[syslog-ng] syslog-ng buffer and reload
Jorge Pereira
jpereiran at gmail.com
Mon Mar 27 18:12:57 UTC 2017
+1 (make sense)
--
Jorge Pereira
On Mon, Mar 27, 2017 at 7:52 AM, Fabien Wernli <wernli at in2p3.fr> wrote:
> Hi,
>
> I'm using the disk queue to buffer the writes to elasticsearch.
> I notices the following behaviour:
>
> When reloading the configuration (`syslog-ng-ctl reload`), syslog-ng stops
> processing incoming messages (they appear as `dropped` in stats) and starts
> emptying the queue. It only starts accepting new messages when the queue is
> completely empty.
>
> I understand this is probably an expected behaviour, but in the following
> scenario (I just experienced) it poses a problem:
>
> 1. some application goes bananas logging at zillions of events per second
> 2. syslog-ng queue starts filling up
> 3. crazy app identified: I modify syslog-ng.conf in order to filter out the
> app
> 4. syslog-ng-ctl reload
> 5. syslog-ng starts dropping all new messages and emptying the queue
> 6. I have to wait for the queue to be empty (which can take a long time)
>
> Wouldn't it be saner to continue accepting messages when intercepting the
> HUP?
>
> ____________________________________________________________
> __________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?
> product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20170327/776bfd20/attachment.html>
More information about the syslog-ng
mailing list