Hey,

We are using Checkpoint Log Exporter (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122323). I don't think that it matters, except maybe for the fact that they are implementing RFC5424.

The logs are being written to file by Rsyslog as follows:

---------------------
module(load="imtcp")
module(load="imudp")

input(type="imtcp" port="514")
input(type="imudp" port="514")

template(name="FileNameByHost" type="string" string="/syslog/%fromhost-ip%.log")
if ($fromhost-ip startswith "192.168.x.y") then { # RFC5424
action(type="omfile" dynaFile="FileNameByHost" template="RSYSLOG_SyslogProtocol23Format") <-------------------
} else {
action(type="omfile" dynaFile="FileNameByHost" template="RSYSLOG_FileFormat")
}

call asyncelk
...
---------------------

Now Rsyslog thinks some messages are duplicates. And apparently it thinks there are _many_ duplicates. I have sniffed the traffic, and no duplicates are being transmitted AFAICS. Here is an example of what is logged nevertheless:

<134>1 2019-10-11T16:27:51Z chkpt-mgt CheckPoint 15439 - [action:"Reject"; ifdir:"inbound"; ifname:"eth2.53"; logid:"0"; loguid:"{0x0,0x0,0x0,0x0}"; origin:"192.168.1.2"; originsicname:"xxxxx"; sequencenum:"32"; time:"1570811271"; version:"5"; dst:"224.0.0.18"; hll_key:"2008789500278145398"; inzone:"Internal"; layer_name:"Unified"; layer_uuid:"a-b-c-d-e"; match_id:"177"; parent_rule:"0"; rule_action:"Reject"; rule_name:"xyz"; rule_uid:"a-b-c-d-e"; product:"VPN-1 & FireWall-1"; proto:"51"; service_id:"AH"; src:"1.2.3.4"; ] message repeated 49 times: []

Other times it says "99 times" or "149 times", ... I've created some stats in fact :D

# tail -n 10000 //syslog/1.2.3.4.log | grep -o -E 'repeated [0-9]+ times' | sort | uniq -c | sort -n | tail -10
     23 repeated 44 times
     26 repeated 199 times
     35 repeated 159 times
     37 repeated 9 times
     38 repeated 4 times
    101 repeated 149 times
    155 repeated 109 times
    408 repeated 59 times
    417 repeated 99 times
   2926 repeated 49 times

This is SLES 15-SP1 running rsyslog-8.33.1-3.17.1.x86_64

Any idea?

Thanks,
Marki
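A small analyzer, added here as an example and not part of the original post or of rsyslog, for quantifying what the "message repeated N times" markers are hiding. It parses RFC 5424 lines in the shape produced by RSYSLOG_SyslogProtocol23Format, splits the Check Point `key:"value";` pairs out of the bracketed element, and reports the repeat histogram (the same view as the shell pipeline above), the total number of events that were never written, and how many lines have an empty MSG part after the structured data. The last figure matters because, in the logged line above, the part rsyslog prints after "repeated 49 times:" is `[]`, i.e. the MSG part of those messages was empty; it is an assumption here, not something the post confirms, that rsyslog's repeat suppression compares that MSG part, so that structurally different events with an empty MSG would look identical to it. The sample lines are constructed to resemble the post's output, and `parse_line`, `summarize` and the regex names are this example's own.

```python
import re
from collections import Counter

# Constructed sample modelled on the lines in the post; not captured data.
SAMPLE_LOG = (
    '<134>1 2019-10-11T16:27:51Z chkpt-mgt CheckPoint 15439 - '
    '[action:"Reject"; sequencenum:"32"; time:"1570811271"; src:"1.2.3.4"; ] '
    'message repeated 49 times: []\n'
    '<134>1 2019-10-11T16:27:52Z chkpt-mgt CheckPoint 15439 - '
    '[action:"Accept"; sequencenum:"33"; time:"1570811272"; src:"1.2.3.5"; ]\n'
    '<134>1 2019-10-11T16:27:53Z chkpt-mgt CheckPoint 15439 - '
    '[action:"Reject"; sequencenum:"34"; time:"1570811273"; src:"1.2.3.6"; ] '
    'message repeated 9 times: []\n'
)

# RFC 5424 header as written by RSYSLOG_SyslogProtocol23Format:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# STRUCTURED-DATA is "-" or one or more bracketed elements; the Check Point
# values seen here never contain "]", so one character class per element is enough.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)'
    r'(?: (?P<msg>.*))?$'
)
# Marker rsyslog writes in place of the MSG part when it suppresses repeats
# (assumed shape, taken from the line quoted in the post).
REPEAT_RE = re.compile(r'^message repeated (?P<count>\d+) times: \[(?P<orig>.*)\]$')
# Check Point's key:"value"; pairs inside the bracketed element.
KV_RE = re.compile(r'(\w+):"([^"]*)";')


def parse_line(line):
    """Split one line into header fields, parsed key/value SD, the MSG part,
    and the repeat count (0 when the line is not a suppression marker).
    Returns None for lines that are not RFC 5424 at all."""
    m = HEADER_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    rec['fields'] = dict(KV_RE.findall(rec['sd']))
    msg = rec['msg'] or ''
    rep = REPEAT_RE.match(msg)
    if rep:
        rec['repeated'] = int(rep.group('count'))
        msg = rep.group('orig')  # the MSG the suppressed copies shared
    else:
        rec['repeated'] = 0
    rec['msg'] = msg
    return rec


def summarize(text):
    """Quantify how much a file has been collapsed by repeat suppression.
    'hidden_events' assumes N in 'repeated N times' counts messages that
    were dropped rather than written."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    markers = [r for r in records if r['repeated']]
    return {
        'lines': len(records),
        'markers': len(markers),
        'hidden_events': sum(r['repeated'] for r in markers),
        'repeat_histogram': Counter(r['repeated'] for r in markers),
        # Lines whose MSG part (the text after the structured data) is empty.
        'empty_msg_lines': sum(1 for r in records if r['msg'] == ''),
        # Structured data differs per event even when MSG does not.
        'distinct_sequencenums': len({r['fields'].get('sequencenum') for r in records}),
    }


if __name__ == '__main__':
    for key, value in summarize(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

Run it against a real file with `summarize(open('/syslog/1.2.3.4.log').read())`; a high `empty_msg_lines` count next to a high `distinct_sequencenums` count shows the events differ in their structured data while sharing an empty MSG, which is the observation to take to the rsyslog side of the question.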

