<div dir="ltr"><div class="gmail_quote"><br><div dir="ltr">Hello Support Team,<div><br></div><div>In the syslog-ng configuration, we have 2 forward rules as follows:</div><div><br></div><div>1. One rule reads from the source (port 514) and writes syslogs to the file for all the syslogs greater than debug.</div><div>2. The second rule reads from the source (port 514) and forwards the syslog to the destination if a set of filter rules match. This set of filter rules is called the whitelist filter rules; these are filter rules containing a match filter and a priority filter in each rule. As there are multiple filter rules, they are ORed to create a main filter rule.</div><div><br></div><div>Now we have syslogs coming in at a rate of 400 eps. Following is our observation:</div><div><br></div><div>A. If the syslog matches the filter in point 2 above, then the following happens:</div><div><ul><li>It is forwarded to the destination provided in point 2.</li><li>Also, at the same time, it is written to a file as per the rule in point 1.</li></ul></div><div><div>B. If the syslog does not match the filter in point 2 above, then the following happens:</div><div><ul><li>It is NOT forwarded to the destination provided in point 2 as there is no match.</li><li>It is supposed to still write to the file as the rule in 1 matches. <b>But this does not happen.</b></li></ul></div><div>We are seeing that if the filter in point 2 matches then both the forward rules get executed immediately and we see the log written to the file also immediately. But in case B, if the syslog does not match, we are seeing that the write to file is happening in bulk for 30 minutes. <b>Why is this? Why does it not write to the file immediately in case (B) but does in case A?</b></div><div><br></div><div>Below is the snap of the config values we are using in syslog-ng.conf:</div><div><br></div><div>
<pre>options {
        flush_lines (100);
        log_fetch_limit(1000);
        log_iw_size(10000);
        time_reopen (10);
        log_fifo_size (10000);
        chain_hostnames (off);
        use_dns (no);
        use_fqdn (no);
        create_dirs (yes);
        keep_hostname (yes);
        threaded(yes);
};</pre>
<br></div><div>Thanks</div><div>Kavita Mohite</div><div><br><div><br></div></div></div></div>
</div><br></div>
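<p>The two log paths described in the mail, reconstructed as a complete syslog-ng configuration. This is an added illustration, not the poster's own config: the source, destination, filter names, match patterns, file path and forwarding host are assumptions (placeholders), and only the <code>options</code> block is taken from the mail. The <code>@version</code> line is omitted; set it to the installed version.</p>

```conf
# Added example (not the poster's configuration). Names, patterns and
# hosts below are placeholders chosen to mirror the description in the mail.
options {
    # Number of lines syslog-ng buffers per destination before writing them
    # out; flush_lines(1) writes each message as it arrives, at the cost of
    # throughput. Prompt file writes matter when the file is your audit trail.
    flush_lines(100);
    log_fetch_limit(1000);
    log_iw_size(10000);
    time_reopen(10);
    log_fifo_size(10000);
    chain_hostnames(off);
    use_dns(no);
    use_fqdn(no);
    create_dirs(yes);
    keep_hostname(yes);
    threaded(yes);
};

# Shared source: both log paths read the same port 514 feed.
source s_net {
    udp(port(514));
    tcp(port(514));
};

# Rule 1: every message with a priority above debug goes to a local file.
filter f_not_debug { level(info..emerg); };
destination d_file { file("/var/log/syslog-ng/all.log"); };   # placeholder path

# Rule 2: whitelist. Each rule is a match filter AND a priority filter;
# the individual rules are ORed into one main filter.
filter f_wl_1 { match("sshd" value("PROGRAM")) and level(warning..emerg); };
filter f_wl_2 { match("Failed password" value("MESSAGE")) and level(info..emerg); };
filter f_whitelist { filter(f_wl_1) or filter(f_wl_2); };
destination d_forward { network("collector.example.invalid" port(514)); };  # placeholder host

# Two independent log statements: a message is evaluated against both, so a
# whitelisted message reaches d_forward and d_file; any other non-debug
# message reaches only d_file.
log { source(s_net); filter(f_not_debug); destination(d_file); };
log { source(s_net); filter(f_whitelist); destination(d_forward); };
```

Validate a change with <code>syslog-ng --syntax-only -f /path/to/syslog-ng.conf</code> before reloading.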