<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
2010.01.07. 17:53 keltezéssel, James Pirman írta:
<blockquote cite="mid:SNT102-W194F9A751156F9AB19161EF7710@phx.gbl"
type="cite">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>Yes,
that is correct. The 127.0.0.1 destination is actually my own
application. <br>
</blockquote>
Ok<br>
<blockquote cite="mid:SNT102-W194F9A751156F9AB19161EF7710@phx.gbl"
type="cite"> <br>
I just noticed today that the problem seems to be happening when the
amount of traffic increases. Right now I am testing with
log_fetch_limit increased from 100 to 1000, and I added log_fifo_size
globally and set it to 50000. I also decreased my flush timeout from
100 to 10. This appears to be helping and I haven't dropped a
connection since. Does this seem like the correct approach?<br>
</blockquote>
I think, this is just a game with numbers but not the real reason for
this behaviour. If you have problem with large traffic, just write the
"flags(flow-control)" field into the right destination of your client
config.<br>
Answer me that I asked of you, please (client config and debug log)<br>
<blockquote cite="mid:SNT102-W194F9A751156F9AB19161EF7710@phx.gbl"
type="cite"> <br>
Thanks,<br>
Jim<br>
<br>
<hr id="stopSpelling">
Date: Thu, 7 Jan 2010 17:38:41 +0100<br>
From: <a class="moz-txt-link-abbreviated" href="mailto:pzolee@balabit.hu">pzolee@balabit.hu</a><br>
To: <a class="moz-txt-link-abbreviated" href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>; <a class="moz-txt-link-abbreviated" href="mailto:jim_pirman@hotmail.com">jim_pirman@hotmail.com</a><br>
Subject: Re: [syslog-ng] Broken TCP connection<br>
<br>
Hi,<br>
<br>
If I understand you correctly, you have three client/servers, don't you?<br>
client(.218) -> relay server(.198) -> local server on relay
server (127.0.0.1)<br>
<br>
and the problem is that sometimes your relay server drops the
connection of client.<br>
<br>
<br>
James Pirman írta:
<blockquote cite="mid:SNT102-W3130D37832D34D2AB4B576F7710@phx.gbl">
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Verdana;}
</style>Is there anyone that can help with this? Is there any more
information that I need to provide in order for me to get help? I've
been dealing with for weeks and am starting to think the only solution
is to write my own server.<br>
<br>
<hr id="ecxstopSpelling">
From: <a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:jim_pirman@hotmail.com">jim_pirman@hotmail.com</a><br>
To: <a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><br>
Date: Tue, 5 Jan 2010 11:22:36 -0600<br>
Subject: [syslog-ng] Broken TCP connection<br>
<br>
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Verdana;}
</style>
I am currently having an issue with syslog-ng 3.0.4 where my TCP
connection between my client and server is lost throughout the day. By
looking at the pcap file from tcpdump I can tell that the TCP
connection reset was initiated by the syslog-ng server. The only
information that was initially in the log file regarding this
disconnection was the following 2 lines:<br>
<br>
<span lang="EN"><45>1 2010-01-05T10:29:32.323-06:00
server-db-01 syslog-ng 29213 - [meta sequenceId="2733719"] notice
Syslog connection closed; fd='9',
client='AF_INET(192.168.27.218:46326)',
local='AF_INET(192.168.27.198:20514)'<br>
</span></blockquote>
Can you show me the previous few lines before this log message?<br>
Because if syslog-ng drops the connection usually sends log message
about the reason of this behaviour, like this:<br>
<br>
2010-01-07T17:24:48+01:00 syslog-ng err Invalid frame header; header=''<br>
2010-01-07T17:24:48+01:00 syslog-ng notice Syslog connection closed;
fd='10', client='AF_INET(10.100.20.1:33251)',
local='AF_INET(10.30.0.32:20514)'<br>
<br>
<br>
Your client config can also be useful, the problem may be on client
side. Can you show me the debug log of your client when the connection
lost?<br>
<blockquote cite="mid:SNT102-W3130D37832D34D2AB4B576F7710@phx.gbl"><span
lang="EN"> <br>
and <br>
<br>
<span lang="EN"><46>1 2010-01-05T10:29:32.323-06:00
server-db-01 syslog-ng 29213 - [meta sequenceId="2733720"] info Closing
log transport fd; fd='9'<br>
<br>
<br>
In order to get more information, I set the following flags in init.d:
"-v -d -t".<br>
<br>
This did not give me any more information about the TCP disconnect,
however I did notice that a lot of my normal messages were preceeded by
the following text:<br>
<br>
<span lang="EN"><47>1 2010-01-05T10:29:32.323-06:00
server-db-01 syslog-ng 29213 - [meta sequenceId="2733718"] debug
Incoming log entry; line=<br>
<br>
A normal log message then follows the '=' sign. <br>
<br>
A decent percentage of my messages are preceeded by this throughout the
day, but just before the disconnect it appears that all of my messages
from server-db-01 are preceeded by the debug line. Any ideas as to
what could be going on? I have included my config file below if that
helps.<br>
<br>
Any assistance would be greatly appreciated.<br>
-Jim<br>
<br>
<span lang="EN">@version: 3.0<br>
#Default configuration file for syslog-ng.<br>
#<br>
# For a description of syslog-ng configuration file directives, please
read<br>
# the syslog-ng Administrator's guide at:<br>
#<br>
# <a moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html">http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html</a><br>
#<br>
options {<br>
keep_hostname(yes);<br>
keep_timestamp(yes);<br>
frac_digits(3);<br>
};<br>
source all {<br>
internal();<br>
syslog(ip("192.168.27.198") port(20514) transport("tcp")
log_fetch_limit(100));<br>
};<br>
destination allclientsfile {<br>
file("/data/local/Logs/server-$YEAR-$MONTH-$DAY.log"<br>
flags(syslog-protocol)<br>
flush_timeout(100)<br>
create_dirs(yes)<br>
dir_owner(jpirman)<br>
dir_group(jpirman)<br>
owner(jpirman)<br>
group(jpirman)<br>
template("$PRIORITY $MESSAGE")<br>
);<br>
};<br>
destination msgserver {<br>
udp("127.0.0.1" port(20515)<br>
flush_timeout(100) <br>
template("$ISODATE $PROGRAM $PRIORITY $MESSAGE\n"));<br>
};<br>
log { source(all); destination(allclientsfile);
destination(msgserver);};<br>
</span> <br>
<br>
</span></span></span><br>
<hr>
Hotmail: Powerful Free email with security by Microsoft. <a
moz-do-not-send="true"
href="http://clk.atdmt.com/GBL/go/171222986/direct/01/">Get it now.</a>
<br>
<hr>
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. <a
moz-do-not-send="true"
href="http://clk.atdmt.com/GBL/go/196390709/direct/01/">Sign up now.</a>
<pre><hr width="90%" size="4">
______________________________________________________________________________
Member info: <a moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a moz-do-not-send="true"
class="ecxmoz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<br>
<br>
<pre class="ecxmoz-signature">--
pzolee
</pre>
<br>
<hr>Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. <a
moz-do-not-send="true"
href="http://clk.atdmt.com/GBL/go/196390709/direct/01/" target="_new">Sign
up now.</a>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext" href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext" href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext" href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
pzolee</div>
</body>
</html>