[syslog-ng] syslog-ng buffer and reload

Fabien Wernli wernli at in2p3.fr
Mon Mar 27 10:52:06 UTC 2017


I'm using the disk queue to buffer the writes to elasticsearch.
I noticed the following behaviour:

When reloading the configuration (`syslog-ng-ctl reload`), syslog-ng stops
processing incoming messages (they appear as `dropped` in stats) and starts
emptying the queue. It only starts accepting new messages when the queue is
completely empty.

I understand this is probably an expected behaviour, but in the following
scenario (I just experienced) it poses a problem:

1. some application goes bananas logging at zillions of events per second
2. syslog-ng queue starts filling up
3. crazy app identified: I modify syslog-ng.conf in order to filter out the
4. syslog-ng-ctl reload
5. syslog-ng starts dropping all new messages and emptying the queue
6. I have to wait for the queue to be empty (which can take a long time)

Wouldn't it be saner to continue accepting messages when intercepting the

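One way to measure the log loss described in the post, as an added example that is not part of the original message: it compares two `syslog-ng-ctl stats` snapshots, taken before the reload and while the queue drains, and reports destinations whose `dropped` counter rose in between. The snapshot contents and the destination id `d_elastic#0` are constructed, and the queue counter name (`queued`, or `stored` on older releases) is an assumption.

```python
import csv
import io

# Constructed snapshots in the semicolon-separated layout printed by
# `syslog-ng-ctl stats`. The destination id d_elastic#0 is hypothetical.
HEADER = "SourceName;SourceId;SourceInstance;State;Type;Number\n"
BEFORE_RELOAD = HEADER + (
    "dst.java;d_elastic#0;constructed;a;dropped;0\n"
    "dst.java;d_elastic#0;constructed;a;queued;50000\n"
    "dst.java;d_elastic#0;constructed;a;written;70000\n"
)
DURING_DRAIN = HEADER + (
    "dst.java;d_elastic#0;constructed;a;dropped;8400\n"
    "dst.java;d_elastic#0;constructed;a;queued;31000\n"
    "dst.java;d_elastic#0;constructed;a;written;89000\n"
)


def parse_stats(text):
    """Map (SourceName, SourceId, SourceInstance) -> {Type: Number}."""
    counters = {}
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        key = (row["SourceName"], row["SourceId"], row["SourceInstance"])
        try:
            counters.setdefault(key, {})[row["Type"]] = int(row["Number"])
        except (TypeError, ValueError):
            continue  # malformed or non-numeric row
    return counters


def queue_len(c):
    # Assumption: queue length is reported as "queued", or "stored" on older releases.
    return c.get("queued", c.get("stored", 0))


def loss_during_drain(before, after):
    """Report destinations whose dropped counter rose between two snapshots."""
    old, new = parse_stats(before), parse_stats(after)
    findings = []
    for key, now in sorted(new.items()):
        prev = old.get(key, {})
        delta = now.get("dropped", 0) - prev.get("dropped", 0)
        if delta < 0:  # counter was reset between snapshots
            delta = now.get("dropped", 0)
        if delta > 0:
            draining = queue_len(now) < queue_len(prev)
            findings.append((key[1], delta, queue_len(prev), queue_len(now), draining))
    return findings
```

Feeding it the output of `syslog-ng-ctl stats` captured on a schedule turns a silent drop window into a number that can be alerted on.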