[rsyslog] Duplicate entries
Stephen Carville
stephen.carville at gmail.com
Sun May 25 18:10:00 CEST 2008
On Sun, May 25, 2008 at 1:57 AM, Rainer Gerhards
<rgerhards at hq.adiscon.com> wrote:
> However, this is not in the version you have. Can you report anything
> specific on the message duplication?
I used some network tools to watch the behavior between scacitf01-d
(client) and scacisys01 (server).
$ netstat -atp (domain name removed for readability);
on scacisys01
tcp 0 0 scacisys01:shell scacitf01-d:57878 ESTABLISHED 26777/rsyslogd
tcp 0 0 scacisys01:shell scacitf01-d:57876 ESTABLISHED 26777/rsyslogd
on scacitf01-d
tcp 0 0 scacitf01-d:57878 scacisys01:shell ESTABLISHED 10387/rsyslogd
tcp 0 0 scacitf01-d:57876 scacisys01:shell ESTABLISHED 10387/rsyslogd
Should there be two connections?
For an ssh login, wireshark reports that the syslog server received
the following
from scacitf01-d:57876 :
<38>May 25 07:35:26 scacitf01-d sshd[16155]: Connection from 10.212.166.26 port 46039
<38>May 25 07:35:26 scacitf01-d sshd[16155]: Found matching RSA key: a0:f6:2d:e7:4d:b8:c0:53:01:c6:b3:ce:63:16:05:4f
<38>May 25 07:35:26 scacitf01-d sshd[16156]: Postponed publickey for stephen from 10.212.166.26 port 46039 ssh2
<38>May 25 07:35:26 scacitf01-d sshd[16155]: Found matching RSA key: a0:f6:2d:e7:4d:b8:c0:53:01:c6:b3:ce:63:16:05:4f
<38>May 25 07:35:26 scacitf01-d sshd[16155]: Accepted publickey for stephen from 10.212.166.26 port 46039 ssh2
and from scacitf01-d:57878:
<38>May 25 07:35:26 scacitf01-d sshd[16155]: Connection from 10.212.166.26 port 46039
<38>May 25 07:35:26 scacitf01-d sshd[16155]: Found matching RSA key: a0:f6:2d:e7:4d:b8:c0:53:01:c6:b3:ce:63:16:05:4f
<38>May 25 07:35:26 scacitf01-d sshd[16156]: Postponed publickey for stephen from 10.212.166.26 port 46039 ssh2
<38>May 25 07:35:26 scacitf01-d sshd[16155]: Found matching RSA key: a0:f6:2d:e7:4d:b8:c0:53:01:c6:b3:ce:63:16:05:4f
<38>May 25 07:35:26 scacitf01-d sshd[16155]: Accepted publickey for stephen from 10.212.166.26 port 46039 ssh2
<86>May 25 07:35:26 scacitf01-d sshd[16155]: pam_unix(sshd:session): session opened for user stephen by (uid=0)
So some messages are being sent twice.
> Also, would it be an option to
> upgrade to the latest v2-stable version (which is 2.0.5). Note that the
> difference is only bug fixes, no new functionality is being added to v2.
Probably if it's only bug fixes.
--
Stephen Carville