After following up on netflow2001's disk usage alert I discovered that logs are spammed by the following (over and over, even on netflow1001):
Dec 13 08:26:31 netflow2001 fastnetmon: 1576225591 INFO : Received ipfix options flowset id, which is not supported
Dec 13 08:26:31 netflow2001 fastnetmon: 1576225591 INFO : We don't have a template for flowset_id: 513 but it's not an error if this message disappears in 5-10 seconds. We need some time to learn it!
From a quick search I found https://github.com/pavel-odintsov/fastnetmon/issues/618, not sure if related or not (talks about sampling that we do use, so possibly).
One issue is that fastnetmon's service unit doesn't have any SyslogIdentifier field, so all logs go to /var/log/user.log/messages/syslog/etc. A spam amplifier basically :)