We are working on a customer case related to Sentinel, and there are a couple of concerns related to the log forwarder servers (when collecting syslog or CEF from devices like firewalls):
- The customer requires that the solution must ensure event data collection even when the designed capacity limits are exceeded temporarily (e.g. there is a network outage, and after it a lot of firewall log data arrives as a burst).
- Another wish is that there should be a capability to limit network throughput when buffered data is transferred after a network outage.
The question is how the log forwarder handles such a situation. Is the log dropped if the EPS limit of the log forwarder is reached? Is there any buffer for such situations?
And is there any possibility to limit the throughput if log data arrives as a burst?
All suggestions on how to ensure continuous data collection and avoid dropping logs are welcome.
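The two concerns in the post (surviving a burst without dropping events, and bounding the drain rate afterwards) map onto the queue settings of the syslog daemon on the forwarder. The following is an added configuration example, not from the original post or from Microsoft; it assumes the forwarder runs rsyslog (the usual basis of a Linux syslog/CEF forwarder), that the downstream collector address `collector.example.invalid:25226` is a placeholder to be replaced, and that `/var/spool/rsyslog` exists and is writable by the rsyslog user.

```rsyslog
# Added example (not from the original post): a disk-assisted output queue
# on an rsyslog forwarder, so that a burst or an unreachable target spools
# messages to disk instead of dropping them, and the backlog is drained at a
# bounded rate afterwards.

# Accept syslog/CEF from the firewalls. TCP is preferred where the device
# supports it: UDP datagrams that overflow the kernel socket buffer are lost
# before rsyslog ever sees them, and no queue can recover those.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Directory for the on-disk part of the queue (placeholder path; must exist
# and be writable by the rsyslog user).
global(workDirectory="/var/spool/rsyslog")

# Forward everything to the downstream collector (placeholder host and port).
action(
    type="omfwd"
    target="collector.example.invalid" port="25226" protocol="tcp"

    # Retry forever instead of suspending the action and discarding messages
    # while the collector is unreachable; recheck every 30 seconds.
    action.resumeRetryCount="-1"
    action.resumeInterval="30"

    # Disk-assisted in-memory queue: messages stay in RAM until the in-memory
    # part fills (or the target is down), then spill to files under the
    # work directory using the given filename prefix.
    queue.type="LinkedList"
    queue.filename="fwd_collector"
    queue.size="100000"            # max messages held in memory
    queue.highWatermark="80000"    # start writing to disk above this fill level
    queue.lowWatermark="20000"     # stop using disk once drained below this
    queue.maxDiskSpace="8g"        # hard cap for the spool on disk
    queue.maxFileSize="256m"
    queue.checkpointInterval="1000"  # persist queue state every 1000 messages
    queue.saveOnShutdown="on"      # keep unsent messages across a restart
    queue.discardSeverity="8"      # 8 = never discard by severity (default, made explicit)

    # Bound the drain rate after an outage: one worker, a fixed batch size,
    # and a fixed pause (microseconds) between dequeued batches. With 128
    # messages per batch and a 100 ms pause this is on the order of
    # 1,280 messages/s towards the collector; tune both values together.
    queue.workerThreads="1"
    queue.dequeueBatchSize="128"
    queue.dequeueSlowDown="100000"
)
```

Sizing note: the spool is only as good as its limits, so `queue.maxDiskSpace` should be chosen from the expected peak EPS multiplied by the longest outage to be survived, and the disk the work directory lives on should be monitored; once that cap is reached rsyslog can no longer enqueue and events are lost at the input, which is exactly the failure the post wants to avoid. The throttle also only shapes what the forwarder sends onwards; it does not slow the firewalls, so input-side capacity (TCP, a large enough in-memory queue) still has to absorb the burst.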