
SRX210HE2: Syslog cache?

  • 1.  SRX210HE2: Syslog cache?

    Posted 03-01-2021 21:09
    I've been trying to exclude some messages from being sent to the syslog host due to a several-day backlog. I made a change to the match on Feb 27, but it didn't appear to work, so I've been trying over the past few days with different regexes.

    The problem is, I can't seem to find any way of clearing the backlog events from being sent (still sending through events from 2021 Feb 28 04:57:04 despite current time being 2021 Mar 2 13:02:50) to work out if the current regex is excluding or not.

    There is only a host configured, not a file:

    system {
        syslog {
            host x.x.x.x {
                any any;
                match "!(.*RT_FLOW_SESSION_DENY.*out-deny.*|.*RT_FLOW_SESSION_CREATE.*)";
                port 1514;
                source-address x.x.x.x;
            }
        }
    }

    Is there a way to clear the syslog backlog?

    • I've tried restart event-processing immediately, but it still picks up where it left off.
    • I've tried cleaning up files from WebUI (which rotates logs first).
    • I've tried snooping the filesystem, but can't seem to find any cache file.

  • 2.  RE: SRX210HE2: Syslog cache?

    Posted 03-01-2021 21:52
    Scratch that... I found a hidden backlog of the raw files on the syslog server, so it was pretending to look like current events from the SRX when it was just still going through the backlog. It appears the match is now working correctly too.
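An added example, not from either post, that shows the two things this thread turns on: how a negated Junos `match` expression decides which messages a host stanza forwards, and how to tell a receiver that is still draining a backlog (old timestamps) from one that reflects the filter change in real time. The RT_FLOW lines are constructed for illustration, the reference clock is the time quoted in the first post, and the 3600-second staleness threshold is an assumption.

```python
import re
from datetime import datetime

# Junos syslog "match" expression quoted in the first post. A leading "!" negates
# it: a message is forwarded only when the inner regex does NOT match.
MATCH_EXPR = "!(.*RT_FLOW_SESSION_DENY.*out-deny.*|.*RT_FLOW_SESSION_CREATE.*)"

# The "current time" the poster quoted, used as the reference clock below.
NOW = datetime(2021, 3, 2, 13, 2, 50)

def parse_match(expr):
    """Split a Junos-style match expression into (negated, compiled regex)."""
    negated = expr.startswith("!")
    return negated, re.compile(expr[1:] if negated else expr)

def forwarded(expr, message):
    """True if a host stanza with this match expression would send the message."""
    negated, rx = parse_match(expr)
    hit = rx.search(message) is not None
    return (not hit) if negated else hit

def lag_seconds(message, now, year):
    """Age of a message relative to `now`, read from its 'Mon DD HH:MM:SS' prefix.
    Classic syslog timestamps carry no year, so the caller supplies it."""
    stamp = datetime.strptime(message[:15] + f" {year}", "%b %d %H:%M:%S %Y")
    return int((now - stamp).total_seconds())

def triage(lines, now, year, expr=MATCH_EXPR, max_lag=3600):
    """Return (messages the filter forwards, those of them older than max_lag).
    A non-empty second list means the receiver is still draining a backlog,
    not showing the filter change in real time."""
    kept = [m for m in lines if forwarded(expr, m)]
    stale = [m for m in kept if lag_seconds(m, now, year) > max_lag]
    return kept, stale

# Constructed sample lines in RT_FLOW style; not captured from the poster's SRX.
SAMPLE = [
    "Feb 28 04:57:04 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.5/51234->203.0.113.9/53 policy out-deny",
    "Feb 28 04:57:05 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.5/51235->203.0.113.9/443",
    "Feb 28 04:57:06 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 198.51.100.7/4444->10.0.0.5/22 policy in-deny",
    "Mar  2 13:02:40 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed 10.0.0.5/51235->203.0.113.9/443",
]

if __name__ == "__main__":
    kept, stale = triage(SAMPLE, NOW, 2021)
    for m in kept:
        print(("STALE " if m in stale else "fresh ") + m)
```

Run against the receiver's raw files rather than the SRX: a stream of forwarded lines whose lag keeps growing is the backlog the second post describes, while a denied session to an "in-deny" policy passing through shows the filter only drops the out-deny pattern it names.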