That's why I included the line I was using to test, so that anyone reading my 
message had the means to produce whatever output they needed if they chose to 
look into it further.  I don't have a RH6 machine to try this with anymore.  My 
solution was to upgrade to RH7 where it was no longer an issue.

logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test  $(date)"

That logger line, executed on RH7 and delivered to a RH6 host, was not 
processed properly.  I was filtering it based on syslogtag.

Rsyslog rules I was using:

template(name="NetworkPerIP" type="string"
         string="/opt/network/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log")
template(name="FirewallChangeLog" type="string"
         string="/opt/network/FirewallChange/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="Net-1514") {
        action(name="Net-1514-omfile" type="omfile" dynafilecachesize="50"
               DynaFile="NetworkPerIP" template="RSYSLOG_TraditionalFileFormat"
               ioBufferSize="128k" flushOnTXEnd="off" asyncWriting="on"
               dirCreateMode="0750" FileCreateMode="0640"
               dirGroup="networksecured" fileGroup="networksecured")
        if $syslogtag contains "ASA-5-111010" then {
                action(name="Net-1514-FWCH" type="omfile" dynafilecachesize="50"
                       DynaFile="FirewallChangeLog" template="RSYSLOG_TraditionalFileFormat"
                       ioBufferSize="128k" flushOnTXEnd="off" asyncWriting="on"
                       dirCreateMode="0750" FileCreateMode="0640"
                       dirGroup="networksecured" fileGroup="networksecured")
        }
        stop
}

input(type="imudp" port="1514" ruleset="Net-1514")
input(type="imptcp" port="1514" ruleset="Net-1514")

Scot Kreienkamp | Senior Systems Engineer | La-Z-Boy Corporate
One La-Z-Boy Drive | Monroe, Michigan 48162 | Office: 734-384-6403 |
Mobile: 7349151444 | Email: [email protected]
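Added example (not part of this thread and not rsyslog code): a small Python model of the two things under discussion, the "$syslogtag contains" routing of the posted ruleset and the effect of an odd date format in the header, which is what David suspects in his reply quoted below. The parser, the tag-extraction rule and the four sample lines are all my own constructions and approximations; they are not rsyslog's parser, and the "logger" line is only an approximation of what that command sends. The point of the strict/lenient comparison is the one David makes: if a collector's header grammar rejects the timestamp, the tag never gets extracted, and a message that looks like it should match the filter silently goes only to the catch-all file. Raw samples ($rawmsg) are the way to confirm which case you are in.

```python
import re
from typing import Dict, List, Optional

MONTHS = "Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec"

# Strict RFC 3164 header: the day is a two-character field, so a single-digit
# day must be space-padded ("Oct  1"); "Oct 1" is rejected. (Hypothetical
# grammar for illustration, not rsyslog's parser.)
STRICT_HDR = re.compile(
    rf"^<(?P<pri>\d{{1,3}})>(?P<mon>{MONTHS}) (?P<day> \d|\d\d) "
    r"(?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)

# Lenient header: also accepts an unpadded day ("Oct 1"), an optional four-digit
# year before the time (what an ASA emits with timestamp logging enabled) and
# the " : " separator some ASA builds put after the hostname.
LENIENT_HDR = re.compile(
    rf"^<(?P<pri>\d{{1,3}})>(?P<mon>{MONTHS}) +(?P<day>\d{{1,2}})"
    r"(?: (?P<year>\d{4}))? (?P<time>\d\d:\d\d:\d\d)"
    r"(?: (?P<host>[^\s:]+))?(?: :)? (?P<rest>.*)$"
)


def syslog_tag(rest: str) -> str:
    """Leading token of the message body, up to and including the first ':'
    or up to the first blank, whichever comes first. Approximates how a BSD
    syslog parser derives the syslogtag (assumption, not rsyslog's code)."""
    m = re.match(r"[^\s:]*:?", rest)
    return m.group(0) if m else ""


def parse(line: str, strict: bool = False) -> Dict[str, Optional[str]]:
    """Split a raw line into header fields plus the syslogtag. When the chosen
    grammar rejects the header, the tag is empty and the whole line is kept as
    the message, modelling a collector's 'unparseable header' fallback."""
    m = (STRICT_HDR if strict else LENIENT_HDR).match(line)
    if not m:
        return {"timestamp": None, "host": None, "tag": "", "msg": line}
    d = m.groupdict()
    year = d.get("year")
    stamp = f"{d['mon']} {int(d['day'])}" + (f" {year}" if year else "") + f" {d['time']}"
    return {"timestamp": stamp, "host": d["host"], "tag": syslog_tag(d["rest"]), "msg": d["rest"]}


def route(line: str, strict: bool = False) -> List[str]:
    """Destinations the posted ruleset is meant to produce: every message goes
    to NetworkPerIP, and those whose syslogtag contains "ASA-5-111010" also go
    to FirewallChangeLog."""
    dests = ["NetworkPerIP"]
    if "ASA-5-111010" in parse(line, strict)["tag"]:
        dests.append("FirewallChangeLog")
    return dests


# All four lines are constructed samples, not captured traffic.
SAMPLES = {
    # approximation of what the logger command in the post would send
    "logger": "<13>Oct  1 12:00:00 workstation %ASA-5-111010:: test Sat Oct 1 12:00:00 EDT 2016",
    # ASA line with an unpadded single-digit day (the format David suspects)
    "asa_unpadded": "<166>Oct 1 00:00:05 fw01 %ASA-5-111010: User 'admin' executed 'write memory'",
    # ASA line with a year in the timestamp and " : " after the hostname
    "asa_year": "<166>Oct 01 2016 00:00:05 fw01 : %ASA-5-111010: User 'admin' executed 'write memory'",
    # unrelated line from another device on the same port
    "other": "<14>Oct  1 00:00:09 sw01 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
}


def report() -> Dict[str, Dict[str, List[str]]]:
    """Per sample: where it would be written under the strict and lenient grammar."""
    return {name: {"strict": route(l, True), "lenient": route(l, False)}
            for name, l in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:13s} strict={r['strict']} lenient={r['lenient']}")
```

Running it shows the logger line matching under both grammars while the two ASA variants match only under the lenient one; that is the pattern to look for when comparing raw samples from before and after the calendar rolled over, and it is why the same config can behave differently on two collectors whose parsers tolerate different header shapes.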
-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of David Lang
Sent: Thursday, October 27, 2016 3:24 PM
To: rsyslog-users
Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?

On Thu, 27 Oct 2016, Scot Kreienkamp wrote:

> I was able to reproduce the problem using the logger command from a RH7 
> workstation to an rsyslog server running under RH6 so I am fairly certain the 
> problem wasn't on the Cisco side.

samples of the raw logs that are being mis-processed would be a huge help.

David Lang

>
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of David Lang
> Sent: Thursday, October 27, 2016 3:12 PM
> To: [email protected]
> Subject: Re: [rsyslog] Possible date handling bug in dynafile on RHEL6?
>
> On Tue, 4 Oct 2016 18:02:39 +0000, Scot Kreienkamp wrote:
>> Hi Everyone,
>>
>> I had an RHEL6 rsyslog server running rsyslog-8.21.0-1 from the RPM repo
>> running in production here.  It's a very busy server, but from what I can
>> tell I am not dropping any messages.  The queues are usually less than 100
>> and return to 0 within 60 seconds.  I have had the config in place on my
>> server for 1 month now and it had been working flawlessly until the end of
>> last month.  I have included the relevant part of my config inline below,
>> any comments on tuning or help with my problem would be appreciated.
>>
>> Here's my problem:
>>
>> Basically, this section of my config is receiving syslogs from an ASA
>> firewall and writing them all to dynafile NetworkPerIP.  About 20 other
>> hosts are also sending logs hitting this rule.  Up through 23:59 9-30-2016
>> all messages that had a tag that contained "ASA-5-111010" were also written
>> to another dynafile, FirewallChangeLog.  That's what I wanted to happen,
>> and as I said, it was working flawlessly until the end of last month.
>> Since the calendar flipped over to Oct 1 the logs have not been written to
>> the FirewallChangeLog.  In testing, I simulated a log message from my
>> workstation to this rule like so:
>> logger -P 1514 -n monvsyslog --udp -t "%ASA-5-111010:" "test $(date)".
>> It was written to the FirewallChangeLog but NOT to the NetworkPerIP log;
>> it's only written to the NetworkPerIP log if I don't tag it with the
>> "ASA-5-111010".  That's what makes me think I'm hitting a bug in the code
>> somewhere.  If I copy this config to a test box running RHEL7 with the
>> same version of rsyslog and same config it seems to work OK.  I haven't
>> tried on another RHEL6.  I am not hitting the limit of number of open
>> files, it's set to 15,000 and I'm only at 5,000 last I checked.  And
>> lastly, rsyslogd -N1 doesn't show any errors.  I went ahead and did the
>> upgrade to RHEL7 since it was on my list to upgrade anyway and the problem
>> has disappeared.
>>
>
> When I see this sort of thing, I suspect that there is a problem with
> the date format being sent by the ASA. Can you send samples of a raw
> message (either output with $rawmsg or use the RSYSLOG_DebugFormat)?
>
> I would guess that instead of Oct  1 it's doing Oct 1 or something odd
> like that. You may want to play around with the pmcisco* modules to try
> and fix up the cisco specific oddities that we know about.
>
> David Lang
> _______________________________________________
> rsyslog mailing list
> http://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.