That's why I included the line I was using to test, so that anyone reading my
message had the means to produce whatever output they needed if they chose to
look into it further. I don't have a RH6 machine to try this with anymore. My
solution was to upgrade to RH7 where it was no longer an issue.
logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)"
That logger line, executed on RH7 and delivered to a RH6 host, was not
processed properly. I was filtering it based on syslogtag.
Rsyslog rules I was using:

# one file per sending host per day
template(name="NetworkPerIP" type="string"
         string="/opt/network/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log")
# one extra daily file for messages tagged ASA-5-111010
template(name="FirewallChangeLog" type="string"
         string="/opt/network/FirewallChange/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="Net-1514") {
    # every message arriving on this ruleset goes to the per-IP dynafile
    action(name="Net-1514-omfile" type="omfile" dynafilecachesize="50"
           DynaFile="NetworkPerIP" template="RSYSLOG_TraditionalFileFormat"
           ioBufferSize="128k" flushOnTXEnd="off" asyncWriting="on"
           dirCreateMode="0750" FileCreateMode="0640"
           dirGroup="networksecured" fileGroup="networksecured")
    # messages whose tag contains ASA-5-111010 are additionally written
    # to the FirewallChangeLog dynafile
    if $syslogtag contains "ASA-5-111010" then {
        action(name="Net-1514-FWCH" type="omfile" dynafilecachesize="50"
               DynaFile="FirewallChangeLog" template="RSYSLOG_TraditionalFileFormat"
               ioBufferSize="128k" flushOnTXEnd="off" asyncWriting="on"
               dirCreateMode="0750" FileCreateMode="0640"
               dirGroup="networksecured" fileGroup="networksecured")
    }
    # nothing else should process these messages
    stop
}

input(type="imudp" port="1514" ruleset="Net-1514")
input(type="imptcp" port="1514" ruleset="Net-1514")
Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | |
Mobile: 7349151444 | Email: [email protected]
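As an added illustration (mine, not part of this thread or of rsyslog itself), the Python below models the Net-1514 ruleset above: a minimal RFC 3164 header parser plus the two dynafile templates, returning the paths a datagram would be written to. The sample datagrams, the hostname monws, the sender IPs and the reception clock are constructed, and the parser is a simplification rather than rsyslog's own pmrfc3164.

```python
import re
from datetime import datetime

# Simplified model of the "Net-1514" ruleset from the thread: a BSD (RFC 3164)
# header parser plus the two dynafile templates. Not rsyslog's own parser.
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<mon>[A-Z][a-z]{2}) {1,2}(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:]*:?)"  # tag runs to the first space or colon (colon kept)
    r" ?(?P<msg>.*)$"
)

NETWORK_PER_IP = "/opt/network/{ip}/{year:04d}-{month:02d}-{day:02d}.log"
FIREWALL_CHANGE = "/opt/network/FirewallChange/{year:04d}-{month:02d}-{day:02d}.log"


def parse_bsd_syslog(raw):
    """Return (syslogtag, msg); an unparseable header yields an empty tag."""
    m = BSD_HEADER.match(raw)
    if not m:
        return "", raw
    return m.group("tag"), m.group("msg")


def route_net_1514(fromhost_ip, raw, now):
    """Paths the ruleset writes `raw` to, given the reception clock `now`.

    %$YEAR%/%$MONTH%/%$DAY% are rsyslog system-time properties, so the
    file date follows the clock at processing, not the message timestamp.
    """
    date = dict(year=now.year, month=now.month, day=now.day)
    tag, _ = parse_bsd_syslog(raw)
    paths = [NETWORK_PER_IP.format(ip=fromhost_ip, **date)]
    if "ASA-5-111010" in tag:  # if $syslogtag contains "ASA-5-111010" then
        paths.append(FIREWALL_CHANGE.format(**date))
    return paths  # "stop": no further rulesets see the message


# Constructed sample datagrams and reception clock (not captured traffic).
SAMPLES = [
    ("10.1.1.50", "<13>Oct  1 00:00:05 monws %ASA-5-111010: test Sat Oct  1 00:00:05 EDT 2016"),
    ("10.1.1.51", "<13>Oct  1 00:00:07 sw-core ifdown: port 3 down"),
    ("10.1.1.52", "<13>2016-10-01 00:00:09 monws %ASA-5-111010: odd date format"),
]
CLOCK = datetime(2016, 10, 1, 0, 0, 10)

if __name__ == "__main__":
    for ip, raw in SAMPLES:
        print(ip, "->", route_net_1514(ip, raw, CLOCK))
```

The third sample shows the failure mode David is asking raw samples for: when the header is not parsed as expected, the tag comes back empty, the syslogtag filter never fires, and the message lands only in the per-IP file.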
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:24 PM
To: rsyslog-users
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
On Thu, 27 Oct 2016, Scot Kreienkamp wrote:
> I was able to reproduce the problem using the logger command from a RH7
> workstation to an rsyslog server running under RH6 so I am fairly certain the
> problem wasn't on the Cisco side.
Samples of the raw logs that are being mis-processed would be a huge help.
David Lang
>
> Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
> One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 | |
> Mobile: 7349151444 | Email: [email protected]
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 3:12 PM
> To: [email protected]
> Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
>
> On Tue, 4 Oct 2016 18:02:39 +0000, Scot Kreienkamp wrote:
>> Hi Everyone,
>>
>> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM
>> repo running in production here. It's a very busy server, but from
>> what I can tell I am not dropping any messages. The queues are
>> usually less than 100 and return to 0 within 60 seconds. I have had
>> the config in place on my server for 1 month now and it had been
>> working flawlessly until the end of last month. I have included the
>> relevant part of my config inline below, any comments on tuning or
>> help with my problem would be appreciated.
>>
>> Here's my problem:
>>
>> Basically, this section of my config is receiving syslogs from an ASA
>> firewall and writing them all to dynafile NetworkPerIP. About 20
>> other hosts are also sending logs hitting this rule. Up through
>> 23:59 9-30-2016 all messages that had a tag that contained
>> "ASA-5-111010" were also written to another dynafile,
>> FirewallChangeLog. That's what I wanted to happen, and as I said, it
>> was working flawlessly until the end of last month. Since the
>> calendar flipped over to Oct 1 the logs have not been written to the
>> FirewallChangeLog. In testing, I simulated a log message from my
>> workstation to this rule like so:
>>
>> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)"
>>
>> It was written to the FirewallChangeLog but NOT to the NetworkPerIP
>> log; it's only written to the NetworkPerIP log if I don't tag it with
>> the "ASA-5-111010". That's what makes me think I'm hitting a bug in
>> the code somewhere. If I copy this config to a test box running
>> RHEL7 with the same version of rsyslog and same config it seems to
>> work OK. I haven't tried on another RHEL6. I am not hitting the limit
>> of number of open files, it's set to 15,000 and I'm only at 5,000
>> last I checked. And lastly, rsyslogd -N1 doesn't show any errors. I
>> went ahead and did the upgrade to RHEL7 since it was on my list to
>> upgrade anyway and the problem has disappeared.
>>
>
> When I see this sort of thing, I suspect that there is a problem with
> the date format being sent by the ASA, can you send samples of a raw
> message (either output with $rawmsg or use the RSYSLOG_DebugFormat)
>
> I would guess that instead of Oct 1 it's doing Oct 1 or something odd
> like that. You may want to play around with the pmcisco* modules to try
> and fix up the cisco specific oddities that we know about.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.