We have recently set up RSyslog (on an Ubuntu 18.04.4 LTS VM) receiving logs from our firewalls and then forwarding them to Azure Sentinel. The problem with syslog is that after a few hours the CPU starts reaching 100% and the connections to each firewall slowly change from ESTABLISHED to CLOSE, and it ultimately stops receiving the logs. Below is the sample output:
I saw the below recommendation when searching on Google:
service rsyslog stop
sed -i -e 's/^\$ModLoad imklog/#\$ModLoad imklog/g' /etc/rsyslog.conf
service rsyslog start
Wondering if anyone knows the root cause and how to fix it? Just in case we use the above solution commands, what exactly will the second command ('sed') do?
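The following is an added example, not part of the question above, that runs the quoted sed edit against a constructed, throwaway copy of an rsyslog.conf so its effect can be inspected before anything on the host is changed. The file contents, the helper names (write_sample_conf, disable_imklog, count_active_imklog) and the temp-file workflow are all constructed for the demonstration; only the sed expression itself is taken from the post.

```shell
#!/bin/sh
# Added example: apply the quoted sed command to a constructed sample config
# and check what it changed. Nothing here touches /etc/rsyslog.conf.

# Write a constructed sample config to the given path. The lines follow the
# legacy "$ModLoad" layout of a stock rsyslog.conf plus one new-style module()
# line, so the example shows which forms the sed expression does and does not hit.
write_sample_conf() {
  cat > "$1" <<'EOF'
# rsyslog.conf (constructed sample, not a real host config)
$ModLoad imuxsock # provides support for local system logging
$ModLoad imklog   # provides kernel logging support
#$ModLoad immark  # provides --MARK-- message capability
module(load="imudp")
input(type="imudp" port="514")
EOF
}

# The sed command from the post, applied to the file given as $1.
# ^ anchors the match to the start of the line, so only an uncommented
# "$ModLoad imklog" is rewritten to "#$ModLoad imklog". A line that is already
# commented, or a new-style module(load="imklog") line, is left untouched.
disable_imklog() {
  sed -i -e 's/^\$ModLoad imklog/#\$ModLoad imklog/g' "$1"
}

# Print the number of lines that still load imklog in either syntax.
# 0 means rsyslog will no longer load the kernel-log input on restart.
count_active_imklog() {
  grep -c -E '^\$ModLoad imklog|^module\(load="imklog"\)' "$1" || true
}

# Stand-alone demonstration on a temp file.
demo() {
  conf=$(mktemp)
  write_sample_conf "$conf"
  echo "before: $(count_active_imklog "$conf") active imklog line(s)"
  disable_imklog "$conf"
  echo "after:  $(count_active_imklog "$conf") active imklog line(s)"
  grep -n 'imklog' "$conf"   # the line now starts with "#$ModLoad imklog"
  rm -f "$conf"
}

demo
```

Running the script prints a count of 1 before and 0 after, and the grep shows the single imklog line now commented out. That is the whole effect of the second command: it disables loading of the imklog (kernel log) input module; the `service rsyslog stop` / `start` around it simply make rsyslog re-read the edited config. Running the sed against the real /etc/rsyslog.conf is only useful if that file still uses the legacy `$ModLoad imklog` form, which the count helper above will tell you.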