VMware Identity Manager sends duplicate messages to vRealize Log Insight

Article ID: 431323

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • vRealize Log Insight (vRLI) is flooded with a massive amount of duplicated historical log messages from VMware Identity Manager (vIDM).
  • Network bandwidth or syslog server storage may experience unexpected spikes due to the high volume of duplicate logs.

Environment

VMware Identity Manager (vIDM) 3.3.7

Cause

The primary cause of this log duplication is the use of wildcards (*) in the log file paths within the vIDM /etc/rsyslog.conf configuration file (e.g., monitoring horizon*.log, accesscontrol*.log).

When the vIDM appliance generates a large volume of logs, it performs a standard "log rotation," renaming the active horizon.log file to horizon-1.log to save space. Because the rsyslog configuration uses the *.log wildcard, it incorrectly identifies the newly rotated horizon-1.log as a brand-new file. This forces the rsyslog service to read the entire historical file from line 1 all over again and re-send it across the network, creating a massive burst of duplicate logs every time a log file rotates.

Resolution

To stop this cycle, modify the rsyslog.conf file to strictly target only the active log files and clear the old service cache.

Note: Simply restarting the rsyslog service is not sufficient. Rsyslog retains corrupted internal bookmarks (imfile-state files) and keeps open file handles for the old rotated files (e.g., horizon-1.log, horizon-2.log), which prevents it from properly processing the newly corrected configuration.

Step-by-Step Instructions:

  1. Log in to the vIDM 3.3.7 appliance via SSH as the root user.

  2. Stop the rsyslog service to release open file handles: systemctl stop rsyslog

  3. Back up the existing configuration file: cp /etc/rsyslog.conf /etc/rsyslog.conf.bak

  4. Edit the /etc/rsyslog.conf file using a text editor (e.g., vi):

    • Locate the lines containing log path inputs.

    • Remove the wildcards (*) to explicitly target only the active log files.

    • Example: Change horizon*.log to horizon.log, and accesscontrol*.log to accesscontrol.log.

    • Save and exit the file.

  5. Navigate to the rsyslog working directory (typically /var/rsyslog/imfilestate) and delete the old internal bookmark state files (*imfile-state*): rm -f /var/rsyslog/imfilestate/*imfile-state*

  6. Start the rsyslog service: systemctl start rsyslog

  7. Verify the service is running correctly: systemctl status rsyslog
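
A dry-run helper for step 4, added here as an example and not part of the original article: it lists wildcard file inputs in a copy of rsyslog.conf and prints the proposed edit as a diff. The sample config, its /path/to/logs paths, the loghost.example target, and the assumption that inputs use imfile File="..." or legacy $InputFileName syntax are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the KB article: preview the step 4 wildcard removal
# on a copy of rsyslog.conf before editing the live file.
# Assumption: file inputs use input(type="imfile" ... File="...") or the
# legacy $InputFileName directive; confirm which form your appliance uses.
WILDCARD_RE='([Ff]ile="[^"]*\*[^"]*"|^[[:space:]]*\$InputFileName[[:space:]]+[^[:space:]]*\*)'

# Print "lineno:line" for each file-input line whose path contains '*'.
find_wildcard_inputs() { grep -nE "$WILDCARD_RE" "$1" || true; }

# Print how many file-input lines still contain a wildcard.
count_wildcard_inputs() { grep -cE "$WILDCARD_RE" "$1" || true; }

# Write the config to stdout with '*' removed from file-input paths only.
# Selector lines such as "*.* @@host:514" are left untouched.
strip_input_wildcards() {
    sed -E \
        -e ':a' -e 's/([Ff]ile="[^"*]*)\*/\1/' -e 'ta' \
        -e ':b' -e 's/^([[:space:]]*\$InputFileName[[:space:]]+[^[:space:]*]*)\*/\1/' -e 'tb' \
        "$1"
}

# Constructed sample config; paths and log host are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
module(load="imfile")
input(type="imfile" File="/path/to/logs/horizon*.log" Tag="horizon")
input(type="imfile" File="/path/to/logs/accesscontrol*.log" Tag="accesscontrol")
$InputFileName /path/to/logs/example*.log
*.* @@loghost.example:514
EOF
}

# Demo: list offending inputs, then show the proposed edit as a diff.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
echo "Wildcard file inputs:"
find_wildcard_inputs "$demo_conf"
echo "Proposed change:"
strip_input_wildcards "$demo_conf" | diff "$demo_conf" - || true
rm -f "$demo_conf"
```

Review the diff before applying it to /etc/rsyslog.conf; a pattern where the wildcard is not a rotation suffix (for example a bare *.log) needs a manual edit to name the active file.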