This section describes how to empty disk-buffer files used in syslog-ng Premium Edition (syslog-ng PE).
Caution:
Hazard of data loss! You must stop log reception to be able to empty a disk-buffer. If you fail to stop log reception before emptying a disk-buffer, your newly received log messages may get stored in the disk-buffer, overwriting your previous log messages. To avoid log loss, One Identity recommends that you redirect your logs to a different syslog server when emptying your disk-buffer files.
NOTE: Consider the following while reading this section:
This section uses a simple example configuration with one source and one destination with disk-buffer.
If you are not familiar with disk-buffers, or you are not sure which of your destinations use a disk-buffer, One Identity recommends that you do not proceed with emptying your disk-buffer files. Instead, One Identity recommends that you contact our Support Team and open a service request. When opening the service request, describe your issue and attach a collected debug bundle from your system.
For more information about collecting a debug bundle for Microsoft Windows, see How to create a syslog-ng debug bundle archive on Windows operating system.
For more information about collecting a debug bundle for Linux or Unix OS, see How to create a syslog-ng debug bundle on Linux Or Unix operating system.
Recommendation
One Identity recommends that you empty your disk-buffer files before you begin the following:
- Upgrading syslog-ng Premium Edition (syslog-ng PE) from version 6 to 7.
- Changing the configuration of a remote destination with disk-buffer.
- Applying a solution that includes the removal of the syslog-ng PE persistent file.
Example configuration for emptying disk-buffer files
This section uses the following example configuration to describe how to empty disk-buffer files:

    source s_net {
        network();
    };

    destination d_logserver {
        network("10.21.10.20"
            port(514)
            disk-buffer(
                disk-buf-size(2000000)
            )
        );
    };

    log {
        source(s_net);
        destination(d_logserver);
    };
To empty disk-buffer files:
- Name the disk-buffer file to empty and the destination statement using it.
  If you are not sure which disk-buffer file to empty, or which destination statement uses the disk-buffer file in question, you can use one of the following methods:
  - Check the list and the status of the disk-buffer files.
    Examples
    - Non-empty disk-buffer file

          Disk-buffer state loaded; filename='/opt/syslog-ng/var/syslog-ng-00000.qf', qout_length='0', qbacklog_length='0', qoverflow_length='0', qdisk_length='3006'

    - IP:PORT information of the destination with the disk-buffer in use

          afsocket_dd_qfile(stream,10.21.10.20:514) = { "queue_file": "/opt/syslog-ng/var/syslog-ng-00000.qf" }

    For more information about querying disk-buffer files, see Information about disk-buffer files.
  - Find the destination statement in the syslog-ng PE configuration using the IP:PORT information.

        destination d_logserver {
            network("10.21.10.20"
                port(514)
                disk-buffer(
                    disk-buf-size(2000000)
                )
            );
        };

- Locate the log statements that use the destination statement you named previously.
- Disable the sources in the log statements.
  Add '#' at the beginning of all source() entries in the log paths.

      log {
          #source(s_net);
          destination(d_logserver);
      }

- Reload syslog-ng PE by entering the /opt/syslog-ng/sbin/syslog-ng-ctl reload command.
- Check the disk-buffer file status.
  For more information, see Getting the status information of disk-buffer files.
- To enable the sources again, remove '#' from the log paths and reload syslog-ng PE.
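
The status check in this procedure can be scripted. The following added example (not part of the original documentation or One Identity tooling) parses the two line formats shown above, reports whether each queue file still holds messages, and names the destination it belongs to. It assumes a buffer is empty when all four length counters are zero; the function names are hypothetical.

```shell
# Added example (not One Identity code); input formats are the page's sample lines.

# stdin: status lines. stdout: "<queue file> <messages still queued>".
# Assumption: queued = sum of the four q*_length counters.
qf_pending() {
    awk -F"'" '/Disk-buffer state loaded/ {
        file = ""; total = 0
        for (i = 1; i < NF; i += 2) {          # odd fields: key, even: value
            key = $i; val = $(i + 1)
            sub(/^.*[ ;,]/, "", key); sub(/=$/, "", key)
            if (key == "filename") file = val
            else if (key ~ /^q[a-z]+_length$/) total += val
        }
        print file, total
    }'
}

# stdin: persist entries. stdout: "<queue file> <IP:PORT of destination>".
qf_destination() {
    sed -n 's/^afsocket_dd_qfile([a-z]*,\([^)]*\)) = { "queue_file": "\([^"]*\)" }.*$/\2 \1/p'
}

# $1: status text, $2: persist text. Returns 0 only if every buffer is empty.
drain_report() {
    rc=0
    while read -r file pending; do
        [ -n "$file" ] || continue
        dest=$(printf '%s\n' "$2" | qf_destination |
               awk -v f="$file" '$1 == f { print $2 }')
        if [ "$pending" -eq 0 ]; then
            echo "EMPTY   $file -> ${dest:-unknown}"
        else
            echo "PENDING $file -> ${dest:-unknown} ($pending messages)"
            rc=1
        fi
    done <<EOF
$(printf '%s\n' "$1" | qf_pending)
EOF
    return "$rc"
}

# Sample input: BEFORE and PERSIST are the page's lines; AFTER is constructed.
QF=/opt/syslog-ng/var/syslog-ng-00000.qf
COUNTERS="qout_length='0', qbacklog_length='0', qoverflow_length='0'"
STATUS_BEFORE="Disk-buffer state loaded; filename='$QF', $COUNTERS, qdisk_length='3006'"
STATUS_AFTER="Disk-buffer state loaded; filename='$QF', $COUNTERS, qdisk_length='0'"
PERSIST="afsocket_dd_qfile(stream,10.21.10.20:514) = { \"queue_file\": \"$QF\" }"
drain_report "$STATUS_BEFORE" "$PERSIST" || echo "=> keep sources disabled"
drain_report "$STATUS_AFTER" "$PERSIST" && echo "=> buffer drained"
```

A non-zero return from drain_report means at least one buffer still holds messages, so the sources should stay disabled until a later check returns zero.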