Discussion for KB Entry 6925 - Syslogtag rsyslog-2007

Discussions around Windows Eventlog messages.

Moderator: rgerhards

Google Ads


Re: Discussion for KB Entry 6925 - Syslogtag rsyslog-2007

Postby BennyE_HH » Fri Nov 04, 2016 6:52 pm

I saw the same error message
Nov 4 17:45:01 watchtux rsyslogd-2007: action 'action 19' suspended, next retry is Fri Nov 4 17:46:31 2016 [try http://www.rsyslog.com/e/2007 ]


In my case the root cause for this was a changed format:
Code: Select all
cat /etc/rsyslog.d/ap1101.conf
# Log handler for Alcatel-Lucent Enterprise AP1101
$template AccessPointLog, "/var/log/ap1101.log"
:fromhost-ip, isequal, "192.168.0.125" -?AccessPointLog
#& ~
& stop


Instead of "& ~" it should be "& stop". After that, the error message disappeared.
BennyE_HH
New
 
Posts: 1
Joined: Fri Nov 04, 2016 6:26 pm

Re: Discussion for KB Entry 6925 - Syslogtag rsyslog-2007

Postby fr4m3s » Tue Dec 27, 2016 4:13 am

Hi, I'm currently running on a freshly updated Pi 3. I run the command uname -a and get the following result:
Linux raspberrypi 4.4.13-v7+ #894 SMP Mon Jun 13 13:13:27 BST 2016 armv7l GNU/Linux

This is an example of the recent output I've ben getting from tail -f /var/log/syslog:

Code: Select all
Dec 26 21:42:13 raspberrypi wpa_supplicant[430]: wlan0: WPA: Group rekeying completed with b0:7f:b9:74:07:bb [GTK=CCMP]
Dec 26 21:42:13 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Mon Dec 26 21:43:43 2016 [try http://www.rsyslog.com/e/2007 ]
Dec 26 21:45:16 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Mon Dec 26 21:46:46 2016 [try http://www.rsyslog.com/e/2007 ]
Dec 26 21:52:13 raspberrypi wpa_supplicant[430]: wlan0: WPA: Group rekeying completed with b0:7f:b9:74:07:bb [GTK=CCMP]
Dec 26 21:52:13 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Mon Dec 26 21:53:43 2016 [try http://www.rsyslog.com/e/2007 ]
Dec 26 22:02:13 raspberrypi wpa_supplicant[430]: wlan0: WPA: Group rekeying completed with b0:7f:b9:74:07:bb [GTK=CCMP]
Dec 26 22:02:13 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Mon Dec 26 22:03:43 2016 [try http://www.rsyslog.com/e/2007 ]





What is going on here? I don't notice any obstruction of functionality or wireless connectivity. These messages come in quite often but are intermittent as well. Can range between 5 min intervals and 25 min intervals.
fr4m3s
New
 
Posts: 1
Joined: Tue Dec 27, 2016 3:58 am

Re: Discussion for KB Entry 6925 - Syslogtag rsyslog-2007

Postby jordanpm » Thu Mar 09, 2017 6:31 pm

I saw this error after restarting rsyslogd
Mar 9 17:18:31 agct1utl1-1 rsyslogd: Could not create tcp listener, ignoring port 9514 bind-address (null). [v8.23.0 try http://www.rsyslog.com/e/2077 ]
Mar 9 17:18:31 agct1utl1-1 rsyslogd: Could not create tcp listener, ignoring port 8514 bind-address (null). [v8.23.0 try http://www.rsyslog.com/e/2077 ]
Mar 9 17:18:31 agct1utl1-1 rsyslogd: Could not create tcp listener, ignoring port 514 bind-address (null). [v8.23.0 try http://www.rsyslog.com/e/2077 ]

A second restart worked OK

snip from rsyslog.conf

# Provides TCP syslog reception
$ModLoad imtcp
$InputTCPServerRun 514
$InputTCPServerRun 8514
$InputTCPServerRun 9514
jordanpm
New
 
Posts: 2
Joined: Thu Mar 09, 2017 6:26 pm

Re: Discussion for KB Entry 6925 - Syslogtag rsyslog-2007

Postby werdna » Fri Mar 24, 2017 6:05 pm

I am having this error everytime

Mar 24 17:39:40 raspberrypi wpa_supplicant[471]: wlan0: WPA: Group rekeying completed with c4:ea:1d:c6:31:93 [GTK=TKIP]
Mar 24 17:39:40 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Fri Mar 24 17:40:40 2017 [try http://www.rsyslog.com/e/2007 ]
Mar 24 17:49:40 raspberrypi wpa_supplicant[471]: wlan0: WPA: Group rekeying completed with c4:ea:1d:c6:31:93 [GTK=TKIP]
Mar 24 17:49:40 raspberrypi rsyslogd-2007: action 'action 17' suspended, next retry is Fri Mar 24 17:50:40 2017 [try http://www.rsyslog.com/e/2007 ]

Please help me. Thanks
werdna
New
 
Posts: 1
Joined: Fri Mar 24, 2017 6:00 pm

Re: Discussion for KB Entry 6925 - Syslogtag rsyslog-2007

Postby cnamejj » Tue Jul 04, 2017 3:44 am

I'm in the process of rolling out a new build of rsyslog, compiled from v8.28.0 source. It's seems to be working fine, but I am seeing the sorts of messages described in this discussion under certain circumstances. Here's an example.

Code: Select all
Jul  3 19:16:54.041197 vpc4-jjones rsyslogd[-]:  action 'action 14' suspended, next retry is Mon Jul  3 19:17:24 2017 [v8.28.0 try http://www.rsyslog.com/e/2007 ]


It happens when the rsyslog that's trying to relay messages to a centralized syslog server can't connect to the receiving end. I'm using RELP to handle the message transfer. And I can reproduce the error by stopping the rsyslog service on the receiving and then restart the rsyslog that originates (and relays) the messages.

In out production configuration there should always be at least one server available so don't think this will be an issue once we're fully deployed. But since the introductory comment explained that this condition shouldn't be generating these logs, and asked that people document their use cases, I wanted to post a note.
cnamejj
New
 
Posts: 1
Joined: Tue Jul 04, 2017 3:33 am

Google Ads


Previous

Return to Windows Eventlog

Who is online

Users browsing this forum: No registered users and 4 guests

cron