We have a syslogng connector installed in our ArcSight environment.
This connector (1) is sending the logs as CEF syslog to another connector (2), which is further forwarding the logs to ArcSight ESM/Logger.
We have access to connector 1.
Recently we got a notification that the 300GB /arcsight partition on the connector server was full.
When we checked, we found that the [/arcsight/connectors/connector_name/current/user/agent/agentdata] directory had around 20000 queue files and around 50 cache files, and that this directory was using 250GB out of the 300GB allocated to the /arcsight partition.
We have checked the connection between Connector1 and Connector2 using telnet/netcat; it is showing established for the defined syslog port.
As of now we have copied the files in the [.../agentdata] directory to a different server as a backup.
The property flag for file queueing is defined as,
Need help with addressing the issue.