O congelamento do aspecto de transmissão de log deste problema parece ser provavelmente devido a um bug na maneira como o rsyslog é configurado fora da caixa com 'buntu: link
Também consegui encontrar um post interessante sobre intercâmbio de especialistas: www.expert-sex-change.com/OS/Linux/Administration/Q_27511414.html:
> I recently ran into a problem and was hoping someone could help me figure it out. I am > running Ubuntu 10.04 and rsyslog 5.8.1. I setup rsyslog to monitor a few files and send > the any changes to those files to Loggly (great service by the way). Well, it all works > great, except for the fact that whenever I restart rsyslog it resends everything from those > files that it had sent in the past. Now, it is my understanding that rsyslog should use > the $WorkDirectory and create what file that you set for $InputFileStateFile to save the > state of the monitored file so that it does not send duplicate entries. > > Here is an example that I'm working with: > > $WorkDirectory /var/log/rsyslog > > # Monit log file > $InputFileName /var/log/monit.log > $InputFileTag monit > $InputFileStateFile monit-state > $InputFileSeverity info > $InputRunFileMonitor > > So, from my description above, rsyslog should create a "monit-state" file in > "/var/log/rsyslog" which would save the state of the /var/log/monit.log" file so no > duplicates are sent. Is that correct? If so, this is not happening! > > What should the premission of "/var/log/rsyslog" be? Do I have to touch "monit-state" in > "/var/log/rsyslog" (I tried that already and nothing happened)?
Com uma resposta interessante:
> Ok, I found this site (Trouble Shooting Rsyslog) and went through the interactive debugging > mode using: > > rsyslogd -c5 -dn > logfile > 1: > Select all > Open in new window > > > I was able to see that it was in fact a permissions problem. I opened up permissions to > 777 for my $WorkDirectory, just to test, and rsyslog did create the state files and > everything worked as planned. I will continue to play with the permissions so that it's > not 777 (obviously), but I wanted to let anyone else that might be having this problem know > how I solved it.
Eu ajustei as permissões em / var / spool / rsyslog para pertencer ao usuário "syslog". Eu testei para transmissões duplicadas depois de aplicar essa alteração e parece ter resolvido o problema. Se o problema voltar a surgir ou eu descobrir que isso não resolveu, voltarei aqui e atualizarei a resposta.
SOLUÇÃO:
$ sudo chown syslog /var/spool/rsyslog