[syslog-ng] syslog-ng-ctl reload and disbuffer clear
Pal, Laszlo
vlad at vlad.hu
Wed Mar 17 13:54:42 UTC 2021
Hi,
We are using several instances of syslog-ng OSE to send logs to SIEM.
Of course, I'm using diskbuffer and throttle to limit the number of
logs sent and keep my licensing happy :)
However, every time when I change the config and reload syslog-ng it
seems all the logs in the disk buffer is sent in once, so there is
some event drop in SIEM
Is there any way to avoid this?
Here is my relevant part of the config
destination d_siem {
network(
"xxx.xxx.xxx.xxx"
port(514)
suppress(5)
throttle(500)
frac_digits(0)
log_fifo_size(500000)
time_zone("Europe/Budapest")
persist-name("siem_standard")
transport(tcp)
disk-buffer(
mem-buf-length(2000)
disk-buf-size(50000000000)
reliable(no)
dir("/data/syslog-ng/diskbuffer")
)
);
};
Thanks
Laszlo
More information about the syslog-ng
mailing list