Following the upgrade to Messaging Gateway (SMG) 10.9.2, the volume of system and audit log traffic sent to the configured remote syslog server or SIEM drops significantly. Some of the log data that should be relayed to the SIEM via syslog is no longer sent after the upgrade.
Reviewing the messages log on the SMG appliance shows an entry like the following, indicating that rsyslog is rate limiting traffic:
rsyslogd[6829]: imjournal: 15929 messages lost due to rate-limiting (20000 allowed within 600 seconds)
Version: 10.9.1, 10.9.2
This issue is caused by a change in the rsyslogd service configuration on the appliance. The limit is applied by rsyslog's imjournal input module, which reads the system journal and feeds the local rsyslog daemon (and therefore the remote syslog forwarding), not by the remote syslog connection itself; in rsyslog terms the figures in the log entry correspond to the imjournal ratelimit.burst and ratelimit.interval settings.
The rsyslogd service is currently limited to a maximum of 20,000 messages within a 600-second (10-minute) interval. Once that limit is reached, any further log traffic in the same interval is discarded by the local rsyslog daemon rather than queued, so it never reaches the remote syslog server or SIEM and cannot be recovered afterwards. Each rate-limiting entry in the messages log records how many messages were dropped in that interval, which gives a measure of the size of the gap in the SIEM data.
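To size the gap before and after remediation, the rate-limiting entries in the messages log can be totalled. The script below is an added example, not part of the Broadcom article or the SMG product: it sums the "N messages lost" figures and counts the affected intervals from a constructed messages-log excerpt (the sample lines, hostnames and PIDs are invented for illustration), and can be run against an exported copy of the appliance's messages log.

```shell
#!/bin/sh
# Added example: quantify imjournal rate-limit drops from a messages log.
# SAMPLE_LOG is a constructed excerpt, not output from a real appliance.
SAMPLE_LOG='Mar  3 09:10:01 smg rsyslogd[6829]: imjournal: 15929 messages lost due to rate-limiting (20000 allowed within 600 seconds)
Mar  3 09:15:44 smg bmserver[2231]: message accepted
Mar  3 09:20:01 smg rsyslogd[6829]: imjournal: 3071 messages lost due to rate-limiting (20000 allowed within 600 seconds)
Mar  3 09:30:01 smg rsyslogd[6829]: imjournal: 42 messages lost due to rate-limiting (20000 allowed within 600 seconds)'

# lost_total: read log lines on stdin and print the sum of the "N messages
# lost" figures from imjournal rate-limiting entries (0 if there are none).
lost_total() {
  awk '/imjournal: [0-9]+ messages lost due to rate-limiting/ {
         for (i = 1; i <= NF; i++)
           if ($i == "imjournal:") { total += $(i + 1); break }
       }
       END { print total + 0 }'
}

# lost_intervals: number of rate-limiting entries on stdin. rsyslog logs one
# entry per interval in which the burst was exceeded, so this is the number
# of 600-second windows with a gap. grep -c prints 0 and exits 1 when nothing
# matches; "|| true" keeps that from aborting a "set -e" shell.
lost_intervals() {
  grep -c 'imjournal: [0-9]* messages lost due to rate-limiting' || true
}

# report: summarise the sample. Redirect the real log into lost_total and
# lost_intervals instead of SAMPLE_LOG to check an exported messages file.
report() {
  total=$(printf '%s\n' "$SAMPLE_LOG" | lost_total)
  n=$(printf '%s\n' "$SAMPLE_LOG" | lost_intervals)
  if [ "$n" -gt 0 ]; then
    echo "rate limiting active: $total messages dropped across $n interval(s)"
  else
    echo "no imjournal rate-limiting entries found"
  fi
}

report
```

After the patch is applied, running the same check over the new log entries should return zero intervals; a non-zero count means messages are still being dropped before they reach the SIEM.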
This issue is addressed by installing patch 10.9.2-300. To apply the patch, run the following from the SMG command line and then reboot the appliance:
patch -p 10.9.2-300 install
reboot
After the appliance is back up, confirm that no new imjournal rate-limiting entries appear in the messages log and that the event volume arriving at the remote syslog server or SIEM returns to its pre-upgrade level.