What exactly does a Syslog source do when it experiences backpressure? Does it close the receiving port?
Assume you are using syslog over TCP here, yes?
Technically it will leave the connection open and stop reading data from the socket (i.e. backpressure).
We use both TCP and UDP. So I guess for UDP, nothing really changes - right?
Yes, correct. You cannot backpressure UDP; events will be dropped in that case.
Got it - TY
The consequence of no longer reading from the TCP buffer is that the TCP/IP stack starts sending a TCP window size of 0 to the client, which makes the client stop sending. This avoids data loss at least on the stream side, and altogether, at least for a little while, if the source can buffer.
That makes perfect sense. I was just wondering if Cribl stopped listening for UDP traffic or just ignored it.