<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:Verdana
}
--></style>
</head>
<body class='hmmessage'>
Unfortunately I no longer have the tcpdump since we only keep them for 2 or 3 days. Ever since I increased the parameters the problem has stopped happening. I will have to recreate this again in the test environment to get a new tcpdump. However, because increasing the size stopped the problem, I do not think it is a problem with EOF. <BR>
<BR>
<BR>> From: bazsi@balabit.hu<BR>> To: syslog-ng@lists.balabit.hu<BR>> Date: Thu, 14 Jan 2010 10:12:40 +0100<BR>> Subject: Re: [syslog-ng] Broken TCP connection<BR>> <BR>> On Mon, 2010-01-11 at 14:49 -0600, James Pirman wrote:<BR>> > pzolee,<BR>> > <BR>> > The client happens to be a custom application, so I don't have a<BR>> > client config, and flow control doesn't really apply on the client<BR>> > side. I was able to setup a test environment and recreated the<BR>> > problem. The message immediately before the disconnect message is the<BR>> > following:<BR>> > <BR>> > <47>1 2010-01-11T14:36:40.239-06:00 server-04 syslog-ng 30082 - [meta<BR>> > sequenceId="122761"] debug Destination queue full, dropping message;<BR>> > queue_len='1000', mem_fifo_size='1000'<BR>> > <BR>> > I am guessing if I don't have flow control on the client side that I<BR>> > need to play with the numbers to ensure that none of the buffers ever<BR>> > get filled up. Is this correct?<BR>> <BR>> That message alone should not cause syslog-ng to initiate a disconnect.<BR>> Do you have TLS enabled?<BR>> <BR>> The only reasons syslog-ng disconnects are:<BR>> * either some kind of protocol format issue<BR>> * or an EOF on the client side<BR>> <BR>> Protocol errors are logged. The exact reasons with messages follow:<BR>> <BR>> msg_error("Error reading frame header",<BR>> evt_tag_int("fd", self->super.transport->fd),<BR>> evt_tag_errno("error", errno),<BR>> NULL);<BR>> <BR>> msg_error("Invalid frame header", <BR>> evt_tag_printf("header", "%.*s", (gint) (i - self->buffer_pos), &self->buffer[self->buffer_pos]),<BR>> NULL);<BR>> <BR>> msg_error("Incoming frame larger than log_msg_size()",<BR>> evt_tag_int("log_msg_size", self->buffer_size - LPFS_FRAME_BUFFER),<BR>> evt_tag_int("frame_length", self->frame_len),<BR>> NULL);<BR>> <BR>> As I see with the syslog() protocol, EOFs are not logged, only with <BR>> the traditional protocol. I've added this log message with this patch<BR>> to OSE 3.1, but you should be able to apply it to 3.0 as well.<BR>> <BR>> commit bbc248bc8a577a299036d2ab6898d72f657fc7a0<BR>> Author: Balazs Scheidler <bazsi@balabit.hu><BR>> Date: Thu Jan 14 10:11:33 2010 +0100<BR>> <BR>> logproto: added log message about EOF in the new style syslog protocol handler<BR>> <BR>> Are you sure that it wasn't the client which sent a FIN packet in <BR>> the first place? Can you show at least the end of tcpdump -rn <pcap file>?<BR>> <BR>> -- <BR>> Bazsi<BR>> <BR>> ______________________________________________________________________________<BR>> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng<BR>> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng<BR>> FAQ: http://www.campin.net/syslog-ng/faq.html<BR>> <BR> <br /><hr />Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. <a href='http://clk.atdmt.com/GBL/go/196390709/direct/01/' target='_new'>Sign up now.</a></body>
</html>