As of 3.5, with the pipelines set up to accept both TCP and UDP streams on the same port, Logstash fills up the /var/logstash/-events-errors-.log files. Even when nothing is being sent via TCP, the NGFW still sends an abnormal message to the Logstash server over TCP on port 5514/5516. All of those messages wind up in the file, and if there are enough of them it fills the filesystem.
We don't need TCP for syslog, so it needs to be removed from all pipelines; after that this won't be a problem anymore.
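One way to confirm the TCP listener is gone from every pipeline, as an added example that is not part of the original report: a small checker that finds `tcp` plugins inside `input` sections bound to the ports named above. The sample pipeline text is constructed, and the parser assumes `#` only starts comments (it does not handle `#` inside quoted strings).

```python
import re
import sys

SYSLOG_PORTS = {5514, 5516}  # the ports named in the report

def _block_end(text, open_idx):
    """Return the index just past the brace closing the one at open_idx."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    raise ValueError("unbalanced braces in pipeline config")

def tcp_syslog_inputs(conf_text):
    """Return the sorted syslog ports that still have a tcp *input* listener."""
    text = re.sub(r"#[^\n]*", "", conf_text)  # drop comments (assumption above)
    ports = set()
    for sec in re.finditer(r"\binput\s*\{", text):
        body = text[sec.end():_block_end(text, sec.end() - 1) - 1]
        for plug in re.finditer(r"\btcp\s*\{", body):
            block = body[plug.end():_block_end(body, plug.end() - 1) - 1]
            m = re.search(r'\bport\s*=>\s*"?(\d+)', block)
            if m and int(m.group(1)) in SYSLOG_PORTS:
                ports.add(int(m.group(1)))
    return sorted(ports)

# Constructed sample: the problematic layout (TCP and UDP on the same port).
BEFORE = """
input {
  tcp { port => 5514 type => "syslog" }
  udp { port => 5514 type => "syslog" }
}
output { tcp { host => "127.0.0.1" port => 5516 } }  # an output, not a listener
"""

# Constructed sample: the same pipeline with the TCP input removed.
AFTER = """
input {
  # tcp { port => 5514 type => "syslog" }
  udp { port => 5514 type => "syslog" }
}
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:  # pass the pipeline .conf files to audit
        with open(path) as fh:
            print(path, tcp_syslog_inputs(fh.read()) or "no tcp syslog input")
```

Running it against each pipeline file prints the syslog ports that still have a TCP listener, so an empty result for every file means the change reached all pipelines.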