I haven't seen the max-connections message but the ESTABLISHED connections (from the same source) keep incrementing every couple of minutes on the target (even though the sender only ever shows one connection). The only other point I had forgotten to mention (and it shouldn't matter) is that this traffic runs through a Radware (formerly Nortel) Application Switch 2424 (I previously had a similar syslog config but different data stream running an Alteon 180e with no issues). The IP 10.10.10.41 is the load balance IP (VIP).<br>
<br>I upgraded both source and target to 3.0.3 in case that would help (it hasn't).<br><br>SENDER (10.10.10.227)<br>(syslog-ng.conf snippet)<br>options {<br> time_reopen (2);<br> log_fifo_size (10000);<br>
long_hostnames (off);<br> use_dns (no);<br> use_fqdn (no);<br> create_dirs (yes);<br> dir_perm (0755);<br> perm (0644);<br> chain_hostnames (no);<br> keep_hostname (yes);<br>
stats_freq (3600);<br> log_msg_size (65535);<br> log_fifo_size (65536);<br> };<br><br>destination d_data { tcp("10.10.10.41" so_sndbuf(2094752) so_keepalive(yes)); };<br><br>(netstat)<br>
tcp 0 0 10.10.10.227:38370 10.10.10.41:514 ESTABLISHED 2067/syslog-ng<br><br><br>RECEIVER (10.10.10.31)<br>(syslog-ng.conf snippet)<br>
source remote {<br> udp(ip(0.0.0.0) port(514) so_rcvbuf(1048576));<br> tcp(ip(0.0.0.0) port(514) max-connections(500) so_rcvbuf(1048576) so_keepalive(yes));<br>};<br><br>(netstat)<br>tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 2086/syslog-ng<br>
tcp 0 0 10.10.10.31:514 10.10.10.227:9501 ESTABLISHED 2086/syslog-ng<br>tcp 0 0 10.10.10.31:514 10.10.10.227:9503 ESTABLISHED 2086/syslog-ng<br>
tcp 0 0 10.10.10.31:514 10.10.10.227:9499 ESTABLISHED 2086/syslog-ng<br>tcp 0 0 10.10.10.31:514 10.10.10.227:9509 ESTABLISHED 2086/syslog-ng<br>
tcp 0 0 10.10.10.31:514 10.10.10.227:9511 ESTABLISHED 2086/syslog-ng<br>tcp 0 0 10.10.10.31:514 10.10.10.227:9505 ESTABLISHED 2086/syslog-ng<br>
tcp 0 0 10.10.10.31:514 10.10.10.227:9507 ESTABLISHED 2086/syslog-ng<br>tcp 0 0 10.10.10.31:514 10.10.10.227:9513 ESTABLISHED 2086/syslog-ng<br>
<br><br><div class="gmail_quote">On Thu, Jul 30, 2009 at 3:25 AM, Balazs Scheidler <span dir="ltr"><<a href="mailto:bazsi@balabit.hu">bazsi@balabit.hu</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On Wed, 2009-07-29 at 11:22 -0400, Matt Pinkham wrote:<br>
> For the last 24 hours on versions 2.0.4, 2.1.4, & 3.0.3 syslog-ng will<br>
> stop taking new connections via a listening port every 100-110 minutes<br>
> (aka it will hang up immediately). It will never recover on its own<br>
> and has to be restarted. I haven't figured out the exact interval but<br>
> hopefully that will be close enough to work with (note that the<br>
> traffic is fairly low -- 10 mesgs/sec -- 500K-600K data/min). I had a<br>
> program logging data locally via /dev/log into a named directory and<br>
> then moved this program to a remote server. That remote server does<br>
> not seem to be having an issue. I have observed this issue on two<br>
> separate servers (RHEL4.8) that were taking this data feed. I have<br>
> tried with flush_lines/sync & time_reopen commented out with no<br>
> difference as well as log_fifo_size, log_mesg_size,so_recvbuf<br>
> commented out. There are no obvious messages about why syslog-ng<br>
> stops working (even with debug and verbose enabled). Note that these<br>
> two servers (that stop working) are behind an Alteon 2424 switch<br>
> (although I have other feeds to other servers working fine behind this<br>
> switch). Ideas? Need more data?<br>
<br>
<br>
does this mean that syslog-ng is closing the connection immediately? I<br>
see only one reason that causes this: max_connections() limit is<br>
reached.<br>
<br>
try increasing max-connections()<br>
<br>
Although this case is logged in syslog-ng's log.<br>
<font color="#888888"><br>
<br>
--<br>
Bazsi<br>
<br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Some men see things as they are and ask why. I see things that never were and ask for initiative rolls.<br>
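An added example, not part of the original thread or of syslog-ng: one way to track the symptom described above, by comparing two receiver-side netstat snapshots to see which peer's ESTABLISHED count on port 514 is growing and how much room is left under max-connections(500). The snapshots, the peer 10.10.10.40 and the function names are constructed for illustration.

```python
from collections import Counter

# Constructed snapshots shaped like the receiver's `netstat -tnp` output in the post.
# 10.10.10.40 and the sshd line are made up for the example.
BEFORE = """\
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 2086/syslog-ng
tcp 0 0 10.10.10.31:514 10.10.10.227:9499 ESTABLISHED 2086/syslog-ng
tcp 0 0 10.10.10.31:514 10.10.10.227:9501 ESTABLISHED 2086/syslog-ng
tcp 0 0 10.10.10.31:514 10.10.10.40:40112 ESTABLISHED 2086/syslog-ng
tcp 0 0 10.10.10.31:22 10.10.10.5:51000 ESTABLISHED 1500/sshd
"""
# A later snapshot: two more sockets from the same sender.
AFTER = BEFORE + """\
tcp 0 0 10.10.10.31:514 10.10.10.227:9503 ESTABLISHED 2086/syslog-ng
tcp 0 0 10.10.10.31:514 10.10.10.227:9505 ESTABLISHED 2086/syslog-ng
"""

def established_by_peer(netstat_text, port=514):
    """Count ESTABLISHED TCP connections to the local port, keyed by remote IP."""
    peers = Counter()
    for line in netstat_text.splitlines():
        f = line.split()
        # Fields: proto recv-q send-q local remote state pid/program
        if len(f) < 6 or not f[0].startswith("tcp") or f[5] != "ESTABLISHED":
            continue
        local_port = f[3].rsplit(":", 1)[-1]
        remote_ip = f[4].rsplit(":", 1)[0]
        if local_port == str(port):
            peers[remote_ip] += 1
    return peers

def growing_peers(before, after, port=514):
    """Peers whose connection count rose between snapshots: {ip: (old, new)}."""
    old = established_by_peer(before, port)
    new = established_by_peer(after, port)
    return {ip: (old[ip], n) for ip, n in new.items() if n > old[ip]}

def headroom(netstat_text, max_connections=500, port=514):
    """Slots left before the listener's max-connections() limit is reached."""
    return max_connections - sum(established_by_peer(netstat_text, port).values())

if __name__ == "__main__":
    for ip, (old, new) in sorted(growing_peers(BEFORE, AFTER).items()):
        print(f"{ip}: {old} -> {new} established connections")
    print(f"headroom under max-connections: {headroom(AFTER)}")
```
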