If a Syslog Source is not ingesting messages, you can test it with the following steps:

  1. Once the Syslog Source is configured, on the Collector host, verify that the Collector is listening on the configured port in the output of "netstat -na". A TCP Source shows up as a socket in the LISTEN state; a UDP Source shows up only as a bound udp socket on that port, with no state column. On Linux hosts that do not have netstat installed, "ss -tulnp" shows the same information together with the owning process.

  2. Push some data to that port using netcat in a chat-like session: type a line and press Enter. Netcat is a simple networking utility for reading from and writing to TCP and UDP sockets. It is not included with Windows by default, but you can download the Nmap project's ncat from http://nmap.org/ncat (on Linux it is usually available as the ncat or nc package, and the commands below work the same without the .exe). In the commands below, <ip_address> is the address of the Collector host and 1514 is the port configured on the Source:

ncat.exe -v <ip_address> 1514 ## for TCP port 1514

ncat.exe -vu <ip_address> 1514 ## for UDP port 1514

  3. Then check the Sumo Logic Search page to make sure that the data you typed in the chat-like session is available. Search for the exact string you sent (a unique word or number makes this easy) rather than browsing all messages from the Source.

If the messages are available on the Sumo Logic Search page, the Syslog Source itself is working as expected. The problem is then that data is not reaching the configured port from the original Syslog clients, for example because a load balancer in front of the Collector is not forwarding it.

Also check the Use Receipt Time box next to the Start button on the Search page. The Syslog Source uses UTC by default. Because your test messages carry no timestamp, Sumo Logic assigns them a message time as UTC, which can fall outside the default Last 15 Minutes window and hide them from the search. Use Receipt Time searches by the time the Collector received each message instead, so the test messages show up regardless of the time zone assigned to them.

  4. If ncat data pushed from the host the Collector is running on is ingested, but ncat data pushed from a remote host is not, a firewall rule is probably blocking the external data from reaching the host where the Collector is running. Add firewall rules on the Collector host (and on any network firewall in between) to allow inbound traffic on the port and protocol the Collector is listening on. Note that UDP has no handshake, so a UDP send appears to succeed on the client even when a firewall silently drops it; the only way to tell is whether the message arrives in Sumo Logic.
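The four steps above as one script, an added example rather than Sumo Logic's own tooling: it checks for a bound socket on the port (step 1, meaningful only when run on the Collector host), sends one RFC 3164-style line with a unique marker over TCP or UDP (step 2), prints the marker to search for with Use Receipt Time checked (step 3), and tells you to suspect a firewall when a remote run fails but a local one works (step 4). It assumes ncat on the sending host (falling back to bash's /dev/tcp and /dev/udp pseudo-files) and ss or netstat on the Collector host; the default port 1514, the SUMOTEST marker prefix, the sumo-syslog-test tag and the local0/info priority are arbitrary choices for this example.

```shell
#!/usr/bin/env bash
# Added example (not Sumo Logic's own tooling): automate the Syslog Source
# smoke test. Run it on the Collector host first, then from a remote host;
# the listener check (step 1) only says something about the host it runs on.
#   usage: ./syslog_source_check.sh <collector_ip> [port] [tcp|udp]

# PRI = facility*8 + severity (RFC 3164/5424); local0=16, info=6 -> <134>.
syslog_pri() {
  echo $(( $1 * 8 + $2 ))
}

# A unique marker so the test line is easy to find on the Search page
# (search for it as a quoted string, e.g. "SUMOTEST-1700000000-4242").
new_marker() {
  printf 'SUMOTEST-%s-%s' "$(date +%s)" "$$"
}

# Build an RFC 3164-style line: <PRI>Mmm dd hh:mm:ss host tag: message.
# The header timestamp carries no time zone, so the Source's default (UTC)
# still applies to it; keep Use Receipt Time checked when you search.
build_test_message() {
  local marker=$1 facility=${2:-16} severity=${3:-6} pri host
  pri=$(syslog_pri "$facility" "$severity")
  host=$(hostname -s 2>/dev/null || echo testhost)
  printf '<%d>%s %s sumo-syslog-test: %s' \
    "$pri" "$(date '+%b %e %H:%M:%S')" "$host" "$marker"
}

# Step 1: is anything bound to the port on THIS host? TCP shows LISTEN, a
# UDP socket is merely bound (no state), so match only on the port number.
# Prefers ss, falls back to netstat -na; returns 2 when neither exists.
listener_present() {
  local port=$1 proto=${2:-tcp} pat="[:.]${port}[[:space:]]"
  if command -v ss >/dev/null 2>&1; then
    if [ "$proto" = udp ]; then ss -lnu; else ss -lnt; fi | grep -Eq "$pat"
  elif command -v netstat >/dev/null 2>&1; then
    netstat -na 2>/dev/null | grep -Ei "^[[:space:]]*${proto}" | grep -Eq "$pat"
  else
    return 2
  fi
}

# Step 2: push one line to the Source with ncat (-u for UDP), or with the
# bash /dev/tcp and /dev/udp pseudo-files when ncat is not installed.
send_test_message() {
  local host=$1 port=$2 proto=$3 msg=$4
  if command -v ncat >/dev/null 2>&1; then
    if [ "$proto" = udp ]; then
      printf '%s\n' "$msg" | ncat -u --send-only -w 3 "$host" "$port"
    else
      printf '%s\n' "$msg" | ncat --send-only -w 3 "$host" "$port"
    fi
  else
    printf '%s\n' "$msg" > "/dev/${proto}/${host}/${port}"
  fi
}

main() {
  local host=$1 port=${2:-1514} proto=${3:-tcp} marker msg
  marker=$(new_marker)
  msg=$(build_test_message "$marker")

  if listener_present "$port" "$proto"; then
    echo "OK: a ${proto} socket is bound to port ${port} on this host"
  else
    echo "WARN: no ${proto} socket on port ${port} here (or ss/netstat missing);" \
         "if this is the Collector host, re-check the Source configuration"
  fi

  echo "Sending: ${msg}"
  if send_test_message "$host" "$port" "$proto" "$msg"; then
    echo "Sent. Step 3: search Sumo Logic for \"${marker}\" with Use Receipt Time checked."
    echo "Step 4: if this works from the Collector host but not from here, suspect a firewall."
  else
    echo "FAIL: could not deliver to ${host}:${port}/${proto}"
    return 1
  fi
}

# Run the procedure only when a Collector address is given on the command line.
if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it once per protocol the Source is configured for; a UDP send reports "Sent" even when nothing is listening or a firewall drops the packet, so for UDP the marker turning up (or not) on the Search page is the only real result.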