A Sumo Logic Syslog Source operates like a syslog server listening on the designated port to receive syslog messages. Set your syslog-enabled devices to send syslog data to the same port you specify in Sumo Logic Syslog Source configuration.
For multiple syslog collections, set up a separate Source for each and set a separate port number for each.
If you are editing a Source, metadata changes are reflected going forward. Metadata for previously collected log data will not be retroactively changed.
To configure a Syslog Source:
- In Sumo Logic select Manage Data > Collection > Collection (Manage > Collection in the classic UI).
- Find the name of the Installed Collector to which you'd like to add a Source. Click Add and then choose Add Source from the pop-up menu.
- Select Syslog for the Source type.
- Set the following:
- Name.Type the name you'd like to display for the new Source. Description is optional. Source name metadata is stored in a searchable field called _sourceName.
- Protocol. Select the option that your syslog-enabled devices are currently using to send syslog data (UDP or TCP).
- Port. Type the port number for the Source to listen to. If the Collector runs as root (default), use 514. Otherwise, consider 1514 or 5140. Make sure the devices are sending to the same port.
- Source Category. Enter any string to tag the output collected from this Source with searchable metadata. For example, enter firewall to tag all entries from this Source in a field called _sourceCategory. Type_sourceCategory=firewall in the Search field to return results from this Source. For more information, see Metadata Naming Conventions.
- Set any of the following under Advanced:
- Enable Timestamp Parsing. This option is selected by default. If it's deselected, no timestamp information is parsed at all.
- Time Zone. There are two options for Time Zone. You can use the time zone present in your log files, and then choose an option in case time zone information is missing from a log message. Or, you can have Sumo Logic completely disregard any time zone information present in logs by forcing a time zone. It's very important to have the proper time zone set, no matter which option you choose. If the time zone of logs can't be determined, Sumo Logic assigns logs UTC; if the rest of your logs are from another time zone your search results will be affected.
- Timestamp Format. By default, Sumo Logic will automatically detect the timestamp format of your logs. However, you can manually specify a timestamp format for a Source. See Timestamps, Time Zones, Time Ranges, and Date Formats for more information.
- Create any processing rules you'd like for the new Source.
- When you are finished configuring the Source click Save.
You can return to this dialog and edit the settings for the Source at any time.
Choosing TCP or UDP
When you configure a Syslog Source, you will need to choose a transfer protocol, either TCP or UDP. If your syslog-enabled devices have already been configured using TCP or UDP, choose the same protocol. If you are just setting up your devices, your first choice should probably be TCP.
TCP includes a guaranteed delivery mechanism, meaning that the network layer provides that all of your logs arrive at the Sumo Logic Collector software in order and without any dropped log messages. The downside of this protocol is that it creates more network and CPU overhead than the alternative UDP protocol. However, due to its reliability guarantee, TCP is the recommended protocol unless you have network and CPU utilization concerns that you need to work around due to an extremely high volume of log messages.
The Collector supports single-line TCP messages up to 65,535 bytes.
UDP is a streaming protocol that makes no guarantees of delivery, and as such, log messages may be dropped or arrive out of order. However, in return for this lack of guarantee, UDP does not create the same kind of network and CPU overhead that is created by the TCP protocol. In reality, in most networks, UDP is reliable enough for mission-critical use, however, there may be situations where network traffic storms might cause messages to be dropped or arrive out of order. If this is an unacceptable risk for you, then choose TCP.
Per RFC 5426, the Collector by default supports UDP messages up to 2048 bytes. To increase the UDP message length limit to the maximum datagram size (65k), you can add the following configuration to collector/config/collector.properties and restart the Collector:
collector.syslog.udp.readBufferSize = 65535
Specifying the network interface for a Syslog Source
When configuring a Syslog Source in a computer that has more than one network interface you can specify which network interface the Collector should bind to. This option is set in the collector.properties file.
To specify the network interface:
- Configure the Syslog Source.
- Navigate to collector/config/collector.properties. Open the file in a text editor.
- Add syslog.hostname=your_host_name where your_host_name identifies the network interface you'd like to use.
- Save and close the file.
Troubleshooting Syslog Sources
If data is not being ingested into your Syslog Source, you may need to add firewall rules to allow inbound traffic on the port the Collector is listening on.
For more information, see How to test a Syslog Source in case messages are not ingested.