If you have a Syslog Source that is not ingesting messages, follow the steps below to find the problem:
- Use netstat to verify that Sumo is listening on the port. Once the Syslog Source is configured, check on the collector host that a listening process appears on the configured port in the output of "netstat -nap". If no Sumo process is listening on the configured protocol (TCP or UDP) and port, the Sumo process may have been unable to bind to the port because another process was already using it. In that case, a collector log message will indicate that the Sumo process failed to bind to the port.
- Push test messages using netcat. Use netcat to open a chat session to the port and type data into it. Netcat is a networking utility with a simple interface for reading from and writing to TCP and UDP sockets. It is not included by default; you can download it from http://nmap.org/ncat. Sample commands are shown below: the first two are for Windows, the last two for Linux. If you run the command on the host where the collector runs, you can replace "<ip_address>" with "localhost".
ncat.exe -v <ip_address> 1514 ## for TCP port 1514
ncat.exe -vu <ip_address> 1514 ## for UDP port 1514
nc -v <ip_address> 1514 ## for TCP port 1514
nc -vu <ip_address> 1514 ## for UDP port 1514
- Verify ingestion of test messages and check for timestamp issues: Check the Sumo Search page to make sure that the data pushed in the chat interface is available.
If the messages are available in the Sumo Search page, that indicates that the Syslog Source is working as expected. In this case, the problem might be that data is not reaching the Syslog-configured port from the original Syslog clients or from a load balancer.
Also, check the Use Receipt Time box next to the Start button on the Search page. The Syslog Source is configured to use UTC time by default. Because your test messages do not carry a timestamp, Sumo will interpret them as UTC, and the search may not include the results in the default Last 15 Minutes timeframe.
- Check for firewall issues if test messages are ingested but data from the source is not. If ncat data pushed from the local host where the collector runs is ingested, but ncat data pushed from a remote host is not, a firewall rule may be blocking the external data from being received on the collector host (or, in some cases, it is received on the host but not by the collector process). You may need to add firewall rules (or remove firewall exceptions, as the case may be) to allow inbound traffic on the port where the collector is listening.
- If all is good but data is still not ingested, check for CR LF. If the Syslog data is missing carriage return or line feed characters (CR LF, or \r \n), the collector holds the connection open waiting for an end-of-line character until the read times out (typically after 2 minutes), and the following message appears in the collector logs. The fix is to make sure the syslog data includes CR LFs.
2017-05-07 17:20:08,293 -0500 [Thread-2875] ERROR com.sumologic.scala.collector.input.syslog.EventInput - Received event: Exception. server com.sumologic.scala.collector.input.syslog.TCPSyslogServer@45424f69, socketAddress /172.21.36.28:60097 java.net.SocketTimeoutException: Read timed out
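As an added example (not Sumo Logic's code), the helpers below cover the two checks above: a CR LF terminated test message that can be sent over TCP in place of the ncat chat session, and a scan of collector log lines for the read-timeout symptom quoted above. The host name "testhost", the tag "sumotest" and the INFO log line are constructed for illustration.

```python
import re
import socket
from datetime import datetime, timezone

# Matches the collector log line quoted on this page for a TCP connection
# that never delivered a line terminator (EventInput read timeout).
TIMEOUT_RE = re.compile(
    r"ERROR com\.sumologic\.scala\.collector\.input\.syslog\.EventInput"
    r".*java\.net\.SocketTimeoutException: Read timed out"
)

def is_line_terminated(payload: bytes) -> bool:
    """True when the payload ends in LF or CR LF; without one the collector's
    TCP reader keeps waiting for the end of the event until it times out."""
    return payload.endswith(b"\n")

def build_test_message(host: str = "testhost", tag: str = "sumotest") -> bytes:
    """RFC 3164 style test line, CR LF terminated, with an explicit UTC
    timestamp (UTC is the Syslog Source's default timezone)."""
    now = datetime.now(timezone.utc)
    ts = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<14>{ts} {host} {tag}: syslog ingestion check\r\n".encode()

def find_read_timeouts(log_lines):
    """Return collector log lines that show the 'Read timed out' symptom."""
    return [line for line in log_lines if TIMEOUT_RE.search(line)]

def send_tcp(payload: bytes, address: str, port: int = 1514) -> int:
    """Send one payload to the Syslog Source over TCP (the ncat equivalent).
    Refuses unterminated payloads so the test itself cannot cause the timeout."""
    if not is_line_terminated(payload):
        raise ValueError("syslog payload must end in LF or CR LF")
    with socket.create_connection((address, port), timeout=5) as sock:
        sock.sendall(payload)
    return len(payload)

# Constructed sample log: an invented INFO line plus the ERROR line quoted above.
SAMPLE_COLLECTOR_LOG = [
    "2017-05-07 17:18:01,004 -0500 [Thread-2875] INFO "
    "com.sumologic.scala.collector.input.syslog.EventInput - Source started",
    "2017-05-07 17:20:08,293 -0500 [Thread-2875] ERROR "
    "com.sumologic.scala.collector.input.syslog.EventInput - Received event: "
    "Exception. server com.sumologic.scala.collector.input.syslog."
    "TCPSyslogServer@45424f69, socketAddress /172.21.36.28:60097 "
    "java.net.SocketTimeoutException: Read timed out",
]

if __name__ == "__main__":
    print(find_read_timeouts(SAMPLE_COLLECTOR_LOG))
    # send_tcp(build_test_message(), "localhost")  # against the collector host
```

Run send_tcp against the collector host and then search with Use Receipt Time checked, as described above; a payload without a trailing newline is rejected locally rather than producing the timeout in the collector log.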