Second time poster, long time reader:) I´ve a question regarding a scenario when the BigIP are configured with HSL and the remote servers become unavailable, does the BigIP caches the logs locally and send the logs to the HSL servers when the remotes servers are available again?
//Thanks in advance
Ah okey, thx for your info.
I feel I should elaborate so you are better informed as to why this is the case. The high speed logging feature is a mechanism to enable production logging without impacting the performance of the BIG-IP. That is its primary purpose. To that end they bypass syslog entirely and TMM does no processing on the logs at all.
This is why you have to supply the raw facility and level using the calculation provided in RFC5424 Pg.9. local0.info is 150 and local7.info is 190. At the beginning of the message you have to provide this raw value.. <190> Your syslog message
So to answer your question, their is no logs held in reserve because the system is designed around minimal impact to system performance and the most efficient way to achieve that is for TMM to put the messages directly back on the wire (the network) and then its job is done.
Already been answered but thought would add something.
If HSL fails the logs are lost however you can configure the use of a pool which if you set 'Action On Service Down' to 'Reselect' within the pool configuration should be able to limit the lose of logs. This is only valid if you have more than one server you can remote log to.