On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

I was able to reproduce the problem using the logger command from a RH7 
workstation to an rsyslog server running under RH6 so I am fairly certain the 
problem wasn't on the Cisco side.

Samples of the raw logs that are being mis-processed would be a huge help.

David Lang


Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 |
Mobile: 7349151444 | Email: scot.kreienk...@la-z-boy.com
-----Original Message-----
From: rsyslog-boun...@lists.adiscon.com 
[mailto:rsyslog-boun...@lists.adiscon.com] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:12 PM
To: rsyslog@lists.adiscon.com
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

On Tue, 4 Oct 2016 18:02:39 +0000, Scot Kreienkamp wrote:
Hi Everyone,

I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
repo running in production here.  It's a very busy server, but from
what I can tell I am not dropping any messages.  The queues are
usually less than 100 and return to 0 within 60 seconds.  I have had
the config in place on my server for 1 month now and it had been
working flawlessly until the end of last month.  I have included the
relevant part of my config inline below, any comments on tuning or
help with my problem would be appreciated.

Here's my problem:

Basically, this section of my config is receiving syslogs from an ASA
firewall and writing them all to dynafile NetworkPerIP.  About 20
other hosts are also sending logs hitting this rule.  Up through 23:59
9-30-2016 all messages that had a tag that contained "ASA-5-111010"
were also written to another dynafile, FirewallChangeLog.  That's what
I wanted to happen, and as I said, it was working flawlessly until the
end of last month.  Since the calendar flipped over to Oct 1 the logs
have not been written to the FirewallChangeLog.  In testing, I
simulated a log message from my workstation to this rule like so:

logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)"

It was written to the FirewallChangeLog but NOT to the NetworkPerIP
log; it's only written to the NetworkPerIP log if I don't tag it with
the "ASA-5-111010".  That's what makes me think I'm hitting a bug in
the code somewhere.  If I copy this config to a test box running RHEL7
with the same version of rsyslog and same config it seems to work OK.
I haven't tried on another RHEL6.  I am not hitting the limit of
number of open files, it's set to 15,000 and I'm only at 5,000 last I
checked.  And lastly, rsyslogd -N1 doesn't show any errors.  I went
ahead and did the upgrade to RHEL7 since it was on my list to upgrade
anyway and the problem has disappeared.


When I see this sort of thing, I suspect that there is a problem with
the date format being sent by the ASA.  Can you send samples of a raw
message (either output with $rawmsg or use the RSYSLOG_DebugFormat)?

I would guess that instead of Oct  1 it's doing Oct 1 or something odd
like that. You may want to play around with the pmcisco* modules to try
and fix up the cisco specific oddities that we know about.

David Lang
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.


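A worked illustration of the failure mode David Lang guesses at above: a single-digit day sent as "Oct 1" instead of the RFC 3164 space-padded "Oct  1". This is an added example, not code from the thread or from rsyslog. It models a generic BSD-syslog receiver that, when the header timestamp fails to parse, stamps its own time and keeps tokenising from where it stands, so HOSTNAME and TAG are pulled from the wrong tokens and a selector on the tag silently stops matching on the first of the month. The sample lines, the hostname asa01 and the receive time are constructed; the "stamp and carry on" fallback is an assumed behaviour of the model, not a description of rsyslog's parser chain.

```python
import re
from datetime import datetime

# Constructed sample lines (not captured from the poster's ASA) as a UDP syslog
# receiver would see them just before and just after the day of month dropped
# to one digit. The second line carries a single space before the day.
SAMPLES = {
    "padded":   "<165>Sep 30 23:59:12 asa01 %ASA-5-111010: User 'admin', running 'CLI' "
                "from IP 10.0.0.5, executed 'logging host inside 10.1.1.1'",
    "unpadded": "<165>Oct 1 00:00:03 asa01 %ASA-5-111010: User 'admin', running 'CLI' "
                "from IP 10.0.0.5, executed 'logging host inside 10.1.1.1'",
}

CHANGE_MSG_ID = "ASA-5-111010"   # the message ID the poster's selector looks for

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# RFC 3164 section 4.1.2: "Mmm dd hh:mm:ss", days 1-9 written as a space plus one digit.
STRICT_TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>[ 0-3]\d) (?P<time>\d\d:\d\d:\d\d) ")
# Tolerant variant: any run of spaces and a one- or two-digit day.
LENIENT_TS_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")


def parse_rfc3164(line, strict=True, received_at=None):
    """Split a BSD-syslog line into PRI, timestamp, HOSTNAME, TAG and MSG.

    Assumed receiver behaviour (a model, not rsyslog's parser chain): when the
    header timestamp does not parse, the receiver stamps the message with its
    own clock and keeps tokenising from where it stands, so the first token of
    the unparsed text becomes HOSTNAME and the next becomes TAG.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI>")
    pri = int(m.group("pri"))
    rest = line[m.end():]

    ts = (STRICT_TS_RE if strict else LENIENT_TS_RE).match(rest)
    if ts:
        # Normalise to the RFC form so downstream templates always see "Oct  1".
        timestamp = f"{ts.group('mon')} {int(ts.group('day')):2d} {ts.group('time')}"
        rest = rest[ts.end():]
        from_header = True
    else:
        now = received_at or datetime.now()
        timestamp = f"{now.strftime('%b')} {now.day:2d} {now.strftime('%H:%M:%S')}"
        from_header = False

    host, _, rest = rest.partition(" ")
    tag, _, msg = rest.partition(" ")
    return {
        "facility": pri >> 3, "severity": pri & 7,
        "timestamp": timestamp, "ts_from_header": from_header,
        "host": host, "tag": tag, "msg": msg,
    }


def firewall_change_rule(parsed):
    """The poster's selector reduced to its essence: does the TAG carry the ID?"""
    return CHANGE_MSG_ID in parsed["tag"]


def triage(samples=SAMPLES, received_at=datetime(2016, 10, 1, 0, 0, 4)):
    """Run every sample through both parsers (constructed receive time for
    reproducibility). Returns {(sample, mode): (ts_from_header, host, tag, matched)}."""
    out = {}
    for name, line in samples.items():
        for mode in ("strict", "lenient"):
            p = parse_rfc3164(line, strict=(mode == "strict"), received_at=received_at)
            out[(name, mode)] = (p["ts_from_header"], p["host"], p["tag"], firewall_change_rule(p))
    return out


if __name__ == "__main__":
    for (name, mode), (from_hdr, host, tag, hit) in triage().items():
        print(f"{name:9s} {mode:8s} ts_from_header={from_hdr!s:5s} host={host!r:9s} "
              f"tag={tag!r:17s} change_rule={'MATCH' if hit else 'miss'}")
```

Under the strict parser the unpadded line comes out with host "Oct" and tag "1", so the change rule misses exactly from midnight on the first; the lenient parser recovers it. The same comparison against real captured $rawmsg output, next to the hostname and syslogtag the server actually derived, is the check David asks for, and it is what decides whether a pmcisco* parser module or a tolerant custom parser is the right fix.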
