Thanks, the hint about the message beginning with the letter z helped a lot.
The error "Uncompression of a message failed with return code -3" is generated by the rsyslog instance on the master node. It seems that messages get mixed up or truncated during the forwarding: 2016-01-22T19:15:14.150225+02:00 MN rsyslogd: Uncompression of a message failed with return code -3 - enable debug logging if you need further information. Message ignored. [v8.10.0] 2016-01-22T19:15:14.150201+02:00 zing cgroup subsys cpuset As you can see above, the kernel log "Initializing cgroup subsys cpuset" was cut, and the part "zing cgroup subsys cpuset" arrived separately. Since it starts with a z, it causes this error to appear. The template we use for forwarding is: template(name="ForwardFormat" type="string" string="<%PRI%>%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag:1:32%%msg:::sp-if-no-1st-sp%%msg%\n") I am concerned about the '\n' at the end. I removed it and forwarding worked OK. Do you think it is causing problems? Do you see anything else suspicious in the template? Also the forwarding is done in an awkward way: if ( $syslogfacility-text == 'auth' or $syslogfacility-text == 'authpriv' ) then @@Log:1025;ForwardFormat # warning or higher level logs are forwarded to master syslog *.warn @@Log:1025;ForwardFormat # rest of logs go to master-syslog *.* @@Log:1025;ForwardFormat >From the above it seems that an auth.err log will be forwarded three times, as >forwarded logs are not dropped. Do you think this might cause this error? Thanks for the help! Best regards, Klearchos -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of EXT Peter Portante Sent: Friday, January 22, 2016 2:56 PM To: rsyslog-users <[email protected]> Subject: Re: [rsyslog] Error message "Uncompression of a message failed" with no compression specified On Fri, Jan 22, 2016 at 6:22 AM, Chaloulos, Klearchos (Nokia - GR/Athens) < [email protected]> wrote: > Hello, > > I am using a logging setup in a cluster of virtual machines(nodes), where > the flow of logs is like this: > > Systemd-journald - > rsyslog local on all nodes of cluster -> rsyslog > master on master node. > > I see the following error: "Uncompression of a message failed with return > code -3". This comes from the rsyslog message parser where it seeks to decompress a message it sees beginning with the letter "z". If it fails to successfully decompress the message, it emits this error and ignores the message. > What puzzles me is that I have not specified any compression in the > rsyslog configuration. Is it possible for this error to appear when no > compression is explicitly specified? > Which instance of the rsyslog process is emitting the message, the one local on all cluster nodes or the rsyslog instance on the master node? If it is the latter, what is the template being used to send log data to the master? -peter > > There is no compression enabled in systemd-journald either. > > Best regards, > > Klearchos > > _______________________________________________ > rsyslog mailing list > http://lists.adiscon.net/mailman/listinfo/rsyslog > http://www.rsyslog.com/professional-services/ > What's up with rsyslog? Follow https://twitter.com/rgerhards > NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad > of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you > DON'T LIKE THAT. > _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT. _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com/professional-services/ What's up with rsyslog? Follow https://twitter.com/rgerhards NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
