Advertisement
Should start off that I’m not an expert in Linux, primarily a Windows Engineer. With that said I’m having some trouble limiting Syslog-NG on Ubuntu from using 100% of the local disk.<\/p>\n
In order to ingest Syslog messages from our FortiGates into Microsoft Sentinel, we have to use a log forwarder. In this case its an Ubuntu VM that receives the Syslog messages via Syslog-NG and forwards them up to Microsoft Sentinel. We have zero need to keep these messages on the local VM after being forwarded to Sentinel. No configuration changes have been made since installing Syslog-NG, completely vanilla default.<\/p>\n
How can I change Syslog-NG behavior to receive the message, forward the message and delete from local disk to avoid disk full situations? A Linux for Idiots answer would be extremely helpful, a step by step if anyone could be so kind. Really appreciate any help!<\/p>","upvoteCount":6,"answerCount":5,"datePublished":"2025-04-10T16:01:05.119Z","author":{"@type":"Person","name":"mark31224003","url":"https://community.spiceworks.com/u/mark31224003"},"suggestedAnswer":[{"@type":"Answer","text":"
Should start off that I’m not an expert in Linux, primarily a Windows Engineer. With that said I’m having some trouble limiting Syslog-NG on Ubuntu from using 100% of the local disk.<\/p>\n
In order to ingest Syslog messages from our FortiGates into Microsoft Sentinel, we have to use a log forwarder. In this case its an Ubuntu VM that receives the Syslog messages via Syslog-NG and forwards them up to Microsoft Sentinel. We have zero need to keep these messages on the local VM after being forwarded to Sentinel. No configuration changes have been made since installing Syslog-NG, completely vanilla default.<\/p>\n
How can I change Syslog-NG behavior to receive the message, forward the message and delete from local disk to avoid disk full situations? A Linux for Idiots answer would be extremely helpful, a step by step if anyone could be so kind. Really appreciate any help!<\/p>","upvoteCount":6,"datePublished":"2025-04-10T16:01:05.191Z","url":"https://community.spiceworks.com/t/syslog-ng-using-100-of-disk/1195322/1","author":{"@type":"Person","name":"mark31224003","url":"https://community.spiceworks.com/u/mark31224003"}},{"@type":"Answer","text":"
The configuration format is very simple for syslog-ng, there are 3 sections that you are going to use 99%of the time.<\/p>\n
source - with some squiggle brackets enclosing names of things that make log entries
\ndestination - with squiggle wrapped list of places to forward log data to
\nlog {source(thing);destination(thing) which links them together.<\/p>\n
when the log data is supposed to be put in a file, the place thing in the destination squiggle section is file(‘/some/path/and/filename’)<\/p>\n
I suspect you have that in your config, and don’t want it, sence you are just passing data from one machine to another machine, — unless — someone had to write a log format translator to rewrite the fortigate data stream into aproper compatable format, in which case, yes, you need to write and read it back and now your life is misery because someone can’t follow standards.<\/p>\n
Then you probably need to make a cron job to stop syslog, rename the log file, start it back up again, make sure all that worked, then delete the old one…
\nBut that is a cron thing, not a syslog thing…<\/p>","upvoteCount":4,"datePublished":"2025-04-10T20:26:07.133Z","url":"https://community.spiceworks.com/t/syslog-ng-using-100-of-disk/1195322/2","author":{"@type":"Person","name":"somedude2","url":"https://community.spiceworks.com/u/somedude2"}},{"@type":"Answer","text":"
Thanks for reaching out! Posting my configuration files below. The only thing I’m missing is any callouts to a file. Would you mind taking a look through here and let me know what to change up? Very grateful for your assist.<\/p>\n
/conf.d/azuremonitoragent-tcp.conf<\/strong><\/p>\n destination d_azure_mdsd { log { /etc/syslog-ng/syslog-ng.conf<\/strong> log { source(s_src); filter(f_news); filter(f_crit); destination(d_newscrit); }; #log<\/span> { source(s_src); filter(f_ppp); destination(d_ppp); };<\/p>\n log { source(s_src); filter(f_debug); destination(d_debug); }; log { source(s_src); filter(f_console); destination(d_console_all); destination(d_xconsole); }; #log<\/span> { source(s_src); destination(d_net); };<\/p>\n @include<\/span> “/etc/syslog-ng/conf.d/*.conf”<\/p>\n #source<\/span> s_src { udp( port(514)); tcp( port(514));};<\/a>during install time, we detect if s_src exist, if it does then we<\/h1>\n
<\/a>replace it by appropriate source name like in redhat ‘s_sys’<\/h1>\n
<\/a>Forwrding using tcp<\/h1>\n
\nnetwork(“127.0.0.1”
\nport(28330)
\nflags(no_multi_line)
\nlog-fifo-size(25000));
\n};<\/p>\n
\nsource(s_src); # will be automatically parsed from /etc/syslog-ng/syslog-ng.conf
\ndestination(d_azure_mdsd);
\nflags(flow-control);
\n};<\/p>\n
\n#log<\/span> { source(s_src); filter(f_mail); filter(f_info); destination(d_mailinfo); };
\n#log<\/span> { source(s_src); filter(f_mail); filter(f_warn); destination(d_mailwarn); };
\n#log<\/span> { source(s_src); filter(f_mail); filter(f_err); destination(d_mailerr); };<\/p>\n
\nlog { source(s_src); filter(f_news); filter(f_err); destination(d_newserr); };
\nlog { source(s_src); filter(f_news); filter(f_notice); destination(d_newsnotice); };
\n#log<\/span> { source(s_src); filter(f_cnews); destination(d_console_all); };
\n#log<\/span> { source(s_src); filter(f_cother); destination(d_console_all); };<\/p>\n
\nlog { source(s_src); filter(f_error); destination(d_error); };
\nlog { source(s_src); filter(f_messages); destination(d_messages); };<\/p>\n
\nlog { source(s_src); filter(f_crit); destination(d_console); };<\/p>\n<\/a>All messages send to a remote site<\/h1>\n
<\/a><\/h1>\n
<\/a><\/h3>\n
<\/a>Include all config files in /etc/syslog-ng/conf.d/<\/h1>\n
<\/a><\/h3>\n
\n#source<\/span> s_src { udp( port(514)); tcp( port(514));};
\nsource s_src { udp( port(514)); tcp( port(514));};<\/p>","upvoteCount":1,"datePublished":"2025-04-11T13:25:55.010Z","url":"https://community.spiceworks.com/t/syslog-ng-using-100-of-disk/1195322/3","author":{"@type":"Person","name":"mark31224003","url":"https://community.spiceworks.com/u/mark31224003"}},{"@type":"Answer","text":"