<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
Yes, it is. You need to increase log_fetch_limit() and log_fifo_size()
in this
case.
Keep your mind the log_fifo_size must be larger than the
log_fetch_limit.<br>
I don't suggest reducing flush_timeout but you should increase both
flush_timeout and flush_lines. Because this message (dropping message)
means your client send messages too fast and the syslog-ng cannot be
able to write them in time.<br>
Back to the original problem, I don't have much idea the reason for
disconnecting. Can you send me the tcpdump file? I suspect the problem
may be here in relation to high traffic.<br>
<br>
<br>
2010.01.11. 21:49 keltezéssel, James Pirman írta:
<blockquote cite="mid:SNT102-W39782E197269263C68FB76F76D0@phx.gbl"
type="cite">
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>pzolee,<br>
<br>
The client happens to be a custom application, so I don't have a client
config, and flow control doesn't really apply on the client side. I
was able to setup a test environment and recreated the problem. The
message immediately before the disconnect message is the following:<br>
<br>
<47>1 2010-01-11T14:36:40.239-06:00 server-04 syslog-ng 30082 -
[meta sequenceId="122761"] debug Destination queue full, dropping
message; queue_len='1000', mem_fifo_size='1000'<br>
<br>
I am guessing if I don't have flow control on the client side that I
need to play with the numbers to ensure that none of the buffers ever
get filled up. Is this correct?<br>
<br>
Thanks again,<br>
Jim<br>
<br>
<br>
<hr id="stopSpelling">Date: Thu, 7 Jan 2010 21:11:15 +0100<br>
From: <a class="moz-txt-link-abbreviated"
href="mailto:pzolee@balabit.hu">pzolee@balabit.hu</a><br>
To: <a class="moz-txt-link-abbreviated"
href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><br>
CC: <a class="moz-txt-link-abbreviated"
href="mailto:jim_pirman@hotmail.com">jim_pirman@hotmail.com</a><br>
Subject: Re: [syslog-ng] Broken TCP connection<br>
<br>
2010.01.07. 17:53 keltezéssel, James Pirman írta:
<blockquote cite="mid:SNT102-W194F9A751156F9AB19161EF7710@phx.gbl">
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Verdana;}
</style>Yes,
that is correct. The 127.0.0.1 destination is
actually my own application. <br>
</blockquote>
Ok<br>
<blockquote cite="mid:SNT102-W194F9A751156F9AB19161EF7710@phx.gbl"> <br>
I just noticed today that the problem seems to be happening when the
amount of traffic increases. Right now I am testing with
log_fetch_limit increased from 100 to 1000, and I added log_fifo_size
globally and set it to 50000. I also decreased my flush timeout from
100 to 10. This appears to be helping and I haven't dropped a
connection since. Does this seem like the correct approach?<br>
</blockquote>
I think, this is just a game with numbers but not the real reason for
this behaviour. If you have problem with large traffic, just write the
"flags(flow-control)" field into the right destination of your client
config.<br>
Answer me that I asked of you, please (client config and debug log)<br>
<blockquote cite="mid:SNT102-W194F9A751156F9AB19161EF7710@phx.gbl"> <br>
Thanks,<br>
Jim<br>
<br>
<hr id="ecxstopSpelling">Date: Thu, 7 Jan 2010 17:38:41 +0100<br>
From: <a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:pzolee@balabit.hu">pzolee@balabit.hu</a><br>
To: <a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a>;
<a moz-do-not-send="true" class="ecxmoz-txt-link-abbreviated"
href="mailto:jim_pirman@hotmail.com">jim_pirman@hotmail.com</a><br>
Subject: Re: [syslog-ng] Broken TCP connection<br>
<br>
Hi,<br>
<br>
If I understand you correctly, you have three client/servers, don't you?<br>
client(.218) -> relay server(.198) -> local server on relay
server (127.0.0.1)<br>
<br>
and the problem is that sometimes your relay server drops the
connection of client.<br>
<br>
<br>
James Pirman írta:
<blockquote cite="mid:SNT102-W3130D37832D34D2AB4B576F7710@phx.gbl">
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Verdana;}
</style>Is
there anyone that can help with this? Is there any
more information that I need to provide in order for me to get help?
