
How to troubleshoot why my heavy forwarder is unable to keep up with processing log data?

I have a heavy forwarder running on a RHEL 6 server that has 16 processors and 16GB. This heavy forwarder has usually kept up with all of the logs that were sent to it, but a few months ago, I am pretty sure I overwhelmed it. Now, I have moved all of the extra logs off of this server to another server and I am back to the original set of logs that I started with. However, it will not keep up.

The logs are Cisco ASA firewall logs, WSA logs, and some other small volume syslogs. In the inputs.conf file, the WSA logs are set to "batch" mode and all of the rest are in monitor mode.

inputs.conf:

    #### WSA Logs ####
    [batch:///logs/sawmill]
    disabled = 0
    # followTail = 0
    index = wsa
    initCrcLength = 1024
    sourcetype = cisco:wsa:squid
    whitelist = aclog.*
    move_policy = sinkhole
    crcSalt =

Anyone having this same issue? Any help is appreciated. I can post snippets of conf files if it will help.

Thank you in advance,
Ron
