Closed nergdron closed 5 years ago
Hi @nergdron, thank you for reporting this issue. You are seeing the container id of the collector as the host because in this case the collector is running as a container and the hostname becomes the container id.
You can actually override the sourceHost of your logs by following this doc: https://help.sumologic.com/03Send-Data/Sources/01Sources-for-Installed-Collectors/Docker-Sources#Configure_sourceCategory_and_sourceHost_using_variables
right, I guess my point is just that it then gets reported as the hostname for all containers it's logging for, not just itself, which instantly makes the host field incorrect for all other containers. so I think the default behaviour for the collector container should be to use the docker host's hostname rather than the container_id.
As well, I don't really understand how to change the configuration based on the doc you linked. It tells you what variables you can use to construct a new sourceHost, but none of them seem to be the docker host's hostname. as well, it's not clear where this configuration needs to be entered if I want to do it automatically at container start time. docker container hosts are typically being run in ASGs, so anything that requires manually editing the collector in the sumologic web interface is instantly out.
> so I think the default behaviour for the collector container should be to use the docker host's hostname rather than the container_id.
Agreed. Currently the host field is populated when the collector gets your logs (unless it's overwritten by collector or source-level metadata) which happens inside the container. Unfortunately the collector does not have knowledge on whether it is running inside a container or as a service on the host. So when the collector tries to get the host name and attach to your logs, it can only get the host name of the container.
I made a code change so that you can overwrite the collector host field the same way you set the collector name, or if not specified it will use the container host name. This change will go out in the next release.
In the meantime, a workaround is to overwrite the host field on the sources. You can modify the source configuration and use environment variables to set the host to the docker host's hostname. If you are using the default docker sources that come with the latest image, the configuration is specified here: https://github.com/SumoLogic/sumologic-collector-docker/blob/master/docker-sources/sumo-sources.json
You would need to add the hostName field for your sources, for example:
```json
{
  "name": "Docker-logs",
  "category": "docker",
  "hostName": "${ENVIRONMENT_VAR_HOSTNAME}",
  "allContainers": true,
  "collectEvents": true,
  "uri": "unix:///var/run/docker.sock",
  "specifiedContainers": [],
  "multilineProcessingEnabled": false,
  "sourceType": "DockerLog"
}
```
and set the environment variable ENVIRONMENT_VAR_HOSTNAME to be your docker hostname. Or you can say "hostName": "{{container.ID}}" if you want the field to be the corresponding container ID of the container where your logs are coming from.
If you want more help on source configuration, this doc should help: https://help.sumologic.com/03Send-Data/Sources/03Use-JSON-to-Configure-Sources/JSON-Parameters-for-Installed-Sources
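An added example, not part of the thread or Sumo Logic's own code: a small script that lists the Docker sources in a sources file that have no hostName (and so inherit the collector's host) and patches them with the placeholder from the comment above. The `api.version`/`sources` wrapper, the second sample source and the function names are assumptions made for illustration.

```python
import copy
import json

# Constructed sample: the source entry from the comment above (abridged) plus a
# second source that already sets hostName. The "api.version"/"sources" wrapper
# is an assumption about the sources file layout.
SAMPLE = """
{
  "api.version": "v1",
  "sources": [
    {"name": "Docker-logs", "category": "docker", "allContainers": true,
     "uri": "unix:///var/run/docker.sock", "sourceType": "DockerLog"},
    {"name": "Docker-stats", "category": "docker", "hostName": "{{container.ID}}",
     "uri": "unix:///var/run/docker.sock", "sourceType": "DockerStats"}
  ]
}
"""

DOCKER_TYPES = {"DockerLog", "DockerStats"}


def missing_host(config):
    """Names of Docker sources with no hostName set."""
    return [s.get("name", "<unnamed>") for s in config.get("sources", [])
            if s.get("sourceType") in DOCKER_TYPES and not s.get("hostName")]


def set_host(config, host_expr="${ENVIRONMENT_VAR_HOSTNAME}", overwrite=False):
    """Return a copy with hostName set on Docker sources that lack it."""
    patched = copy.deepcopy(config)
    for src in patched.get("sources", []):
        if src.get("sourceType") not in DOCKER_TYPES:
            continue
        if overwrite or not src.get("hostName"):
            src["hostName"] = host_expr
    return patched


def patch_text(text, **kwargs):
    """Parse, patch and re-serialise; json.loads rejects malformed input."""
    return json.dumps(set_host(json.loads(text), **kwargs), indent=2)


if __name__ == "__main__":
    print("sources without hostName:", missing_host(json.loads(SAMPLE)))
    print(patch_text(SAMPLE))
```

Running the parse step on the file before it is baked into an image or launch template also catches syntax errors that would otherwise only surface when the collector starts.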
sounds good, thanks! is there a schedule for the next release, or is it just sort of "when it's ready"? :)
Hi @nergdron, this change just missed the QE cycle for the upcoming collector release this week, so it will go into the next release in early April.
cool, thanks for the update!
Hi @nergdron, we have released new images with this feature in DockerHub. You can specify the SUMO_COLLECTOR_HOSTNAME env variable now to overwrite the host name. Please let us know if you encounter any issues.
so, when I set SUMO_COLLECTOR_NAME to my docker host's hostname, it correctly overrides the generated collector name to "collector_container-$(SUMO_COLLECTOR_NAME)". however, all the log entries still list the Host: field as being the initial 12 chars of the sumo collector container id. this is confusing, since it shows this container id even for other containers. would be much more useful if it defaulted to the docker host's hostname, or at least to the value of SUMO_COLLECTOR_NAME if set.