Sending Logs from Journald to Sumo Logic

If you have an existing Collector and Syslog Source on your host, you can use the following steps to forward messages from journald to that Source.

1.) In the /etc/systemd/system directory, create a new "unit" file called sumocollector.service with the following contents.

[Unit]
Description=Send Journalctl to Sumo

[Service]
TimeoutStartSec=0
ExecStart=/bin/sh -c '/usr/bin/journalctl -f | /usr/bin/ncat --udp localhost 514'
Restart=always
RestartSec=5s

[Install]
WantedBy=multi-user.target

2.) Update the "ExecStart" command to point the output to your Sumo Logic Syslog Source. Assuming the Collector is on the local host and your Syslog Source is configured to use UDP on port 514, the template above should work as is. Here is another example that would instead forward over TCP to a remote host on port 1514:

ExecStart=/bin/sh -c '/usr/bin/journalctl -f | /usr/bin/ncat 192.168.1.2 1514'


3.) Run the following commands to enable and start the service:


$ sudo systemctl enable /etc/systemd/system/sumocollector.service
$ sudo systemctl start sumocollector.service



(Note: restarts of this service will be handled by systemd.)

Once these commands are run, your data should start forwarding to Sumo Logic from the Collector via your Syslog Source. You can run the following command to view the local logs and confirm that the new unit has started:

$ journalctl -f -u sumocollector.service
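The whole procedure above, as an added shell script that is not part of this article and not Sumo Logic's own tooling: it renders the sumocollector.service unit with the protocol, host and port given on the command line, validates the target before writing anything, and (with the --install flag, run as root) enables and starts the service exactly as steps 1 to 3 do. The script name forward-journald.sh, the --install flag and the function names (validate_target, exec_start_line, render_unit, install_unit) are my own; the unit contents and the /usr/bin/journalctl and /usr/bin/ncat paths are taken from the article.

```shell
#!/bin/sh
# Added example (not Sumo Logic's tooling): render and optionally install the
# sumocollector.service unit from the article for a chosen protocol, host and port.
# Assumes journalctl and ncat live at the paths the article uses.

# Build the ncat argument list: UDP needs --udp, TCP is ncat's default.
ncat_args() {
    proto=$1; host=$2; port=$3
    if [ "$proto" = "udp" ]; then
        printf '%s' "--udp $host $port"
    else
        printf '%s' "$host $port"
    fi
}

# Reject anything that is not udp/tcp, an empty host, or a port outside 1-65535,
# so a typo never ends up baked into a unit that systemd restarts forever.
validate_target() {
    proto=$1; host=$2; port=$3
    case "$proto" in
        udp|tcp) ;;
        *) echo "protocol must be udp or tcp" >&2; return 1 ;;
    esac
    [ -n "$host" ] || { echo "host must not be empty" >&2; return 1; }
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    return 0
}

# The ExecStart line in the same form the article writes it.
exec_start_line() {
    printf "ExecStart=/bin/sh -c '/usr/bin/journalctl -f | /usr/bin/ncat %s'" \
        "$(ncat_args "$1" "$2" "$3")"
}

# Full unit file text, on stdout, for the given target.
render_unit() {
    validate_target "$1" "$2" "$3" || return 1
    cat <<EOF
[Unit]
Description=Send Journalctl to Sumo

[Service]
TimeoutStartSec=0
$(exec_start_line "$1" "$2" "$3")
Restart=always
RestartSec=5s

[Install]
WantedBy=multi-user.target
EOF
}

# Write the unit (default path is the one from the article), then enable and start it.
# Needs root, like the sudo commands in step 3.
install_unit() {
    proto=$1; host=$2; port=$3
    unit_path=${4:-/etc/systemd/system/sumocollector.service}
    render_unit "$proto" "$host" "$port" > "$unit_path" || return 1
    systemctl enable "$unit_path" && systemctl start sumocollector.service
}

# Usage (as root): sh forward-journald.sh --install tcp 192.168.1.2 1514
# Without --install the script only defines the functions, so it can be sourced.
if [ "${1:-}" = "--install" ]; then
    install_unit "$2" "$3" "$4"
fi
```

To preview the unit without touching the system, source the file and call `render_unit udp localhost 514`; it prints the same text as the article's template. Two caveats of the article's unit carry over into this script unchanged: `journalctl -f` starts by emitting the ten most recent journal entries, so every restart of the service (RestartSec=5s) resends those ten lines to the Syslog Source, and the unit sets no `User=`, so the pipeline runs as root; a dedicated account in the systemd-journal group can read the journal and is the least-privilege choice if you want to tighten it.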