I've been trying to exclude some messages from being sent to the syslog host due to a several-day backlog. I made a change to match on Feb 27, but it didn't appear to work, so I've been trying different regexes over the past few days.
The problem is, I can't seem to find any way of clearing the backlog events from being sent (it is still sending through events from 2021 Feb 28 04:57:04 despite the current time being 2021 Mar 2 13:02:50), so I can't work out whether the current regex is excluding or not.
There is only a host configured, not a file:
system {
    syslog {
        host x.x.x.x {
            any any;
            match "!(.*RT_FLOW_SESSION_DENY.*out-deny.*|.*RT_FLOW_SESSION_CREATE.*)";
            port 1514;
            source-address x.x.x.x;
        }
    }
}
Is there a way to clear the syslog backlog?
- I've tried restart event-processing immediately, but it still picks up where it left off.
- I've tried cleaning up files from WebUI (which rotates logs first).
- I've tried snooping the filesystem, but can't seem to find any cache file.
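One way to check offline what the match expression above would forward and what it would drop, independent of the backlog, is to replay it over sample lines. This is an added example, not code from the post; it assumes that a leading `!` in a Junos syslog `match` negates the expression (lines matching are excluded) and that the expression is searched unanchored within each message. The sample messages are constructed.

```python
import re

# The match expression from the post's configuration.
POST_MATCH = "!(.*RT_FLOW_SESSION_DENY.*out-deny.*|.*RT_FLOW_SESSION_CREATE.*)"

# Constructed sample messages (not taken from the device) in the rough
# shape of RT_FLOW events, plus one unrelated line.
SAMPLE_LINES = [
    "RT_FLOW_SESSION_DENY: session denied 10.0.0.5/41000->10.0.1.9/443 policy out-deny",
    "RT_FLOW_SESSION_DENY: session denied 10.0.0.5/41001->10.0.1.9/22 policy in-deny",
    "RT_FLOW_SESSION_CREATE: session created 10.0.0.7/50000->10.0.2.2/80 policy allow-web",
    "RT_FLOW_SESSION_CLOSE: session closed 10.0.0.7/50000->10.0.2.2/80 policy allow-web",
    "UI_COMMIT: User 'admin' requested 'commit' operation",
]


def parse_match(match_expr):
    """Split a Junos-style match string into (negated, compiled regex).

    Assumption: a leading '!' means 'exclude messages matching the rest'.
    The remainder is a POSIX ERE; this pattern is also valid Python re syntax.
    """
    negated = match_expr.startswith("!")
    pattern = match_expr[1:] if negated else match_expr
    return negated, re.compile(pattern)


def forwarded(match_expr, lines):
    """Return the subset of lines the host stanza would forward."""
    negated, rx = parse_match(match_expr)
    kept = []
    for line in lines:
        hit = rx.search(line) is not None
        # Positive match keeps matching lines; negated match keeps the rest.
        if hit != negated:
            kept.append(line)
    return kept


if __name__ == "__main__":
    kept = forwarded(POST_MATCH, SAMPLE_LINES)
    for line in SAMPLE_LINES:
        print(("FORWARD " if line in kept else "DROP    ") + line)
```

With the post's expression, the DENY line on `out-deny` and the CREATE line are dropped, while the DENY on another policy, the CLOSE and the commit message are still forwarded.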