VMware remote syslog bug with timestamp in multiline messages

It seems there is a bug in at least build and build of VMware 5.5 regarding the timestamp in syslog messages sent to remote syslog servers. In a multiline message, the first message is sent according to the syslog standard, but at least some of the messages containing the remaining lines seem to have some kind of overflow bug: the field in the syslog packet that should contain the timestamp instead contains part of the message.

This can be seen in the following text taken from a tcpdump:

<166>2015-01-04T13:57:07.534Z esx035.hostname.local Vpxa: [FFBBF1A0 verbose 'Default' opID=539be6ef] [PR_629085 TreeNode constructor] nodeMap = {'resgroup-259460': '_id=resgroup-259460:_name=Resources:_remoteMoRef=vim.ResourcePool:ha-root-pool', 'resgroup-259486': '_id=resgroup-259486:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool4', 'resgroup-259613': '_id=resgroup-259613:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool3', 'resgroup-259617': '_id=resgroup-259617:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool5', 'resgroup-259876': '_id=resgroup-259876:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool86', 'resgroup-260138': '_id=resgroup-260138:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool78', 'resgroup-262721': '_id=resgroup-262721:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool83', 'resgro
<166>up-262773': '_id=resgrou esx035.hostname.local Vpxa: -262773:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool31', 'resgroup-264541': '_id=resgroup-264541:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool45', 'resgroup-266489': '_id=resgroup-266489:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool64', 'resgroup-266760': '_id=resgroup-266760:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool69', 'resgroup-267769': '_id=resgroup-267769:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool55'}
<166>2015-01-04T13:57:07.534Z esx035.hostname.local Vpxa: [FFBBF1A0 verbose 'Default' opID=539be6ef] [PR_629085 TreeNode constructor] nodeMap = {'resgroup-259460': '_id=resgroup-259460:_name=Resources:_remoteMoRef=vim.ResourcePool:ha-root-pool', 'resgroup-259486': '_id=resgroup-259486:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool4', 'resgroup-259613': '_id=resgroup-259613:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool3', 'resgroup-259617': '_id=resgroup-259617:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool5', 'resgroup-259876': '_id=resgroup-259876:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool86', 'resgroup-260138': '_id=resgroup-260138:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool78', 'resgroup-262721': '_id=resgroup-262721:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool83', 'resgro
<166>up-262773': '_id=resgrou esx035.hostname.local Vpxa: -262773:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool31', 'resgroup-264541': '_id=resgroup-264541:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool45', 'resgroup-266489': '_id=resgroup-266489:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool64', 'resgroup-266760': '_id=resgroup-266760:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool69', 'resgroup-267769': '_id=resgroup-267769:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool55', 'resgroup-268153': '_id=resgroup-268153:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool12'}

2015 01 04 17 35 20 03

So, when you use the %HOSTNAME% parameter in rsyslog to decide where logfiles are written, you end up with a lot of garbage-named directories containing logfiles.
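The following is an added example, not part of the original post: a Python sketch of a receiver-side check that trusts the hostname field only when the whole header validates, and otherwise keys the log directory on the sender's address (the value rsyslog exposes as the `fromhost-ip` property). The function names, the constructed sender address and the shortened sample packets are assumptions made for illustration.

```python
import re

# Header shape of the well-formed packet in the capture above:
# <PRI>ISO-8601-timestamp hostname tag: message
HEADER = re.compile(
    r"<(?P<pri>\d{1,3})>"
    r"(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d(?:\.\d+)?(?:Z|[+-]\d\d:\d\d)) "
    # Each label must start with an alphanumeric, so "..", "/" and quotes fail.
    r"(?P<host>[A-Za-z0-9][A-Za-z0-9-]*(?:\.[A-Za-z0-9][A-Za-z0-9-]*)*) "
    r"(?P<tag>[^\s:]+): ?(?P<msg>.*)",
    re.DOTALL,
)

# Shortened copies of the two packet shapes shown in the capture above.
GOOD = ("<166>2015-01-04T13:57:07.534Z esx035.hostname.local Vpxa: "
        "[FFBBF1A0 verbose 'Default' opID=539be6ef] nodeMap = {'resgro")
BAD = ("<166>up-262773': '_id=resgrou esx035.hostname.local Vpxa: "
       "-262773:_name=RP.XXX.XXX.008:_remoteMoRef=vim.ResourcePool:pool31'}")
SENDER_IP = "192.0.2.35"  # constructed address of the sending host


def positional_hostname(packet):
    """Hostname as a purely positional parser (hypothetical) would read it:
    the second space-separated token after <PRI>."""
    body = packet.split(">", 1)[1]
    return body.split(" ")[1]


def directory_key(packet, sender_ip):
    """Return (key, header_ok). The hostname field is used only if the
    complete header validates; otherwise fall back to the peer address."""
    m = HEADER.fullmatch(packet)
    if m:
        return m.group("host"), True
    return sender_ip, False


if __name__ == "__main__":
    for pkt in (GOOD, BAD):
        print(repr(positional_hostname(pkt)), directory_key(pkt, SENDER_IP))
```

Packets that fail validation can also be counted per sender, which gives a simple signal for spotting hosts affected by the bug.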

