MonitorWare Knowledge Base

Issue: It appears that repeated messages are not being forwarded to a remote syslog-ng server properly.

Setup:
-OpenBSD 3.8/Sparc64
-rsyslog 1.12.1 & 1.12.2

Background: I am currently using rsyslog on my OpenBSD box to forward messages to a remote syslog-ng box. As a test, I am running logger on the OpenBSD box to make sure the syslog message is being received on the remote syslog-ng server.

Issue 1: The first message is received correctly. However, if I send the exact same message right after it, the message is not received. I believe there is an interval time before it will send a repeated message to the remote server.

Issue 2 (more important): After the interval is exceeded, rsyslog will send the message to the remote syslog-ng server. The issue is that the %timegenerated% is not updated but instead the first timestamp is used.

Expected Behavior: I am expecting that each message should be forwarded to the remote syslog-ng server and each with an unique time stamp.

Configuration File (pieces):

$template syslogng,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag%%msg%"

:msg, contains, "TESTING:" @@127.0.0.1:5140;syslogng

Note 1: 127.0.0.1:5140 is a local listener that forwards the rsyslog traffic through a SSL Tunnel.

Note 2: Test syslog messages are genreated by logger -p local7.info TESTING: 123

Debug Logs (pieces):

Issue 1

1st try

Filter: check for property 'msg' (value ' TESTING: 123') contains 'TESTING:': TRUE
Called fprintlog, logging to FORW 127.0.0.1:5140/tcp
TCP sent 54 bytes, requested 54, msg: '<190>Nov 7 20:19:59 admin1-kjc-ussea-2 TESTING: 123
'

2nd try

Filter: check for property 'msg' (value ' TESTING: 123') contains 'TESTING:': TRUE
msg repeated 1 times, 3 sec of 30.

Issue 2

logmsg: local7.info<190>, flags 2, from 'admin1-kjc-ussea-2', msg Nov 7 20:24:55 root: TESTING: 123
Filter: check for property 'msg' (value ' TESTING: 123') contains 'TESTING:': TRUE
msg repeated 2 times, 40 sec of 30.
Called fprintlog, logging to FORW 127.0.0.1:5140/tcp
TCP sent 54 bytes, requested 54, msg: '<190>Nov 7 20:24:15 admin1-kjc-ussea-2 TESTING: 123
'

Notice the times are different what's noted in logmsg vs what's actually forwarded.

Any assistance would be appreciated! Thanks!

• Custom written rsyslog.conf?
• Maintenance Contract?
• Installation support?

A bit late, but for the records. The -e option has been added to support transmission of every message. This needs to be specified at startup. It is available starting with 1.13.1 or via anonymous cvs.

Rainer