If you have a Syslog Source that is not ingesting messages, you can use the following steps to find the problem:
- Once the Syslog Source is configured, verify on the Collector host that a process is listening on the configured port, for example in the output of "netstat -nap". If no Sumo process is listening on the configured protocol (TCP or UDP) and port, the Sumo process may have failed to bind to the port because another process was already holding it; in that case the Collector logs contain a message reporting the failure to bind to the port.
- Push data to that port with Netcat in an interactive (chat) session. Netcat is a simple command-line utility for reading from and writing to TCP and UDP sockets. It is not installed by default, but you can download it from http://nmap.org/ncat. Sample commands are below: the first two are for Windows and the last two for Linux. If you run them on the host where the Collector runs, you can replace "<ip_address>" with "localhost".
ncat.exe -v <ip_address> 1514 ## for TCP port 1514
ncat.exe -vu <ip_address> 1514 ## for UDP port 1514
nc -v <ip_address> 1514 ## for TCP port 1514
nc -vu <ip_address> 1514 ## for UDP port 1514
- Check the Sumo Logic Search page to make sure that the data pushed in the chat interface is available.
If the messages appear in the Sumo Logic Search page, the Syslog Source is working as expected, and the problem is more likely that data from the original Syslog clients or from a load balancer is not reaching the configured Syslog port.
Also select the Use Receipt Time check box next to the Start button on the Search page. The Syslog Source uses UTC time by default, and because your test messages carry no timestamp, Sumo Logic interprets them as UTC; without Use Receipt Time, the default Last 15 Minutes time range will not include them.
- If data pushed with ncat from the host where the Collector runs is ingested, but data pushed with ncat from a remote host is not, a firewall rule may be blocking the external data from reaching the Collector host. You may need to add firewall rules that allow inbound traffic on the port the Collector is listening on.
- Note that if the syslog data is missing the end-of-line characters (carriage return and line feed, CR LF or \r\n), the Collector keeps reading from the connection and waits for an end-of-line character until the read times out (typically 2 minutes), which produces the following message in the Collector logs. The fix is to make sure the syslog data includes CR LF line terminators.
2017-05-07 17:20:08,293 -0500 [Thread-2875] ERROR com.sumologic.scala.collector.input.syslog.EventInput - Received event: Exception. server com.sumologic.scala.collector.input.syslog.TCPSyslogServer@45424f69, socketAddress /172.21.36.28:60097 java.net.SocketTimeoutException: Read timed out