<p dir="ltr"><br>
On May 7, 2013 10:51 PM, "Matt Wise" <<a href="mailto:matt@nextdoor.com">matt@nextdoor.com</a>> wrote:<br>
><br>
> I've done some more testing and now have narrowed the problem down to our Amazon ELB. Because the OSS version of Syslog-ng does not support failing over destinations from hostA to hostB when one fails, we are using an ELB in front of our syslog servers.<br>
><br>
> When we have no ELB in place, our syslog-ng client detects the network drop immediately and begins to try to reconnect. When the ELB is in the way, it never detects the network connection drop. I don't understand why. I've tested a bit manually using openssl to connect to our remote endpoint through the ELB and directly and I don't see any difference in the way network connections are killed off. Any thoughts here?<br>
><br></p>
<p dir="ltr">Hmm interesting. The difference might be how connections are terminated. Can you check that using tcpdump?</p>
<p dir="ltr">> --matt<br>
><br>
> On May 6, 2013, at 9:53 AM, Matt Wise <<a href="mailto:matt@nextdoor.com">matt@nextdoor.com</a>> wrote:<br>
><br>
> > We're running Syslog-NG 3.3.4 in our mixed Ubuntu 10/12 environment. We use SSL for all of our syslog-to-syslog connections, and have logging going to two different data pipelines.<br>
> ><br>
> > Data Dest #1: SyslogNG Client ----(SSL)----> SyslogNG Server ------> Logstash File-read-in-service<br>
> > Data Dest #2: SyslogNG Client ----(SSL)----> Stunnel Service ------> Flume Syslog Service<br>
> ><br>
> > The data streams work fine most of the time, but if we restart either the remote syslog-ng server, or the stunnel service, it seems that the syslog ng clients don't try to reconnect for a LONG time (or ever) to the endpoints again. I end up seeing the connection on the client go into a CLOSE_WAIT state, and syslog-ng keeps thinking that its sending log events through the connection, so it seems to never try to reconnect.<br>
> ><br>
> > I've tried setting time_reopen() to 0, 1 and 5... no luck or change in behavior.<br>
> ><br>
> > Any thoughts?<br>
> ><br>
> > --Matt<br>
> ><br>
><br>
> ______________________________________________________________________________<br>
> Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
> Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
> FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
><br>
</p>