This document applies to Syslog entries for Cisco Email Security Appliance (ESA), Cisco Web Security Appliance (WSA), and Cisco Security Management Appliance (SMA).
Why does the appliance continue to push log entries to a Syslog server after the log subscription has been disabled?
Log Subscription has previously been set up to push the log entries to a syslog server. But after disabling the Log Subscription in question, or changing the method to retrieve the logs to something than Syslog Push, the appliance continues to push log entries to the Syslog server.
The appliance is having a buffer of Syslog data that it needs to empty. After this buffer has been emptied, the appliance will stop pushing the log entries to the Syslog server. As the buffer is stored in memory as well as on the hard drives, a reboot will not always clear the buffer.