
How many syslog messages can a site send to Auvik?


Auvik sets a volume limit on the number of syslog messages processed and retained for each site to ensure optimal performance and manageability. Auvik has a transfer volume limit that defines how many messages can be sent, in total, for each site. The total transfer volume limit on a site is 700,000 messages per managed billable device over a 14-day rolling window.

For example, if you have 3 billable devices on a site with no changes over the 14-day period, your transfer limit would be 700,000 x 3 = 2.1 million messages.

Even if you have more devices forwarding syslog to Auvik, your transfer volume limit is based only on the number of billable devices. So, if you have 10 devices sending syslog, but only 3 are billable devices, your site’s 14-day transfer limit remains at 2.1 million messages.

In addition to this overall site-level limit, Auvik enforces the following per-device constraints:

  • Burst rate limit: Auvik supports up to 100 logs per second per device, with temporary bursts of up to 1,000 logs. If a device exceeds this rate, logs from that device will be dropped.

  • Log size limit: The platform supports log messages up to 2 KB in size. Any log message larger than 2 KB will be truncated, meaning only the first 2 KB of the message will be retained and processed.

It’s also important to note that only messages that are processed and retained will count towards your message limit:

  • If you enable messages with severity levels 5, 6, and 7 to be processed in Manage Filters, those messages count towards your message volume limit.
  • If a device sends messages with severity levels 5, 6, or 7 but you’ve disabled them in Manage Filters, these messages will be discarded by the collector and won’t count towards your message volume limit. 
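The following is an added example, not Auvik code, that applies the limits above to a constructed message stream to show which logs would be dropped, filtered, truncated, or counted. Modelling the burst allowance as a token bucket, checking the rate before the severity filter, and the device names are assumptions.

```python
from collections import defaultdict

PER_DEVICE_14D = 700_000  # messages per billable device, 14-day window (from the article)
RATE_PER_SEC = 100        # sustained logs per second per device (from the article)
BURST = 1_000             # temporary burst allowance in logs (from the article)
MAX_BYTES = 2 * 1024      # 2 KB log size limit (from the article)

def site_limit(billable_devices):
    """14-day transfer limit; non-billable senders do not raise it."""
    return PER_DEVICE_14D * billable_devices

def assess(messages, billable_devices, disabled_severities=frozenset()):
    """messages: (device, unix_ts, severity, size_bytes), time-ordered per device.

    Assumption: bursts behave like a token bucket (capacity BURST, refilled at
    RATE_PER_SEC) and the rate check runs before the severity filter.
    """
    tokens = defaultdict(lambda: float(BURST))
    last_seen = {}
    dropped = defaultdict(int)
    report = {"filtered": 0, "truncated": 0, "counted": 0}
    for device, ts, severity, size in messages:
        elapsed = ts - last_seen.get(device, ts)
        last_seen[device] = ts
        tokens[device] = min(BURST, tokens[device] + elapsed * RATE_PER_SEC)
        if tokens[device] < 1:                 # over the rate: log is lost entirely
            dropped[device] += 1
            continue
        tokens[device] -= 1
        if severity in disabled_severities:    # discarded, does not count
            report["filtered"] += 1
            continue
        if size > MAX_BYTES:                   # kept, but only the first 2 KB
            report["truncated"] += 1
        report["counted"] += 1
    report["rate_dropped"] = dict(dropped)
    report["limit"] = site_limit(billable_devices)
    report["usage_pct"] = round(100 * report["counted"] / report["limit"], 4)
    return report

def sample_messages():
    """Constructed sample: a firewall spike plus three ordinary switch logs."""
    msgs = [("fw-01", 0.0, 4, 300)] * 1500            # 1,500 logs in one instant
    msgs += [("sw-01", 1.0, 6, 120),                  # informational, filtered out
             ("sw-01", 1.5, 3, 4096),                 # oversized, truncated
             ("sw-01", 2.0, 2, 200),
             ("fw-01", 2.0, 4, 300)]                  # bucket has refilled by now
    return msgs

if __name__ == "__main__":
    print(assess(sample_messages(), billable_devices=3, disabled_severities={5, 6, 7}))
```

In the sample, 500 of the firewall's spike messages are lost to the rate limit, which is the gap to look for when reconstructing a timeline from these logs.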

What happens if a site exceeds the volume limit?

If the number of syslog messages exceeds this volume limit, the system will automatically remove the oldest messages until the total volume falls back below the threshold.

If syslog archiving is enabled for the site, the removed messages will be archived before deletion. This ensures you can still access historical logs for compliance or forensic purposes, even if they're no longer visible in the live syslog viewer.

An email notification will be sent to all users with the Super Admin role on the site when the volume limit is exceeded. This provides visibility into the event and allows for timely action.

To prevent hitting the volume limit in the first place:

  • Filter out low-severity messages. Configure your devices to send only messages at a certain severity level or higher (e.g., exclude debug, informational, and notice messages) to reduce noise and conserve storage.

  • Investigate unusual spikes. If there's a sudden increase in syslog volume, investigate the source devices. This could indicate misconfiguration, looping messages, or potential security concerns.

Proactive management of syslog input and storage ensures you retain valuable log data and maintain system performance.

Where can I view the current volume?

You can view the total number of logs processed under Syslog - View Usage. The percentage displayed indicates the number of messages processed divided by the calculated limit.
