We have updated our Terms of Service, Code of Conduct, and Addendum.

What exactly does a Syslog source do when it experiences backpressure?

Options

What exactly does a Syslog source do when it experiences backpressure? Does it close the receiving port?

Answers

  • Shane Daniels
    Options

    Assume you are using syslog over TCP here yes?

  • Harry Gardner
    Options

    Technically will leave the connection open and stop reading data from the socket (i.e. backpressure).

  • Quinn Stevenson
    Options

    We use both TCP and UDP. So I guess for UDP, nothing really changes - right?

  • Harry Gardner
    Options

    Yes correct, cannot back pressure UDP, events will be dropped in that case.

  • Quinn Stevenson
    Options

    Got it - TY

  • Brandon McCombs
    Options

    The consequence of no longer reading from the tcp buffer is that the tcpip stack starts sending a tcp window size of 0 to the client which makes the client stop sending. This avoid data loss at least on the stream side, and altogether, at least for a little while, if the source can buffer.

  • Quinn Stevenson
    Options

    That makes perfect sense. I was just wondering if Cribl stopped listening for UDP traffic or just ignored it