syslog-ng puts messages into the disk-buffer file, until the disk-buffer file size reaches disk-buf-size(). Above that size, flow control is triggered. syslog-ng PE completely stops reading incoming messages from the source, making the control window (governed by log_iw_size()) fill up and blocking the sources.
In this configuration, log messages are stored on the disk (and not in the memory), which increases reliability.
Figure 35: Flow control, reliable disk-buffer, no ALTP
Set flags(flow-control) in the log path.
Configure the disk-buffer option. For details, see Example: Example configuration of the reliable disk-buffer.
disk-buffer( mem-buf-size(10485760) # storing 10 MB messages in memory and on disk disk-buf-size(2147483648) # storing 2 GB of messages only on disk reliable(yes) )
This configuration minimizes the loss of log messages in the following situations:
Message loss when syslog-ng PE is stopped or restarted: When syslog-ng is stopped or restarted, the contents of the disk-buffer file do not get lost, greatly increasing reliability.
Also note that the memory buffer is only used as a cache in this configuration. Any data stored in the memory has already been written to the disk-buffer file, which, again, results in more reliability.
In rare cases, the buffers stored on the disk can become corrupted, in which case syslog-ng PE may not able to process all the logs stored in the disk-buffer file.
One drawback of using the reliable disk-buffer option is that the processing of log messages by syslog-ng PE is slower than when messages are stored in the output buffer only, or when using the normal disk-buffer option.
This configuration does not provide protection against the loss of log messages in the following situations:
The example presented here is set in a client-relay-server scenario.
Once messages have been written to the disk-buffer file, the relay returns an acknowledgment to the client.
When the server has successfully received and processed the messages in the batch, it sends an acknowledgment of the processed messages to the relay.
It is only at this point that the relay removes log messages from the disk-buffer file because this is when logs are considered "delivered" to the server.
After receiving the acknowledgment, the sender sends another batch of messages.
This configuration gives you the greatest degree of protection against log message loss. ALTP provides acknowledgment about the successful processing of log messages at the level of the application layer. Even if the reception of log messages has been acknowledged by TCP at the transport layer, log messages are considered delivered only when the syslog-ng PE application has received an acknowledgment from the other syslog-ng PE instance about the successful delivery of log messages.
This mechanism guarantees that log messages are not lost between the client and the relay, or between the relay and the server, or on the relay itself. To minimize the risk of message loss on the client or the server, use flow control and reliable disk-buffer.
Figure 36: Flow control, reliable disk-buffer, ALTP
Set flags(flow-control) in the log path.
Configure the disk-buffer option. For details, see Example: Example configuration of the reliable disk-buffer.
disk-buffer( mem-buf-size(10485760) # storing 10 MB messages in memory and on disk disk-buf-size(2147483648) # storing 2 GB of messages only on disk reliable(yes) )
Enable ALTP by setting transport(rltp). For details, see ALTP options.
This configuration minimizes the loss of log messages in the following situations:
Message loss when syslog-ng PE is stopped or restarted: When syslog-ng is stopped or restarted, the contents of the disk-buffer file do not get lost, greatly increasing reliability.
Also note that the memory buffer is only used as a cache in this configuration. Any data stored in the memory has already been written to the disk-buffer file, which, again, results in more reliability.
In rare cases, the buffers stored on the disk can become corrupted, in which case syslog-ng PE may not able to process all the logs stored in the disk-buffer file.
This configuration results in the slowest processing time out of all the options described in this chapter.
Choosing the ideal configuration for your environment may not always be a straightforward decision. Depending on your use case, it is worth considering which outcome is more desirable (with the following points representing the two opposite ends of the spectrum):
If your application sends its logs through a blocking I/O socket and you prefer not to slow down or stop the application when log messages are arriving in volumes greater than syslog-ng PE is able to process, then consider turning flow control off on the client side. This way, you will not be using the whole application-client-server chain at full capacity, and yet still be able to spot the loss of application log messages at the beginning of the chain already, in the internal logs of the client.
This chapter explains the methods that you can use to customize, reformat, and modify log messages using syslog-ng Premium Edition.
Customizing message format using macros and templates explains how to use templates and macros to change the format of log messages, or the names of logfiles and database tables.
Modifying messages using rewrite rules describes how to use rewrite rules to search and replace certain parts of the message content.
Regular expressions lists the different types of regular expressions that can be used in various syslog-ng PE objects like filters and rewrite rules.
© 2021 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy