Hi Everyone,

I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM repo 
running in production here.  It's a very busy server, but from what I can tell 
I am not dropping any messages.  The queues are usually less than 100 and 
return to 0 within 60 seconds.  I have had the config in place on my server for 
1 month now and it had been working flawlessly until the end of last month.  I 
have included the relevant part of my config inline below, any comments on 
tuning or help with my problem would be appreciated.

Here's my problem:

Basically, this section of my config is receiving syslogs from an ASA firewall 
and writing them all to dynafile NetworkPerIP.  About 20 other hosts are also 
sending logs hitting this rule.  Up through 23:59 9-30-2016 all messages that 
had a tag that contained "ASA-5-111010" were also written to another dynafile, 
FirewallChangeLog.  That's what I wanted to happen, and as I said, it was 
working flawlessly until the end of last month.  Since the calendar flipped 
over to Oct 1 the logs have not been written to the FirewallChangeLog.  In 
testing, I simulated a log message from my workstation to this rule like so:  
logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".  It was 
written to the FirewallChangeLog but NOT to the NetworkPerIP log; it's only 
written to the NetworkPerIP log if I don't tag it with the "ASA-5-111010".  
That's what makes me think I'm hitting a bug in the code somewhere.  If I copy 
this config to a test box running RHEL7 with the same version of rsyslog and 
same config it seems to work OK.  I haven't tried on another RHEL6.  I am not 
hitting the limit of number of open files, it's set to 15,000 and I'm only at 
5,000 last I checked.  And lastly, rsyslogd -N1 doesn't show any errors.  I 
went ahead and did the upgrade to RHEL7 since it was on my list to upgrade 
anyway and the problem has disappeared.


Config snippet:

# File name templates: one log per sending IP per day, one shared change log per day
template (name="NetworkPerIP" type="string"
          string="/opt/network/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log")
template (name="FirewallChangeLog" type="string"
          string="/opt/network/FirewallChange/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="Net-1514"
        queue.type="LinkedList"
        queue.size="25000"
        queue.dequeueBatchSize="1024"
        queue.workerThreads="3"
        queue.workerThreadMinimumMessages="1000"
        queue.discardmark="20000"){
        # Every message received by this ruleset goes to the per-IP file
        action(type="omfile" dynafilecachesize="50" DynaFile="NetworkPerIP"
               template="RSYSLOG_TraditionalFileFormat" ioBufferSize="128k"
               flushOnTXEnd="off" asyncWriting="on"
               dirCreateMode="0750" FileCreateMode="0640"
               dirGroup="networksecured" fileGroup="networksecured")
        # Messages tagged ASA-5-111010 are additionally copied to the change log
        if $syslogtag contains "ASA-5-111010" then {
                action(type="omfile" dynafilecachesize="50" DynaFile="FirewallChangeLog"
                       template="RSYSLOG_TraditionalFileFormat" ioBufferSize="128k"
                       flushOnTXEnd="off" asyncWriting="on"
                       dirCreateMode="0750" FileCreateMode="0640"
                       dirGroup="networksecured" fileGroup="networksecured")
        }
        stop
}


input(type="imudp" port="1514" ruleset="Net-1514")
input(type="imptcp" port="1514" ruleset="Net-1514")



Thanks!

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate



_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
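
A reconciliation check for the routing described in the post above, as an added example that is not part of the original post or of rsyslog: it compares the two dynafile outputs for one day and reports ASA-5-111010 lines that reached only one of them. The function names, the sample lines and the address 192.0.2.10 are constructed, and the tag is matched as a substring of the whole line rather than against $syslogtag.

```python
import tempfile
from collections import Counter
from pathlib import Path

TAG = "ASA-5-111010"           # tag the ruleset filters on (from the post)
CHANGE_DIR = "FirewallChange"  # directory used by the FirewallChangeLog template


def read_tagged(path, tag=TAG):
    """Count lines containing the tag; a missing file counts as empty."""
    if not path.is_file():
        return Counter()
    with path.open(errors="replace") as fh:
        return Counter(line.rstrip("\n") for line in fh if tag in line)


def reconcile(root, day, tag=TAG):
    """Compare both outputs for one day (YYYY-MM-DD).

    Returns (missing_from_change_log, missing_from_per_ip) as sorted lists.
    Both actions use the same output template, so lines compare as text.
    """
    root = Path(root)
    per_ip = Counter()
    for host_dir in root.iterdir():
        if host_dir.is_dir() and host_dir.name != CHANGE_DIR:
            per_ip += read_tagged(host_dir / f"{day}.log", tag)
    change = read_tagged(root / CHANGE_DIR / f"{day}.log", tag)
    return (sorted((per_ip - change).elements()),
            sorted((change - per_ip).elements()))


def build_sample(root):
    """Constructed sample tree mirroring the post's /opt/network layout."""
    a = "Oct  1 00:00:05 fw1 %ASA-5-111010: constructed change message"
    b = "Oct  1 00:03:11 fw1 %ASA-5-111010: test Sat Oct  1 00:03:11 2016"
    noise = "Oct  1 00:00:07 fw1 %ASA-6-302013: constructed unrelated message"
    (root / "192.0.2.10").mkdir(parents=True)
    (root / CHANGE_DIR).mkdir()
    (root / "192.0.2.10" / "2016-10-01.log").write_text(f"{a}\n{noise}\n")
    (root / CHANGE_DIR / "2016-10-01.log").write_text(f"{b}\n")
    return a, b


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        only_per_ip, only_change = reconcile(tmp, "2016-10-01")
        print("in per-IP log but not change log:", only_per_ip)
        print("in change log but not per-IP log:", only_change)
```

Run daily against the previous day's files, a non-empty result in either list flags the kind of silent routing gap described in the post.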
