One Identity does not support or recommend the periodic restarting of Syslog-ng as the logging service was not designed to be restart periodically.
If the periodic reboots are necessary please follow these guidelines to reduce the risk of log loss:
1.) If using a disk-buffer, ensure reliable disk-queues are used. Reliable disk-queues are more fault-tolerant and ensure that no logs are lost during a reboot.
*NOTE* Reliable disk-queues do read/write slower than the normal disk-queues, please keep this in mind when implementing reliable disk-queues.
For information on enabling reliable disk-queues please consult the Syslog-ng PE Administrative Guide pertaining to the destination being used for destination-specific disk-queue options.
2.) The Syslog-ng PE service should only be stopped when logs are not being written and/or read from the disk-queues as this can cause log loss.
For information on whether or not logs are being written and/or read from the queue files please use one of the following 2 methods:
a.) The Disk Queue Tool - Using the Disk Queue Tool or DQTool, the queues can be queried and checked to ensure the queues are empty before performing a reboot. Please find more information on the Disk Queue Tool here.
b.) Syslog-ng-ctl stats output - By using the following command one can query the syslog-ng-ctl stats to ensure no logs are currently queuing:
/opt/syslog-ng/sbin/syslog-ng-ctl stats | egrep -i 'queued' | egrep -i 'd_' | awk -F";" '{print $2":"$5":"$6}' | sed 's/#0//'