Collector FAQs
This section provides frequently asked questions about collecting data into Sumo Logic and the answers you need.
In this section, we will introduce the following concepts:
📄️ Collector fails to connect to Sumo
For this issue, the failure to connect may be due to the target server failing to respond, or to HTTP 504 or HTTP 408 errors.
📄️ Collector locking log files on Windows servers
The Sumo Logic Collector will hold a log file open for read while log messages are actively being written to the file, and may not close the file for up to a couple of minutes after the log has stopped being written to. In some instances, this could prevent the log file from properly rotating. This issue can be resolved on 64-bit versions of Windows by upgrading to the 64-bit version of the Collector. This is a one-time manual update to existing Collectors. Any further upgrades of the Collectors through the UI will continue to update using the same 64-bit version.
📄️ Windows:
Error messages on Windows: "This Collector does not seem to have tanuki wrapper integration enabled."
📄️ Configure Limits for Collector Caching
Caching of outbound data is supported for Installed Collectors when a Collector is throttled or paused or the connection is broken. Data is cached first in memory and then on disk.
📄️ Delete data already collected to Sumo Logic
Question:
📄️ Enabling updated Remote Windows Event Collection with 19.155 Collector
The 19.155 release of the Sumo Logic Collector introduces a new collection approach for Remote Windows Event sources. The new approach provides increased collection throughput, lower resource consumption, and easier configuration.
📄️ File Locking problems when using Windows UNC with Local File Sources
The contents of this article are only valid for Collector versions later than 19.73.
📄️ Increase Collector Memory
Collectors are set to use 128MB of RAM by default. If your Collectors ingest more than a few files, you should consider increasing the max heap size the Collector can use.
📄️ Increase Max Threads for Collector
The Collector will use three threads per available CPU by default. For example, if you have a six-CPU system, the default number of threads used by Sources would be 18. This may not be enough to keep up with data collection.
📄️ Increase the number of Windows Event messages a Collector can retrieve
The Sumo Logic Collector currently has a hard limit on the number of events a Source can retrieve from an Event Log Source every second. This limit is set to 512 events every 300ms by default. The following message in the Collector logs references this setting.
📄️ How to Ingest Old or Historical Data
The overwhelming majority of log data processed by Sumo are nearly real-time messages. For this reason, Sumo's timestamp detection and data indexing systems are optimized to handle streams of data originating in the recent past.
📄️ Troubleshooting time discrepancies
In most scenarios, the message time and receipt time of a log message in Sumo Logic should be almost the same, within a minute of each other. However, network latency, random (not continuous) spikes in data volume, and service disruptions can cause delays, leading to a discrepancy between message time and receipt time. Large discrepancies can lead to incorrect events being displayed, and may even cause search performance issues. On some occasions, it can also prevent Dashboards from populating with data.
📄️ How can I tell if I'm collecting data?
After installing a Collector and configuring a Source, your data should appear in Sumo Logic in a matter of minutes. How can you confirm that your data is being collected? Try any of the following options.