Troubleshooting
Loggly is easy to use, but the difficulty in getting logs into Loggly can depend heavily on your current logging solution and network setup. If you are having issues, here are a few tips on tracking down where things are going wrong.
Do you have an input defined?
Loggly receives events via syslog and HTTP inputs, both of which can be managed via the input page. For syslog inputs, check that you have an input available to send data to by clicking on the 'input' tab at the top of your account.
If you don't have an input, create one by clicking on 'new input'.
Are you using the right protocol with your input?
Syslog UDP inputs differ from syslog TCP inputs. If you use a TCP input, you'll need to send data to us over TCP, and if you are using a UDP input you need to send us data over UDP. If you are using a TCP input, you'll need to make sure the syslog server you are running supports sending data over TCP to custom ports.
For syslog servers other than Syslog-NG, prefix the destination hostname with @@ for TCP connections, and with @ for UDP connections.
TCP Example
*.* @@logs.loggly.com:<port>
UDP Example
*.* @logs.loggly.com:<port>
Is the input receiving data and is it in Discovery mode?
The indicator lights next to each input show whether it has received data recently. If it's green, it has received data in the last 5 minutes. If the light is red, or flashing red, you may need to put your input into discovery mode.
Syslog inputs will block unauthorized IPs from sending them data by default. To allow a device to send data to a given syslog input, put the syslog input in Discovery Mode by clicking on the on/off switch next to it on the input list, or on the input detail page.
You can also use the API to add a device/host to an input to allow it to send in data to your account.
HTTP inputs don't use discovery mode as they are authenticated with a hash.
Can you connect to logs.loggly.com?
Check connectivity from your server to Loggly's syslog servers by doing a regular ol' ping:
ping logs.loggly.com
You should get a response:
64 bytes from 75.101.142.96: icmp_seq=0 ttl=50 time=98.997 ms
If your input is a TCP input, you should check if your server can connect to the input's port number:
telnet logs.loggly.com 13337
You should get an established connection. You can try typing something and then hitting enter, then something else, and again. You can get out of telnet by pressing ctrl-].
Note: Be sure to replace 13337 with the actual port number listed on your input page!
Can you see connections to the right port?
You can check the output of netstat to see if your machine is connecting correctly to Loggly (changing 13337 to the correct port of course):
netstat -anlp | grep 13337
You should see ESTABLISHED connections:
tcp 0 0 111.11.233.37:52432 75.101.142.96:12222 ESTABLISHED 13337/syslog-ng
If Loggly or a firewall is blocking connections, you may see something like this:
tcp 0 1 111.11.233.37:58524 75.101.142.96:22222 SYN_SENT 13337/syslog-ng
Be sure you check that your input is in discovery mode!
Can you see netflow data?
If you have the ability to capture packets on your box, you can check to see if there is data flowing to Loggly from your syslog process:
tcpdump port 13337
You can also specify the protocol if you are running UDP:
tcpdump udp port 13337
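As an added example (not Loggly's own code), the POSIX shell helper below automates two of the checks above offline: it verifies that a syslog forwarding rule uses the @@ or @ marker that matches the input's protocol, and it reports the TCP state that netstat shows for the connection to the input's port. logs.loggly.com comes from the page; the port 13337, the local addresses and the PID in the sample netstat lines are constructed.

```shell
#!/bin/sh
# Added example, not Loggly's own tooling. Replace the port with the one
# shown on your input page; logs.loggly.com is the host named in this guide.
LOGGLY_HOST="logs.loggly.com"

# check_syslog_line LINE PROTO: confirm a forwarding rule matches the input's
# protocol (@@ = TCP, @ = UDP). Returns 0 when consistent, 1 otherwise.
check_syslog_line() {
  line="$1"; proto="$2"
  case "$line" in                       # test @@ before @, since @ also matches @@
    *"@@$LOGGLY_HOST:"*) have=tcp ;;
    *"@$LOGGLY_HOST:"*)  have=udp ;;
    *) echo "no forwarding rule for $LOGGLY_HOST found"; return 1 ;;
  esac
  if [ "$have" = "$proto" ]; then
    echo "ok: rule sends over $have"
    return 0
  fi
  echo "mismatch: rule sends over $have but the input expects $proto"
  return 1
}

# connection_state NETSTAT_OUTPUT PORT: print the state (ESTABLISHED, SYN_SENT,
# ...) of the TCP connection whose remote port is PORT, or NONE if absent.
connection_state() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 ~ /^tcp/ && $5 ~ (":" port "$") { state = $6 }
    END { print (state == "" ? "NONE" : state) }'
}

# explain_state STATE: what each state means for the checks in this guide.
explain_state() {
  case "$1" in
    ESTABLISHED) echo "connected: the syslog process is talking to Loggly" ;;
    SYN_SENT)    echo "handshake never completed: check discovery mode and firewalls" ;;
    NONE)        echo "no connection attempt seen: check the forwarding rule and restart syslog" ;;
  esac
}

# Constructed sample netstat -anlp lines (not captured from a real host):
SAMPLE_OK="tcp 0 0 10.0.0.5:52432 75.101.142.96:13337 ESTABLISHED 4242/syslog-ng"
SAMPLE_BLOCKED="tcp 0 1 10.0.0.5:58524 75.101.142.96:13337 SYN_SENT 4242/syslog-ng"

check_syslog_line "*.* @@$LOGGLY_HOST:13337" tcp
explain_state "$(connection_state "$SAMPLE_OK" 13337)"
explain_state "$(connection_state "$SAMPLE_BLOCKED" 13337)"
```

On a live host, feed the real output in with connection_state "$(netstat -anlp)" PORT.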
