The Sumo Logic App for Acquia provides visibility into the key components of the Acquia platform with preconfigured dashboards for Apache, Varnish, PHP, FPM and Drupal.

Sumo Logic provides instant visibility across the critical components of the Acquia Platform, helping organizations become more proactive in their site monitoring as well as reducing the mean time to identify and resolve issues.

Log types

Sumo Logic analyzes the following required Acquia data for more efficient monitoring:

Log samples

This section provides sample log messages for the following log types that are required Acquia data for more efficient monitoring.

Apache access log
- - [04/Jan/2017:23:20:38 +0000] "GET /contact_us HTTP/1.1" 404 10117 "-"
" bot version 1.4 (" hosting_site=alphabeta pid=26731 request_time=10186417 forwarded_for="," request_id="v-00000zzz-d2d4-11e6-9bed-0aeea9eaf9af" location=""
Apache error log
[Fri Aug 18 20:40:36.849360 2017] [access_compat:error] [pid 11069]
[client] AH01797: client denied by server configuration:
Drupal request log
[03/Feb/2017:00:14:36 +0000] POST /dashboard
http_code=302 query= uid=154496 php_pid=30961 php_time=0.203 queue_wait=0
Drupal watchdog log
Aug 18 21:22:01 alphabeta:|1503091321|
custom_module||||0||Warning: Invalid
argument supplied for foreach() in views_join->build_join
FPM access log
- -  25/Sep/2018:17:02:35 +0000 "GET /index.php" 200 memory_kb=6144 %cpu=9.16 duration_ms=218.423
FPM error log
[04-Jan-2017 18:45:13] NOTICE: [pool alphabeta] child 20069 exited with code
0 after 3832.234353 seconds from start
PHP error log
[04-Jan-2017 14:29:27 America/New_York] PHP Fatal error:  Allowed memory
size of 367001600 bytes exhausted (tried to allocate 352591872 bytes) in
/full/path/to/module/notification.php on line 504
Varnish Request log
"time":"[12/Dec/2018:23:59:59 +0000]",
"user_agent":"Browser Name Here",

Sample queries

This section provides examples for Drupal request, Apache access, and PHP error queries.

Drupal request
_sourceCategory=Labs/Acquia drupal-requests
| parse "<133>1 * * *.* - - - [*] * * * http_code=* query=* uid=* php_pid=* php_time=* queue_wait=*
request_id=\"*\"" as timestamp,lb,host,logtype,time,appurl,method,url,http_code,query,uid,php_id,
| timeslice 1m
| count by _timeslice, http_code
| transpose row _timeslice column http_code as *
Apache access
_sourceCategory=Labs/Acquia apache-access
| parse " - - - * - - [*] \"* * HTTP/1.1\" * * \"*\" \"*\" vhost=* host=* hosting_site=* pid=*
request_time=* forwarded_for=\"*\" request_id=\"*\" location=\"*\"" as src_ip,timestamp,method,
| where !(status_code matches "2*")
PHP error
_sourceCategory=Labs/Acquia php-errors
| parse "* * * * - - - [*] *: * request_id=\"*\"" as head,systime,env,host,time,type,message,
| count as count by Type, message
| sort by count

Collecting Logs for the Acquia App

This section provides instructions for configuring log collection from Acquia and sending those logs to Sumo Logic for monitoring and analysis in the Acquia App predefined dashboards and searches.

Sumo Logic enables you to collect logs from Acquia, with the ability to configure the log types to be collected. The logs are then forwarded to a Sumo Logic Cloud Syslog Source.

Step 1: Configure a collector

This section walks you through the process of creating a new Sumo Logic hosted collector.

To create a new Sumo Logic hosted collector, do the following:

  1. In the main Sumo Logic menu, select Manage Data > Collection > Collection.
  2. Click Add Collector.
  3. Click Hosted Collector.
  4. Provide a Name for the Collector.
  5. A description is optional.
  6. Category. Enter any string to tag the logs collected from this Collector. This Source Category value is stored in a searchable metadata field called _sourceCategory. See our Best Practices: Good Source Category, Bad Source Category.
  7. Click the +Add Field link in the Fields section to define the fields you want to associate. Each field needs a key and value.
    • A green circle with a check mark is shown when the field exists in the Fields table schema.
    • An orange triangle with an exclamation point is shown when the field doesn't exist in the Fields table schema. In this case, an option to automatically add the nonexistent fields to the Fields table schema is provided. If a field that does not exist in the Fields schema is sent to Sumo, it is ignored (dropped).
  8. Assign to a Budget allows you to assign an ingest budget to the Collector. The dropdown displays your ingest budgets in the following format:
<budget name> (<field value>) (<allocated capacity>)
  9. Time Zone. Set the default time zone when it is not extracted from the log timestamp. Time zone settings on Sources override a Collector time zone setting.
  10. Review your input and when finished click Save.

After the Collector has been set up, it appears on the Collection page as a Hosted Collector.

Step 2: Configure a source

This task shows you how to configure a cloud syslog source for Acquia log collection.


It's helpful to know the options you'll need to set before starting a procedure. When you're configuring a cloud syslog source, be sure to specify the following configurations:

  • Source:
    • Name. (Required) A name is required; the Description is optional.
    • Source Category. (Required) The Source Category metadata field is a fundamental building block to organize and label Sources. Example: Acquia. For more information, see Best Practices.
  • Advanced
    • Enable Timestamp Parsing. True
    • Time Zone. Logs are in UTC by default
    • Timestamp Format. Auto Detect

Be sure to copy your token and store it in a secure location. You'll need it when you configure Syslog Settings.

Sumo Logic SSL certificate

In the procedure below, you'll configure a Cloud Syslog Source. This will generate a Sumo Logic token and the endpoint hostname. Then you'll set up TLS by downloading a cert to your server. Download the DigiCert certificate from one of the following locations:

Configuring a cloud syslog source

Cloud syslog configuration requires a token that is automatically generated when you configure a cloud syslog source. The token allows Sumo to distinguish your log messages from those of other customers. The token is tied to the source, but not to any specific user.

Include the token as the Structured ID in every syslog message that is sent to Sumo Logic. The token is removed by Sumo Logic during ingestion and is not included with your syslog message in search results.

The token is deleted if you delete the source. To change a token, use the Regenerate Token option as described in the following procedure.

To configure a cloud syslog source, do the following:

  1. In Sumo Logic, select Manage Data > Collection > Collection.
  2. On the Collection page, click Add Source next to a Hosted Collector. See Set up a Hosted Collector for information on adding Hosted Collectors.
  3. Select Cloud Syslog.
  4. Enter a Name to display for this source in Sumo. Description is optional.
  5. (Optional) For Source Host and Source Category, enter any string to tag the output collected from this source. (Category metadata is stored in a searchable field called _sourceCategory).
  6. Fields. Click the +Add Field link to add custom log metadata Fields. Define the fields you want to associate. Each field needs a name (key) and value.
    • A green circle with a check mark is shown when the field exists and is enabled in the Fields table schema.
    • An orange triangle with an exclamation point is shown when the field doesn't exist, or is disabled, in the Fields table schema. In this case, an option to automatically add or enable the nonexistent fields in the Fields table schema is provided. If a field that does not exist in the Fields schema, or is disabled, is sent to Sumo, it is ignored (dropped).
  7. Set any of the following under Advanced:
    • Enable Timestamp Parsing. This option is selected by default. If it's deselected, no timestamp information is parsed.
    • Time Zone. There are two options for Time Zone. You can use the time zone present in your log files, and then choose an option in case time zone information is missing from a log message. Or, you can have Sumo Logic completely disregard any time zone information present in logs by forcing a time zone. It's important to have the proper time zone set, no matter which option you choose. If the time zone of logs cannot be determined, Sumo Logic assigns the UTC time zone; if the rest of your logs are from another time zone your search results will be affected.
    • Timestamp Format. By default, Sumo will automatically detect the timestamp format of your logs. However, you can manually specify a timestamp format for a source. See Timestamps, Time Zones, and Time Ranges, and Date Formats.
  8. Create any Processing Rules you'd like for the new source.
  9. Click Save. The token information is displayed in a read-only dialog box.
  10. Click Copy to copy the information for use in the syslog client. The information is copied in the following format:
Token: 9HFxoa6+lXBmvSM9koPjGzvTaxXDQvJ4POE/WCURPAo+w4H7PmZm8H3mSEKxPl0Q@41123, Host:, TCP TLS Port: 6514

The number 41123 in the token is the Sumo Private Enterprise Number (PEN). There are two options for including the token. You can include it in the structured data field or in the message body.

In the following example, the token is in the structured data field.

<165>1 2015-01-11T22:14:15.003Z evntslog - ID47 [YOUR_TOKEN] msg

In the following example, the token is in the message body.

<165>1 2015-01-11T22:14:15.003Z evntslog - ID47 - YOUR_TOKEN msg

RFC 5424 limits the structured data field (SD-ID) to 32 characters; however, our token is 64 characters long. If your logging client enforces this limit, you will need to pass the token in the message body.

  11. After configuring the source, you can perform these token operations from the Collectors and Sources page:

  • Click Show Token to display the token for a cloud syslog source at any time.
  • Click Regenerate Token if you need to generate a new token.
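
The two token placements described above, as an added Python example that is not part of the Sumo Logic documentation: it builds one RFC 5424 line with the token in the structured data field, or in the message body when the client enforces the 32-character SD-ID limit, and masks the token before a line is written to a local debug log. The helper names (`build_message`, `redact`, `strict_sd`), the `web01`/`acquia` host and app values, and the token character set (inferred from the sample token shown in step 10) are assumptions.

```python
import re
from datetime import datetime, timezone

SUMO_PEN = "41123"   # Private Enterprise Number suffix, as stated in the text
SD_ID_MAX = 32       # RFC 5424 SD-ID length limit
# Assumption: 64 base64-style characters followed by "@41123".
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=]{64}@" + SUMO_PEN)

def build_message(token, msg, host="web01", app="acquia", strict_sd=False,
                  pri=165, when=None):
    """Return one RFC 5424 line carrying the cloud syslog token.

    strict_sd=True models a client that enforces the 32-character SD-ID
    limit, so the token travels at the start of the message body instead.
    `when` must be a timezone-aware UTC datetime (defaults to now).
    """
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token does not look like <64 chars>@" + SUMO_PEN)
    if any(c in msg for c in "\r\n"):
        # A line break would split the record and detach the token from it.
        raise ValueError("message must be a single line")
    when = when or datetime.now(timezone.utc)
    ts = when.strftime("%Y-%m-%dT%H:%M:%S.") + f"{when.microsecond // 1000:03d}Z"
    header = f"<{pri}>1 {ts} {host} {app} - -"   # PROCID and MSGID left nil
    if strict_sd and len(token) > SD_ID_MAX:
        return f"{header} - {token} {msg}"       # token in the message body
    return f"{header} [{token}] {msg}"           # token in structured data

def redact(line):
    """Mask the token before a forwarded line is written to local logs."""
    return TOKEN_RE.sub("<token>@" + SUMO_PEN, line)
```
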

Step 3: Configure logging for Acquia

To start ingesting Acquia Cloud logs, you must set up log forwarding in Acquia Cloud.

To configure Acquia log forwarding, follow the instructions in the Acquia documentation.

Installing the Acquia app

This section provides instructions on how to install the Acquia App, as well as examples of each of the dashboards. The app's pre-configured searches and dashboards provide easy-to-access visual insights into your data.

To install the app, do the following:

  1. Select App Catalog.
  2. In the Search Apps field, search for and then select your app.
    Optionally, you can scroll down to preview the dashboards included with the app.
  3. To install the app, click Install App.
  4. Click Next in the Setup Data section.
  5. In the Configure section of the respective app, complete the following fields.
    1. Key. Select either of these options for the data source.
      • Choose Source Category, and select a source category from the list for Default Value.
      • Choose Custom, and enter a custom metadata field. Insert its value in Default Value.
  6. Click Next. You will be redirected to the Preview & Done section.

Your app will be installed in the Installed Apps folder and dashboard panels will start to fill automatically.

Each panel slowly fills with data that matches the time range query and has been received since the panel was created. Results will not be available immediately; full graphs and charts appear over time.

Viewing Acquia dashboards

All dashboards have a set of filters that you can apply to the entire dashboard. Use these filters to drill down and examine the data to a granular level.

  • You can change the time range for a dashboard or panel by selecting a predefined interval from a drop-down list, choosing a recently used time range, or specifying custom dates and times. Learn more.
  • You can use template variables to drill down and examine the data on a granular level. For more information, see Filter with template variables.
  • Most Next-Gen apps allow you to provide the scope at installation time. The scope consists of a key (_sourceCategory by default) and a default value for this key. Based on your input, the app dashboards will be parameterized with a dashboard variable, allowing you to change the dataset queried by all panels. This eliminates the need to create multiple copies of the same dashboard with different queries.


The Acquia - Overview dashboard provides a high-level view of the activity and health of the environment. Dashboard panels display visual graphs and detailed information on visitor geographic locations, traffic volume and distribution, responses over time, as well as time comparisons for visitor locations and server hits.

Use this dashboard to:

  • Understand the traffic distribution across servers, to provide insights for resource planning through analysis of data volume and bytes served.
  • Gain insights into traffic origin locations by region to better allocate compute resources for regions according to their needs.
  • Monitor high severity threats and scan attacks.
  • Identify and troubleshoot configuration issues.
  • Identify ways to fine tune your product based on your data analysis.

Errors Overview

The Acquia - Errors Overview dashboard provides a high-level view of events by log level, time comparisons, and trends. The panels also show the geographic locations of clients and clients with critical messages, new connections and outliers, client requests, request trends, and request outliers.

Use this dashboard to:

  • Track errors by Drupal module.
  • Monitor Varnish cache hit and miss rates.
  • Track critical error messages from the various components of the Acquia stack.

FPM Overview

The Acquia - FPM Overview dashboard provides insights for analysis of the performance of FPM (FastCGI Process Manager) in the Acquia environment, including memory and CPU usage, status codes and response time outliers.

Use this dashboard to:

  • Identify trends for consumed resources over time.
  • Monitor status codes over time.
  • Monitor response time latency.

Drupal Request Overview

The Acquia - Drupal Requests Overview dashboard provides insights for analysis of the performance of the Drupal platform. The panels show response time anomalies, response codes and breakdowns of slow URLs and queries.

Use this dashboard to:

  • Review trends for slow URLs and slow queries
  • Monitor status codes over time
  • Monitor response time latency

Copyright © 2024 by Sumo Logic, Inc.