Hi all,
Thought I had asked already but I don't see it, so sorry if it's a repost.
I now have the need to switch all my syslog-ng -> SPLUNK feeds over to SUMO. Including json/beats going through syslog-ng :(
Sumo supports syslog tcp/udp collection, so I set up an "Installed Collector" local to the environment. It seems to work fine until you need to match categories in Sumo.
The Sumo config seems to be pretty limited per instance, so I'm looking at spinning up multiple instances of Sumo just to support category mapping. Not happy with the product.
Anyone working with syslog-ng and SUMO who would like to collaborate?
Scot