Hi,
- You can try increasing the UDP buffers (both kernel and syslog-ng side) even to multiple GBs.
- If that does not help, you can split the UDP traffic to even more different udp sources (different port is enough). Each source will have its own udp buffer so the chance to fill up decreases.
- The next thing to consider is to place new syslog-ng machines behind the LB.
- Last but not least, I would suggest placing multiple syslog-ng relay servers as close as possible to the original UDP log sources (e.g. one per geolocation/subnet/etc.) and sending the logs to the central syslog-ngs through TCP.
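As an added example (not from the thread), two shell helpers for the first two points above: one reads the kernel's UDP receive-buffer drop counter (RcvbufErrors in /proc/net/snmp) so you can tell whether the buffers are really filling, the other emits several udp sources on consecutive ports, each with its own socket buffer. It assumes the Linux /proc/net/snmp layout and the syslog-ng 3.x network() driver syntax; the sample counters are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux /proc/net/snmp layout and
# syslog-ng 3.x network() driver syntax.

# Print the Udp RcvbufErrors counter from a /proc/net/snmp-format file.
# Each "Udp:" line appears twice: first the header names, then the values.
udp_rcvbuf_errors() {
    awk '$1 == "Udp:" {
            if (!seen) {
                for (i = 2; i <= NF; i++) if ($i == "RcvbufErrors") col = i
                seen = 1
            } else if (col) {
                print $col
            }
         }' "$1"
}

# Write a constructed /proc/net/snmp sample (only the Udp lines matter here)
# to the given path, so the parser can be exercised offline.
write_sample_snmp() {
    cat > "$1" <<'EOF'
Ip: Forwarding DefaultTTL InReceives
Ip: 1 64 123456
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors
Udp: 9876543 12 4720 1200 4711 0 0
EOF
}

# Emit syslog-ng source definitions: $1 = number of sources, $2 = first port,
# $3 = per-socket receive buffer in bytes. The value must not exceed
# net.core.rmem_max or the kernel silently caps it; raise it first with
#   sysctl -w net.core.rmem_max=<bytes>
gen_udp_sources() {
    n=$1; port=$2; buf=$3; i=0
    while [ "$i" -lt "$n" ]; do
        p=$((port + i))
        printf 'source s_udp_%s { network(transport("udp") port(%s) so-rcvbuf(%s)); };\n' \
            "$p" "$p" "$buf"
        i=$((i + 1))
    done
}

# Live use on a syslog-ng host:
#   udp_rcvbuf_errors /proc/net/snmp     # a rising value means datagrams were lost
#   gen_udp_sources 4 5514 67108864 >> /etc/syslog-ng/conf.d/udp-split.conf
```

Sample the counter before and after a busy period; if it keeps growing after raising so-rcvbuf() and rmem_max, add sources or relays as suggested above.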
Hi, in your syslog-ng configuration, change create_dirs(no); to yes, otherwise syslog-ng will only use existing directories.
If that doesn't help, check your SELinux settings and adjust them if needed to permit syslog-ng to write to the directories you want it to.
filter f_new_networkdevices { netmask(192.168.2.1/32) or netmask(192.168.2.2/32); };
log { source(s_tcp_remote); filter(f_new_networkdevices); flags(final); }; # logs to nowhere without a destination
log { source(s_udp_remote); filter(f_new_networkdevices); flags(final); }; # logs to nowhere without a destination
I want to completely drop logs from these IPs for now.
This is not working for me; it is still logging.