Following the upgrade to Messaging Gateway 10.9.2, remote syslog (Administration > Logs) system and audit log traffic to a remote logging server or SIEM falls off significantly. Log data which should be relayed to the SIEM via syslog does not appear to be sent following the upgrade.
This issue is caused by a change in the rsyslogd server configuration which implements aggressive rate limiting for remote syslog communication.
Rate Limit Threshold: The service is currently configured to allow a maximum of 20,000 messages within a 600-second (10-minute) interval. Any log traffic exceeding this volume is discarded by the local rsyslog daemon before it can be transmitted.
This issue is currently under investigation by Messaging Gateway product engineering and will be addressed in a future patch or release.
Please subscribe to this article to be automatically notified of any updates or fixes for this issue.
Potential workaround
Reduce the log data sent to the remote syslog server in Administration > Logs > Remote as much as reasonably possible to ensure that the important information is sent before rate limits are applied. Individual organizations will need to decide which remote log traffic is critical.
If logging SMG audit log data remotely to a SIEM, Broadcom support recommends reducing all other remote logging to warning or error level to improve delivery of the more critical audit log data.
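To estimate how much of each log category the limit would discard before deciding what to trim, the following added example (not Broadcom's or rsyslog's code) models the limit as a fixed window of 20,000 messages per 600 seconds. The window model, the category names and the message rates are assumptions constructed for illustration.

```python
from collections import Counter

BURST = 20_000   # messages allowed per window (figure from the article)
INTERVAL = 600   # window length in seconds (figure from the article)


def simulate(events, burst=BURST, interval=INTERVAL):
    """Apply a fixed-window limit to (second, category) events sorted by time.

    Assumed model: the window opens at the first message, admits `burst`
    messages, discards the rest, and reopens once `interval` has elapsed.
    Returns (sent, dropped) Counters keyed by category.
    """
    sent, dropped = Counter(), Counter()
    window_start, used = None, 0
    for ts, category in events:
        if window_start is None or ts >= window_start + interval:
            window_start, used = ts, 0
        if used < burst:
            used += 1
            sent[category] += 1
        else:
            dropped[category] += 1
    return sent, dropped


def constructed_traffic(rates, duration=INTERVAL):
    """Build a steady stream from {category: messages per second} (constructed data)."""
    return [(second, category)
            for second in range(duration)
            for category, per_second in rates.items()
            for _ in range(per_second)]


if __name__ == "__main__":
    # Hypothetical profiles: verbose mail logging vs. warning-level only.
    profiles = {
        "before": {"mail_info": 50, "audit": 1},
        "after": {"mail_warning": 5, "audit": 1},
    }
    for name, rates in profiles.items():
        sent, dropped = simulate(constructed_traffic(rates))
        print(name, "sent:", dict(sent), "dropped:", dict(dropped))
```

In the constructed "before" profile the audit stream loses the tail of every window even though it is a small share of the traffic; in the "after" profile nothing is discarded.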