collectors are lightweight and efficient. You can choose to install a small number of Collectors to minimize maintenance or to keep your topology simple. Alternatively, you can choose to install many Collectors on many machines to distribute the bandwidth impact across your network rather than having it centralized.

Installed Collectors are deployed in your environment, on a local machine, a machine in your organization, or even an Amazon Machine Image (AMI). Installed Collectors require a software download and installation. Upgrades to Collector software are released regularly by Sumo Logic.

Consider having an Installed Collector on a dedicated machine when:

• You need to collect data with a Source only available on Installed Collectors.
• You are running a very high-bandwidth network with high logging levels.
• You want a central collection point for many Sources.

Consider having more than one Installed Collector if:

• You expect the Collector to ingest from at least 500 separate files.
• Your hardware has memory or CPU limitations.
• You expect combined logging traffic for one Collector to be higher than 15,000 events per second.
• Your network clusters or regions are geographically separated.
• You prefer to install many Collectors, for example, one per machine to collect local files.

To help design your deployment see how Installed Collectors work and Best Practices: Local and Centralized Data Collection.

For details on system requirements, see Installed Collector requirements.

Compare Installed Collectors and OpenTelemetry Collectors​

The Installed Collector and OpenTelemetry Collector are two popular collectors used for collecting metrics, traces, and logs from various sources. While both collectors have their own unique features and advantages, there are some key differences between them.

Installed Collector. The Installed Collector is a standalone agent that runs on Linux, MacOS, Kubernetes, and Windows platforms. It supports a wide range of sources, including Local File, Syslog, Host/Process Metrics, Streaming Metrics, Transaction Tracing, and many more. It also provides support for remote management and configuration, Ingest Budgets, Collector Management API, and CPU targets.

OpenTelemetry Collector. The OpenTelemetry Collector is a single-agent management solution that runs on Linux, MacOS, Kubernetes, and Windows platforms. It supports sources such as Local File, Syslog, Host/Process Metrics, Streaming Metrics, and Transaction Tracing. However, it does not provide support for remote management or configuration, Ingest Budgets, Collector Management API, or CPU targets.

When to Choose Installed Collector vs. OpenTelemetry Collector

The following table shows the comparison between the Installed Collector and OpenTelemetry Collector based on their supported platforms and sources, and their ideal use cases.

Collector Type	Supported Platforms	Supported Sources	Ideal Use Cases
Installed Collector	Linux, MacOS, Kubernetes, Windows	Local File, Syslog, Host/Process Metrics, Streaming Metrics, Transaction Tracing, All Telegraf Input Plugins, Windows Log Event Receiver, Windows Performance Counters Receiver, Script Sources, Script Actions, Docker Stats / Logs, Remote File, Windows Active Directory Source, Remote Windows Event Log Source	Remote management and configuration, Ingest Budgets, Collector Management API (e.g. for Health Events or CRUD operations), CPU target
OpenTelemetry Collector	Linux, MacOS, Kubernetes, Windows	Local File, Syslog, Host/Process Metrics, Streaming Metrics, Transaction Tracing	Single agent management, scale issues with FluentD on Kubernetes Collection, no remote management or configuration, no Ingest Budgets, no Collector Management API, no CPU target

Source Specific Configurations

The OpenTelemetry Collector offers two approaches for Syslog processing:

• Syslog Receiver
• TCPlog/UDPlog Receiver and Sumo Logic Syslog Processor.

The following table shows the comparison of source specific configurations between the Installed Collector and OpenTelemetry Collector.

Feature/Capability	OpenTelemetry Syslog Receiver	TCPlog/UDPlog Receiver and Sumo Logic Syslog Processor
Accepts logs	RFC3164 and RFC5424 formats	Any format
Field Parsing	Collector side	Not on collector side
Protocol Verification	Strict parsing; logs sent to the wrong endpoint will not be parsed	No protocol verification; all formats are treated the same
Recommendation	Sending logs using a certain RFC protocol	Compatibility with the current Installed Collector behavior is needed

Overall, OpenTelemetry Collector is the preferred option if you need a single agent to collect data from multiple sources, want to avoid managing multiple agents, or face scale issues with FluentD on Kubernetes Collection. If you require remote management and configuration or use an unsupported source or platform, the Installed Collector may be a better fit.

For more information, refer to the OpenTelemetry documentation.

Hosted Collectors

Hosted Collectors reside in the Cloud allowing for seamless collection from Amazon Web Services, Google, Microsoft, and many other Cloud services.

Unlike Installed Collectors, Hosted Collectors don't require installation or activation, nor do Hosted Collectors have physical requirements since they're hosted by Sumo Logic in AWS.

Because there are no performance issues to consider, you can configure as many Sources as you'd like, up to 1,000, for a single Hosted Collector. Consider setting up more than one Hosted Collector if you'd like to tag different data types with different metadata.

See how to configure a Hosted Collector and all of the available Sources supported on Hosted Collectors.

Logging levels

The more sensitive the logging level settings are for your applications and devices, the more logs will be sent to the Sumo Logic Cloud. In order to maximize the value of your log collection and analysis, set the logging level as high as you can without negatively impacting the CPU utilization of the machine where the Collector is running. The more searchable data you collect, the more information you have for forensic analysis and troubleshooting.

If you have additional questions, a Sumo Logic sales representative can help determine specific recommendations for your installation.

Compare Installed and Hosted Collectors

Depending on the method you'd like to collect logs, and the types of logs you'd like to collect, Sumo Logic has two types of Collectors you can choose from. Learn how to choose your collector that's right for your environment through our video, "Choosing Your Collector Type".

The following table shows the major differences between them.

Installed Collector	Hosted Collector
Installed on a system within your deployment locally or remotely. Sources collect data available in your deployment. Easy to troubleshoot based on Collector logs. Supports using Local Configuration File Management so you can use JSON files to configure Sources.	Hosted by Sumo Logic. Agentless: no software to install or activate on a system in your deployment. Hosts Sources to collect seamlessly from AWS, Google, and Microsoft products. Can receive logs and metrics uploaded via a URL.

Sumo Logic Sources

Sources are the environments that Sumo Logic Collectors connect to collect data from your site. Each Source is configured to collect files in a specific way, depending on the type of Collector you're using.

• Sources for Installed Collectors are configured on Installed Collectors.
• Sources for Hosted Collectors are hosted along with the Collector in Amazon Web Services (AWS), Microsoft, or other hosting services.

When registering a Collector, you also have the option of configuring the Collector using a Source JSON file.

note

The maximum number of Sources allowed on a Collector is 1,000.

Allowlisting Sources that collect from AWS 

If you're configuring a Source that collects from Amazon Web Services (AWS), you may need to allowlist AWS IP addresses. AWS makes current IP address ranges available in JSON format. Amazon advises that this file changes several times a week.

In particular, you'll need to allowlist the IP address associated with your Sumo Logic endpoint.  For example, if your deployment is in the U.S., you'll need to allowlist the us-east region IP addresses.  See Sumo Logic Endpoints and Firewall Security for information on determining your endpoint.

For details on how the file is updated, its use, its syntax, and to download the JSON file, refer to the AWS documentation