I was able to reproduce the problem using the logger command from a RH7 workstation to an rsyslog server running under RH6 so I am fairly certain the problem wasn't on the Cisco side.
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | Mobile: 7349151444 | Email: [email protected]

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:12 PM
To: [email protected]
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

On Tue, 4 Oct 2016 18:02:39 +0000, Scot Kreienkamp wrote:

> Hi Everyone,
>
> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
> repo running in production here. It's a very busy server, but from
> what I can tell I am not dropping any messages. The queues are
> usually less than 100 and return to 0 within 60 seconds. I have had
> the config in place on my server for 1 month now and it had been
> working flawlessly until the end of last month. I have included the
> relevant part of my config inline below; any comments on tuning or
> help with my problem would be appreciated.
>
> Here's my problem:
>
> Basically, this section of my config is receiving syslogs from an ASA
> firewall and writing them all to dynafile NetworkPerIP. About 20
> other hosts are also sending logs hitting this rule. Up through
> 23:59 9-30-2016 all messages that had a tag that contained "ASA-5-111010"
> were also written to another dynafile, FirewallChangeLog. That's
> what I wanted to happen, and as I said, it was working flawlessly until
> the end of last month. Since the calendar flipped over to Oct 1 the logs
> have not been written to the FirewallChangeLog. In testing, I
> simulated a log message from my workstation to this rule like so:
>
> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)"
>
> It was written to the FirewallChangeLog but NOT to the NetworkPerIP
> log; it's only written to the NetworkPerIP log if I don't tag it with
> the "ASA-5-111010". That's what makes me think I'm hitting a bug in
> the code somewhere.
>
> If I copy this config to a test box running RHEL7
> with the same version of rsyslog and same config it seems to work OK.
> I haven't tried on another RHEL6. I am not hitting the limit of
> number of open files; it's set to 15,000 and I'm only at 5,000 last I
> checked. And lastly, rsyslogd -N1 doesn't show any errors. I went
> ahead and did the upgrade to RHEL7 since it was on my list to upgrade
> anyway and the problem has disappeared.

When I see this sort of thing, I suspect that there is a problem with the date format being sent by the ASA. Can you send samples of a raw message (either output with $rawmsg or use the RSYSLOG_DebugFormat)?

I would guess that instead of "Oct  1" it's doing "Oct 1" or something odd like that.

You may want to play around with the pmcisco* modules to try and fix up the Cisco-specific oddities that we know about.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.

This message is intended only for the individual or entity to which it is addressed. It may contain privileged, confidential information which is exempt from disclosure under applicable laws. If you are not the intended recipient, you are strictly prohibited from disseminating or distributing this information (other than to the intended recipient) or copying this information. If you have received this communication in error, please notify us immediately by e-mail or by telephone at the above number. Thank you.
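The configuration Scot describes is not reproduced on the page, so the following is an added example, written by the editor and not taken from either poster or from the rsyslog project, of the shape such a ruleset takes in rsyslog 8 RainerScript. The listening port, file paths, template names and the `network` ruleset name are assumptions. It writes every message arriving on the port to a per-sender dynafile, additionally writes messages whose tag contains ASA-5-111010 to the change-log dynafile, and, following David's suggestion, dumps those same messages with the built-in RSYSLOG_DebugFormat template and with `$rawmsg`, so the header the ASA actually sent can be compared with what rsyslog parsed out of it (for example whether the day of month arrives space-padded as "Oct  1" or as "Oct 1").

```rsyslog
# Added example (editor's, not Scot's config and not rsyslog project code).
# rsyslog 8 RainerScript. Port 1514, the paths, the template names and the
# ruleset name are assumptions.
module(load="imudp")
input(type="imudp" port="1514" ruleset="network")

# One file per sending host per day, in the spirit of the thread's NetworkPerIP
template(name="NetworkPerIP" type="string"
         string="/var/log/network/%fromhost-ip%/%$year%-%$month%-%$day%.log")

# Firewall configuration-change log (ASA-5-111010), one file per month
template(name="FirewallChangeLog" type="string"
         string="/var/log/network/firewall-changes-%$year%-%$month%.log")

# Receive time plus the untouched wire message, for checking what the ASA sent
template(name="RawWithReceiveTime" type="string"
         string="%timegenerated:::date-rfc3339% %fromhost-ip% raw=[%rawmsg%]\n")

ruleset(name="network") {
    # Unconditional: everything that arrives on this input goes to the
    # per-IP dynafile.
    action(type="omfile" dynaFile="NetworkPerIP")

    # Conditional: the change-log rule. There is no "stop" anywhere in this
    # ruleset, so a message matching here has already been written to
    # NetworkPerIP by the action above and is written to both files.
    if $syslogtag contains "ASA-5-111010" then {
        action(type="omfile" dynaFile="FirewallChangeLog")

        # Diagnostics David asked for: the parsed view (timestamp, host, tag
        # and msg as rsyslog understood them) next to the raw message.
        action(type="omfile" file="/var/log/network/asa-debug.log"
               template="RSYSLOG_DebugFormat")
        action(type="omfile" file="/var/log/network/asa-raw.log"
               template="RawWithReceiveTime")
    }
}
```

`rsyslogd -N1` only validates syntax, so it will not expose a parsing problem; with the two diagnostic actions in place, send the thread's `logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)"` test alongside a message from the ASA itself and compare the `raw=[...]` lines in asa-raw.log with the timestamp and tag fields rsyslog reports for the same messages in asa-debug.log. A message whose header rsyslog did not parse the way its sender intended will show up there as a mismatch between the two files, which is the evidence David asked for before guessing at the cause.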

