Sumologic Troubleshooting




Introduction

In this blog post, we will discuss how to troubleshoot the Sumologic collector: from syslog messages not showing up, to troubleshooting Script Alerts, to changing the interface the collector listens on.




Collector Connection Troubleshooting:

  • First, check the status of the collector on the Sumologic UI.
  • Second, check the connection between the devices sending the logs and the collector.
  • Third, check the local firewall of the collector.
  • Fourth, check the collector status locally.
  • Fifth, check if the java application is listening to the proper port.

Check Collector Status:

  • First, check the collector's status on the Sumologic UI itself.
  • Second, check the status of the collector on the server.
    # go to the Sumologic collector directory
    cd /usr/local/SumoCollector/
    # check the status
    ./collector status
    # check the status of the systemctl
    sudo systemctl status collector.service
  • Third, if the collector is not up and running, you might need to restart the collector and/or the server, or even re-install it.
    PS: On a production system, reach out to Sumologic support first. They have a good support team.

Check Collector Config and Logs:

cd /usr/local/SumoCollector/collector
cat collector.properties 
cat wrapper.conf
cat /usr/local/SumoCollector/logs/collector.log

Connectivity:

  • Check if there is a firewall between the Sumologic collector and the devices sending the logs.
  • Check reachability: run ping and traceroute from the collector to the devices and back.
  • Verify that the data-center firewall is allowing the traffic through.
  • Check the local firewall on the server running the collector
    iptables -L -n
    sudo ufw status verbose
    # if you need to open the port and you are running ufw
    sudo ufw allow <udpPort>/udp
  • Run tcpdump to verify that the traffic is reaching the collector
    sudo tcpdump -n udp port <udpPort>
  • Check if the collector is listening on the correct port.
    sudo netstat -tulpn
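The last step of the connection checklist above and the "is the collector listening" check here can be scripted. The following is an added example (not from the original post): it parses the output of `sudo netstat -tulpn` and `sudo ufw status` and tells you whether java is bound to the syslog UDP port and whether ufw lets the traffic in. The port 1514 and the sample command output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the "is java listening on the right
# port" and "does the local firewall let the traffic in" checks as one script that
# reads the output of `sudo netstat -tulpn` and `sudo ufw status`.
# The port number and sample outputs below are constructed for illustration.

# Print the program bound to UDP <port> (e.g. "java"); print nothing if none.
# netstat -tulpn rows look like: "udp  0  0 0.0.0.0:1514  0.0.0.0:*  2345/java"
listener_for() {
  local port="$1" netstat_out="$2"
  printf '%s\n' "$netstat_out" | awk -v p="$port" '
    $1 ~ /^udp/ && $4 ~ (":" p "$") { sub(/^[0-9]+\//, "", $NF); print $NF; exit }'
}

# Succeed if ufw is inactive or has an explicit ALLOW rule for <port>/udp.
ufw_allows() {
  local port="$1" ufw_out="$2"
  printf '%s\n' "$ufw_out" | grep -q '^Status: inactive' && return 0
  printf '%s\n' "$ufw_out" | grep -Eq "^${port}/udp[[:space:]]+ALLOW"
}

# Combine both checks. Exit code: 0 ok, 1 nothing listening, 2 blocked by ufw.
diagnose() {
  local port="$1" netstat_out="$2" ufw_out="$3" proc
  proc=$(listener_for "$port" "$netstat_out")
  if [ -z "$proc" ]; then
    echo "nothing is listening on udp/$port: check collector status and the source config"
    return 1
  fi
  if ! ufw_allows "$port" "$ufw_out"; then
    echo "$proc is listening on udp/$port but ufw has no ALLOW rule: sudo ufw allow $port/udp"
    return 2
  fi
  echo "ok: $proc is listening on udp/$port and ufw allows it"
}

# Constructed sample output, as a host with a syslog source on udp/1514 would show.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address  Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22     0.0.0.0:*        LISTEN  812/sshd
udp        0      0 0.0.0.0:1514   0.0.0.0:*                2345/java'
SAMPLE_UFW='Status: active
To             Action      From
22/tcp         ALLOW IN    Anywhere
1514/udp       ALLOW IN    Anywhere'

# Run against the live host when given a port: ./check_collector_port.sh 1514
if [ "$#" -ge 1 ]; then
  diagnose "$1" "$(sudo netstat -tulpn)" "$(sudo ufw status)"
fi
```

Run it with the UDP port of your syslog source as the only argument; the exit code distinguishes "collector not listening" from "firewall is blocking", so the two cases can be automated in a health check.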



Script Alerts Troubleshooting:

  • To allow script sources and/or script action sources to run, you will need to enable them by setting the Collector parameter enableScriptSource or enableActionSource in the user.properties file of the Collector.
    enableScriptSource=true
    enableActionSource=true
    Note: Restart the collector to apply the configuration change.
  • Check if alerts are reaching the collector. The log files should be in this directory:
    /usr/local/SumoCollector/alerts/
  • Check if the scripting language is available on your collector. If not, you can run a bash script that in turn runs your script in your favourite programming language.
  • Check that you have the correct FULL PATH of the script and the working directory.
  • Check Sumologic audit logs
    1. Enable Sumologic Auditing under ( Administration > Security > Policies > Sumo Logic Auditing )
    2. Run the search query
      _index=sumologic_audit
  • Useful links: link, link, link



Update Listening Interface:

How to force the collector to use IPv4 to listen for Syslog messages link






Thank you for reading. I hope this has been helpful. If you need any help, don't hesitate to reach out.  We are more than happy to help you in any way we can.