Remote syslog logs significantly reduced - Messaging Gateway (SMG)


Article ID: 421764


Updated On:

Products

Messaging Gateway

Issue/Introduction

Following an upgrade to Messaging Gateway (SMG) 10.9.2, system and audit log traffic sent to configured remote syslog servers or SIEM platforms may decrease significantly. Users report that not all log data expected by the SIEM is successfully relayed. This behavior often surfaces as a partial loss of data, such as only 5 out of 10 expected email events appearing in live log monitoring.

Symptoms

Reviewing the messages log in SMG reveals entries indicating that the rsyslog service is rate-limiting traffic:

rsyslogd[6829]: imjournal: 15929 messages lost due to rate-limiting (20000 allowed within 600 seconds) 

Additional symptoms include:

  • Inconsistent log forwarding immediately following a 10.9.2 update.
  • Live monitoring shows intermittent message delivery to the external syslog server.

Environment

  • Product: Messaging Gateway (SMG)
  • Versions: 10.9.1, 10.9.2
  • Component: Remote Syslog / SIEM Integration

Cause

A change in the rsyslogd service configuration implements aggressive rate-limiting for remote syslog communication. The service is restricted to a maximum of 20,000 messages within a 600-second (10-minute) interval; any volume exceeding this is discarded by the local daemon.
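To estimate how much log data never reached the SIEM, the rate-limiting notices in the messages log can be totaled. The following is an added example, not part of the original article or the product; the function names are hypothetical, the sample lines other than the one quoted above are constructed, and the forwarded fraction is an estimate that assumes each notice covers one full rate-limit window.

```python
import re

# Matches the imjournal notice format quoted in the Symptoms section.
LOSS_RE = re.compile(
    r"rsyslogd\[\d+\]: imjournal: (?P<lost>\d+) messages lost due to "
    r"rate-limiting \((?P<burst>\d+) allowed within (?P<interval>\d+) seconds\)"
)

def parse_loss_events(lines):
    """Return (lost, burst, interval) for every rate-limiting notice found."""
    events = []
    for line in lines:
        m = LOSS_RE.search(line)
        if m:
            events.append((int(m["lost"]), int(m["burst"]), int(m["interval"])))
    return events

def summarize(lines):
    """Total the dropped messages and estimate the share that was forwarded.

    In a window that reports losses, `burst` messages passed the limiter
    and `lost` were discarded, so forwarded ~= burst / (burst + lost).
    """
    events = parse_loss_events(lines)
    lost = sum(e[0] for e in events)
    allowed = sum(e[1] for e in events)
    return {
        "windows_with_loss": len(events),
        "messages_lost": lost,
        "est_forwarded_fraction": allowed / (allowed + lost) if events else 1.0,
    }

# Constructed sample input: timestamps and host name are invented; the first
# notice uses the counts from the article, the second is made up.
SAMPLE = [
    "Jan 10 10:10:00 smg rsyslogd[6829]: imjournal: 15929 messages lost due to "
    "rate-limiting (20000 allowed within 600 seconds)",
    "Jan 10 10:12:31 smg systemd[1]: Started Session 42 of user admin.",
    "Jan 10 10:20:00 smg rsyslogd[6829]: imjournal: 4071 messages lost due to "
    "rate-limiting (20000 allowed within 600 seconds)",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

Time ranges covered by these notices are the periods where SIEM detections and audit trails should be treated as incomplete.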

Resolution

This issue is fixed in Patch 10.9.2-300.

The patch process will make changes to your system. Review it carefully before running:

  1. Log in to the SMG command line as admin.
  2. Run the following command:
    patch -p 10.9.2-300 install
  3. Restart the Messaging Gateway system:
    reboot

 
