If I have an SRX sending data plane security logs in stream mode to an external syslog server, and that server is unreachable for some reason, does the SRX cache or buffer those security logs until the connection is restored? It seems like I read somewhere that it did with available memory, but once that memory buffer was full it would start dropping the messages. I can't seem to find any documentation about what happens to the log messages when the remote syslog system is unavailable.
I know you can configure multiple syslog servers but I am curious what happens if you only have 1.
Thanks for the help.
The SRX won't buffer the logs.
The syslog messages are sent over UDP, so there is no acknowledgment mechanism for the SRX to detect if the server is available or not. If you see a syslog session, the server doesn't send any packets to the SRX.
Hope this helps.
Thanks for the reply. We are actually using TLS to ship the logs. Sorry I didn't specify that. Not sure if that changes anything. I can see in the 'messages' log when I connect or disconnect from the remote server.
Thanks for the confirmation. Unfortunately after some research I was not able to find any documentation that confirms this. However, if we think about it we can tell that the SRX uses TCP (if we are using TLS) and in absence of an Ack message from the remote peer, TCP will retransmit the data until either a reply is received or the connection times out. During the time that the SRX waits for the Ack message I believe it will buffer the messages until a reply is received or the connection times out, in which case the data will be lost.
When the connection to the server is broken, the SRX will try to get the connection restored and the logs will be saved in a buffer during this period.
Thanks everyone. Good to know. I thought I had read an official Juniper document about this but I cannot find it anymore.