Hi,
We had an issue back in December where our central rsyslog was not
available with result /var/lib/rsyslog on our satellite rsyslog servers
getting to 100%. We moved the spool files to another directory in order
to resubmit them at later stage.
Few days ago we decided to re-transmit those logs by moving the spool
files back to /var/lib/rsyslog and start rsyslog so they could be
processed and sent to our central rsyslog server.
We noticed that the logs indeed ended up on the central rsyslog server
with correct day and month but with wrong year. Meaning,
original date on the logs was *2022*-12-16 but arrived on the central
rsyslog server with *2023*-12-16:
2023-01-24 06:36:24PST [ root@syslog1:/var/log/]
# zgrep SPOOL_TEST secure-20230124.gz
2023-12-16T10:04:56-08:00 backend201 su: pam_unix(su:session): session
closed for user nobody SPOOL_TEST
2023-12-16T07:59:03-08:00 frontend130 sudo: pam_unix(sudo:session):
session closed for user root SPOOL_TEST
Anyone has seen this problem before? Is this a bug?
Best regards,
Ricardo Esteves.
We had an issue back in December where our central rsyslog was not
available with result /var/lib/rsyslog on our satellite rsyslog servers
getting to 100%. We moved the spool files to another directory in order
to resubmit them at later stage.
Few days ago we decided to re-transmit those logs by moving the spool
files back to /var/lib/rsyslog and start rsyslog so they could be
processed and sent to our central rsyslog server.
We noticed that the logs indeed ended up on the central rsyslog server
with correct day and month but with wrong year. Meaning,
original date on the logs was *2022*-12-16 but arrived on the central
rsyslog server with *2023*-12-16:
2023-01-24 06:36:24PST [ root@syslog1:/var/log/]
# zgrep SPOOL_TEST secure-20230124.gz
2023-12-16T10:04:56-08:00 backend201 su: pam_unix(su:session): session
closed for user nobody SPOOL_TEST
2023-12-16T07:59:03-08:00 frontend130 sudo: pam_unix(sudo:session):
session closed for user root SPOOL_TEST
Anyone has seen this problem before? Is this a bug?
Best regards,
Ricardo Esteves.
Attached Files:
-
OpenPGP_0x9DCA12A350F395E0.asc (3.08 KB)
-
OpenPGP_signature (0.82 KB)