[syslog-ng] Need clarification on different behavior of forwarding rules in syslog-ng
kavita.mohite at gmail.com
Tue Apr 17 18:20:55 UTC 2018
Hello Support Team,
In the syslog-ng configuration, we have 2 forward rules as follows:
1. One rule reads from source (port 514) and writes syslogs to the file for
all the syslogs greater than debug.
2. Second rule reads from source (port 514) and forwards the syslog to
the destination if a set of filter rules match. This set of filter rules
is called the whitelist filter rules; each rule contains a match filter
and a priority filter. As there are multiple filter rules, they
are ORed to create a main filter rule.
Now we have syslogs coming in at a rate of 400 eps. Following is our
A. If the syslog matches the filter in point 2 above, then following happens
- It is forwarded to the destination provided in point 2.
- Also at the same time it is written to a file as per rule in point 1.
B. If the syslog does not match the filter in point 2 above, then following
- It is NOT forwarded to the destination provided in point 2 as there is
- It is supposed to still write to file as the rule in 1 matches. *But
this does not happen.*
We are seeing that if the filter in point 2 matches then both the forward
rules get executed immediately and we see the log written to file also
immediately. But in case of B, if the syslog does not match we are seeing
that the write to file is happening in bulk for 30 minutes. *Why is this?
Why does it not write to file immediately in case of (B) but does it in
case of A?*
Below is the snap of the config values we are using in the syslog-ng.conf
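Below, as an added example that is not part of the original post, is a syslog-ng.conf reconstructing the two log paths described above; the transport, file path, collector host, match patterns and @version line are assumptions, not values from the poster's configuration.

```conf
@version: 3.14
# Added example (assumed values): two independent log paths over one
# port-514 source, as described in the post.

source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Rule 1: every message more important than debug goes to the local file.
filter f_above_debug { level(info..emerg); };

destination d_file {
    file("/var/log/forwarded/all.log"
         # flush-lines(1) writes each message as it arrives; with a larger
         # value syslog-ng batches writes, so a low-traffic path can appear
         # to write "in bulk". The poster's actual setting is not shown.
         flush-lines(1)
    );
};

# Rule 2: whitelist = OR of per-rule (match AND priority) filters.
filter f_wl_1 { match("sshd" value("PROGRAM")) and level(warning..emerg); };
filter f_wl_2 { match("Failed password" value("MESSAGE")) and level(info..emerg); };
filter f_whitelist { filter(f_wl_1) or filter(f_wl_2); };

destination d_remote {
    network("collector.example.internal" port(514) transport("tcp"));
};

# Without flags(final) on either path, every message is evaluated by both
# log statements, so a non-whitelisted message still reaches d_file.
log { source(s_net); filter(f_above_debug); destination(d_file); };
log { source(s_net); filter(f_whitelist);   destination(d_remote); };
```

To check whether batching explains the delay, compare the effective flush-lines() of the file destination against the observed write pattern; a path that matches neither rule is dropped, so an unmatched message reaching the file confirms rule 1 still fires.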