|Applies To||RSA Product Set: Security Analytics|
RSA Product/Service Type: Security Analytics Server, Virtual Log Collector
RSA Version/Condition: 10.4.x,10.5.x
O/S Version: EL6
|Issue||Rate-limiting messages (as shown below) appear whenever there is a large number of log messages being recorded in the /var/log/messages file.|
These errors can be stopped by setting appropriate parameters for $SystemLogRateLimitInterval and $SystemLogRateLimitBurst in the /etc/rsyslog.conf file, as explained in the article entitled RSA Security Analytics Log Decoder is dropping system messages due to rate-limiting. However, adjusting these parameters may not help if a large number of log messages are logging.
Dec 17 05:05:10 DELGG7SIEMVLC7 rsyslogd-2177: imuxsock begins to drop messages from pid 2059 due to rate-limiting
|Cause||One reason that rate-limiting messages may appear is due to a large number of collectd errors being logged, as shown in the example below.|
Dec 24 11:42:53 DELGG7SIEMVLC7 collectd: NgNativeReader_NwLogCollector-FastUpdate: nwsdk failure: NwResponseData returned 0 and NwLastError failed
Follow below steps to stop the collectd errors from logging on the appliance.