What exactly does a Syslog source do when it experiences backpressure?
What exactly does a Syslog source do when it experiences backpressure? Does it close the receiving port?
Answers
-
Assume you are using syslog over TCP here, yes?
0 -
Technically, it will leave the connection open and stop reading data from the socket (i.e. backpressure).
0 -
We use both TCP and UDP. So I guess for UDP, nothing really changes - right?
0 -
Yes, correct: you cannot backpressure UDP; events will be dropped in that case.
0 -
Got it - TY
0 -
The consequence of no longer reading from the TCP buffer is that the TCP/IP stack starts sending a TCP window size of 0 to the client, which makes the client stop sending. This avoids data loss at least on the stream side, and altogether, at least for a little while, if the source can buffer.
0 -
That makes perfect sense. I was just wondering if Cribl stopped listening for UDP traffic or just ignored it.
0
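The behaviour discussed in this thread can be reproduced on loopback with plain sockets. This is an added example, not part of the original thread and not Cribl code: the receiver accepts a TCP connection but stops reading, so the sender stalls while the connection stays open, whereas UDP datagrams sent to an unread socket are silently dropped. The buffer sizes and the sample syslog line are constructed for the demonstration.

```python
import select
import socket

EVENT = b"<134>Jan  1 00:00:00 host app: constructed sample event\n"

def tcp_backpressure():
    """Receiver accepts but does not read; returns (bytes_queued, resumed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 8192)  # small, to stall fast
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 8192)
    cli.connect(srv.getsockname())
    conn, _ = srv.accept()
    cli.setblocking(False)
    queued = 0
    while True:
        try:
            queued += cli.send(EVENT * 64)
        except BlockingIOError:
            # Send buffer full and peer window closed: check the stall persists.
            if not select.select([], [cli], [], 0.5)[1]:
                break
    conn.settimeout(5)
    drained = 0
    while drained < queued:  # receiver starts reading again
        drained += len(conn.recv(65536))
    resumed = bool(select.select([], [cli], [], 5)[1])  # sender writable again
    for s in (cli, conn, srv):
        s.close()
    return queued, resumed

def udp_no_backpressure(count=2000):
    """Sender is never slowed down; returns (datagrams_sent, datagrams_received)."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 4096)
    rx.bind(("127.0.0.1", 0))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for _ in range(count):
        tx.sendto(EVENT.ljust(1000, b"."), rx.getsockname())  # no error on overflow
    received = 0
    while select.select([rx], [], [], 0.2)[0]:
        rx.recv(2048)
        received += 1
    for s in (tx, rx):
        s.close()
    return count, received
```

On the TCP side every byte the sender queued is eventually delivered once the receiver resumes reading; on the UDP side the difference between sent and received is the loss that the sender never sees.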