I've been dealing with for weeks and am starting to think the only
solution is to write my own server.<br>
<br>
<hr id="ecxecxstopSpelling">From: <a moz-do-not-send="true"
class="ecxecxmoz-txt-link-abbreviated"
href="mailto:jim_pirman@hotmail.com">jim_pirman@hotmail.com</a><br>
To: <a moz-do-not-send="true" class="ecxecxmoz-txt-link-abbreviated"
href="mailto:syslog-ng@lists.balabit.hu">syslog-ng@lists.balabit.hu</a><br>
Date: Tue, 5 Jan 2010 11:22:36 -0600<br>
Subject: [syslog-ng] Broken TCP connection<br>
<br>
<style>
.ExternalClass .ecxhmmessage P
{padding:0px;}
.ExternalClass body.ecxhmmessage
{font-size:10pt;font-family:Verdana;}
</style>I
am currently having an issue with syslog-ng 3.0.4 where my TCP
connection between my client and server is lost throughout the day. By
looking at the pcap file from tcpdump I can tell that the TCP
connection reset was initiated by the syslog-ng server. The only
information that was initially in the log file regarding this
disconnection was the following 2 lines:<br>
<br>
<span lang="EN"><45>1 2010-01-05T10:29:32.323-06:00
server-db-01 syslog-ng 29213 - [meta sequenceId="2733719"] notice
Syslog connection closed; fd='9',
client='AF_INET(192.168.27.218:46326)',
local='AF_INET(192.168.27.198:20514)'<br>
</span></blockquote>
Can you show me the previous few lines before this log message?<br>
Because if syslog-ng drops the connection usually sends log message
about the reason of this behaviour, like this:<br>
<br>
2010-01-07T17:24:48+01:00 syslog-ng err Invalid frame header; header=''<br>
2010-01-07T17:24:48+01:00 syslog-ng notice Syslog connection closed;
fd='10', client='AF_INET(10.100.20.1:33251)',
local='AF_INET(10.30.0.32:20514)'<br>
<br>
<br>
Your client config can also be useful, the problem may be on client
side. Can you show me the debug log of your client when the connection
lost?<br>
<blockquote cite="mid:SNT102-W3130D37832D34D2AB4B576F7710@phx.gbl"><span
lang="EN"> <br>
and <br>
<br>
<span lang="EN"><46>1 2010-01-05T10:29:32.323-06:00
server-db-01 syslog-ng 29213 - [meta sequenceId="2733720"] info Closing
log transport fd; fd='9'<br>
<br>
<br>
In order to get more information, I set the following flags in init.d:
"-v -d -t".<br>
<br>
This did not give me any more information about the TCP disconnect,
however I did notice that a lot of my normal messages were preceeded by
the following text:<br>
<br>
<span lang="EN"><47>1 2010-01-05T10:29:32.323-06:00
server-db-01 syslog-ng 29213 - [meta sequenceId="2733718"] debug
Incoming log entry; line=<br>
<br>
A normal log message then follows the '=' sign. <br>
<br>
A decent percentage of my messages are preceeded by this throughout the
day, but just before the disconnect it appears that all of my messages
from server-db-01 are preceeded by the debug line. Any ideas as to
what could be going on? I have included my config file below if that
helps.<br>
<br>
Any assistance would be greatly appreciated.<br>
-Jim<br>
<br>
<span lang="EN">@version: 3.0<br>
#Default configuration file for syslog-ng.<br>
#<br>
# For a description of syslog-ng configuration file directives, please
read<br>
# the syslog-ng Administrator's guide at:<br>
#<br>
# <a moz-do-not-send="true" class="ecxecxmoz-txt-link-freetext"
href="http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html">http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html</a><br>
#<br>
options {<br>
keep_hostname(yes);<br>
keep_timestamp(yes);<br>
frac_digits(3);<br>
};<br>
source all {<br>
internal();<br>
syslog(ip("192.168.27.198") port(20514) transport("tcp")
log_fetch_limit(100));<br>
};<br>
destination allclientsfile {<br>
file("/data/local/Logs/server-$YEAR-$MONTH-$DAY.log"<br>
flags(syslog-protocol)<br>
flush_timeout(100)<br>
create_dirs(yes)<br>
dir_owner(jpirman)<br>
dir_group(jpirman)<br>
owner(jpirman)<br>
group(jpirman)<br>
template("$PRIORITY $MESSAGE")<br>
);<br>
};<br>
destination msgserver {<br>
udp("127.0.0.1" port(20515)<br>
flush_timeout(100) <br>
template("$ISODATE $PROGRAM $PRIORITY $MESSAGE\n"));<br>
};<br>
log { source(all); destination(allclientsfile);
destination(msgserver);};<br>
</span> <br>
<br>
</span></span></span><br>
<hr>Hotmail: Powerful Free email with security by Microsoft. <a
moz-do-not-send="true"
href="http://clk.atdmt.com/GBL/go/171222986/direct/01/">Get it now.</a>
<br>
<hr>Your E-mail and More On-the-Go. Get Windows Live Hotmail
Free. <a moz-do-not-send="true"
href="http://clk.atdmt.com/GBL/go/196390709/direct/01/">Sign up now.</a>
<pre><hr width="90%" size="4">
______________________________________________________________________________
Member info: <a moz-do-not-send="true"
class="ecxecxmoz-txt-link-freetext"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a moz-do-not-send="true"
class="ecxecxmoz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a moz-do-not-send="true" class="ecxecxmoz-txt-link-freetext"
href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<br>
<br>
<pre class="ecxecxmoz-signature">--
pzolee
</pre>
<br>
<hr>Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. <a
moz-do-not-send="true"
href="http://clk.atdmt.com/GBL/go/196390709/direct/01/">Sign up now.</a>
<pre><fieldset class="ecxmimeAttachmentHeader"></fieldset>
______________________________________________________________________________
Member info: <a moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a moz-do-not-send="true"
class="ecxmoz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a moz-do-not-send="true" class="ecxmoz-txt-link-freetext"
href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<br>
<br>
<div class="ecxmoz-signature">-- <br>
pzolee</div>
<br>
<hr>Hotmail: Free, trusted and rich email service. <a
moz-do-not-send="true"
href="http://clk.atdmt.com/GBL/go/196390708/direct/01/" target="_new">Get
it
now.</a>
<pre wrap=""><fieldset class="mimeAttachmentHeader"></fieldset>
______________________________________________________________________________
Member info: <a class="moz-txt-link-freetext"
href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a>
Documentation: <a class="moz-txt-link-freetext"
href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a>
FAQ: <a class="moz-txt-link-freetext"
href="http://www.campin.net/syslog-ng/faq.html">http://www.campin.net/syslog-ng/faq.html</a>
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
pzolee</div>
</body>
</html>