I was able to reproduce the problem using the logger command from a RH7 
workstation to an rsyslog server running under RH6 so I am fairly certain the 
problem wasn't on the Cisco side.


Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 |
Mobile: 7349151444 | Email: [email protected]
-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:12 PM
To: [email protected]
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

On Tue, 4 Oct 2016 18:02:39 +0000, Scot Kreienkamp wrote:
> Hi Everyone,
>
> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
> repo running in production here.  It's a very busy server, but from
> what I can tell I am not dropping any messages.  The queues are
> usually less than 100 and return to 0 within 60 seconds.  I have had
> the config in place on my server for 1 month now and it had been
> working flawlessly until the end of last month.  I have included the
> relevant part of my config inline below; any comments on tuning or
> help with my problem would be appreciated.
>
> Here's my problem:
>
> Basically, this section of my config is receiving syslogs from an ASA
> firewall and writing them all to dynafile NetworkPerIP.  About 20
> other hosts are also sending logs hitting this rule.  Up through
> 23:59 9-30-2016 all messages that had a tag that contained
> "ASA-5-111010" were also written to another dynafile,
> FirewallChangeLog.  That's what I wanted to happen, and as I said, it
> was working flawlessly until the end of last month.  Since the
> calendar flipped over to Oct 1 the logs have not been written to the
> FirewallChangeLog.  In testing, I simulated a log message from my
> workstation to this rule like so:
> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
> It was written to the FirewallChangeLog but NOT to the NetworkPerIP
> log; it's only written to the NetworkPerIP log if I don't tag it with
> the "ASA-5-111010".  That's what makes me think I'm hitting a bug in
> the code somewhere.  If I copy this config to a test box running
> RHEL7 with the same version of rsyslog and same config it seems to
> work OK.  I haven't tried on another RHEL6.  I am not hitting the
> limit of number of open files, it's set to 15,000 and I'm only at
> 5,000 last I checked.  And lastly, rsyslogd -N1 doesn't show any
> errors.  I went ahead and did the upgrade to RHEL7 since it was on my
> list to upgrade anyway and the problem has disappeared.
>

When I see this sort of thing, I suspect that there is a problem with
the date format being sent by the ASA. Can you send samples of a raw
message (either output with $rawmsg or use the RSYSLOG_DebugFormat)?

I would guess that instead of "Oct  1" it's doing "Oct 1" or something odd
like that. You may want to play around with the pmcisco* modules to try
and fix up the Cisco-specific oddities that we know about.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
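As an added example (my code, not from the thread or the rsyslog project), a Python checker for the date-format hypothesis in David's reply: it tells strict RFC 3164 timestamps (two-character, space-padded day: "Oct  1") from the unpadded form ("Oct 1") in raw samples such as $rawmsg would give you, and flags which of them would also hit the ASA-5-111010 rule. The sample lines, the hostname fw01 and the year are constructed assumptions.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# RFC 3164 timestamp "Mmm dd HH:MM:SS": the day field is always two characters.
STRICT_TS = re.compile(r"(?P<mon>[A-Z][a-z]{2}) (?P<day>[ 0-3]\d) (?P<time>\d\d:\d\d:\d\d) ")
# Tolerant variant: one- or two-digit day after any run of spaces (e.g. "Oct 1").
LOOSE_TS = re.compile(r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")

def parse_header(raw, year=2016):
    """Return (timestamp, host, tag, mode) or None if neither form matches.
    mode is 'strict' or 'loose'; year is an assumption, RFC 3164 carries none."""
    rest = re.sub(r"^<\d{1,3}>", "", raw)            # drop the <PRI> if present
    for mode, rx in (("strict", STRICT_TS), ("loose", LOOSE_TS)):
        m = rx.match(rest)
        if m:
            break
    else:
        return None
    if m.group("mon") not in MONTHS:
        return None
    h, mi, s = (int(x) for x in m.group("time").split(":"))
    ts = datetime(year, MONTHS.index(m.group("mon")) + 1, int(m.group("day")), h, mi, s)
    host, _, body = rest[m.end():].partition(" ")
    tag = body.split(" ", 1)[0]                        # e.g. "%ASA-5-111010:"
    return ts, host, tag, mode

def audit(samples):
    """Per sample: (mode or 'unparsed', would the ASA-5-111010 tag rule match)."""
    out = []
    for raw in samples:
        parsed = parse_header(raw)
        if parsed is None:
            out.append(("unparsed", False))
        else:
            out.append((parsed[3], "ASA-5-111010" in parsed[2]))
    return out

# Constructed samples, not captured from the poster's ASA. Only days 1-9 of a
# month differ between the padded and unpadded forms, hence the Oct 1 onset.
SAMPLES = [
    "<165>Sep 30 23:59:59 fw01 %ASA-5-111010: test 1",   # fine either way
    "<165>Oct  1 00:00:05 fw01 %ASA-5-111010: test 2",   # RFC 3164 padding
    "<165>Oct 1 00:00:05 fw01 %ASA-5-111010: test 3",    # unpadded day
    "<165>Oct 1 00:00:05 fw01 sshd[123]: test 4",        # other tag
]

if __name__ == "__main__":
    for raw, res in zip(SAMPLES, audit(SAMPLES)):
        print(res, raw)
```

Any sample reported as "loose" is one a parser that insists on the two-character day would not accept; that is the subset worth feeding to the pmcisco* modules David mentions.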

