<div dir="ltr"><p class="MsoNormal">Hi,</p>

<p class="MsoNormal">we use syslog-ng on one of our nodes as client and rsyslogd
as server.</p>

<p class="MsoNormal">We have configured tcp to connect to server.</p>

<p class="MsoNormal">What we see is when the reboot the complete cluster (has
node where the server runs and other node where the client runs,) only the
server node is rebooted. The client node where syslog-ng runs is not rebooted.</p>

<p class="MsoNormal">The issue is after we reboot the syslog-ng connection is not
re-established and hence we are not getting any logs on the server.</p>

<p class="MsoNormal">After going through some of the posts related to the problem
and the admin guide, it mentions about time_reopen() value to solve this issue.</p>

<p class="MsoNormal">In my case, i have configured time_reopen(40). So it means
at 40s interval the tcp connection is tired to be re-established. But i see
that this is not happening.</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">Can you please help me resolve this issue. Also can you let
me know how many times and at what interval this connection re-establishment is
tried.</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">Below are some of the logs that could be helpful.</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">syslog-ng.conf:</p>

<p class="MsoNormal">cat /etc/syslog-ng/syslog-ng.conf</p>

<p class="MsoNormal"># syslog-ng configuration file.</p>

<p class="MsoNormal">#</p>

<p class="MsoNormal"># This should behave pretty much like the original syslog on
RedHat. But</p>

<p class="MsoNormal"># it could be configured a lot smarter.</p>

<p class="MsoNormal">#</p>

<p class="MsoNormal"># See syslog-ng(8) and syslog-ng.conf(5) for more
information.</p>

<p class="MsoNormal">#</p>

<p class="MsoNormal"># 20000925 <a href="mailto:gb@sysfive.com" target="_blank">gb@sysfive.com</a></p>

<p class="MsoNormal">#</p>

<p class="MsoNormal"># Updated by Frank Crawford
(&lt;<a href="mailto:Frank.Crawford@ac3.com.au" target="_blank">Frank.Crawford@ac3.com.au</a>&gt;) - 10 Aug 2002</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>- for Red Hat
7.3</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>- totally do
away with klogd</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>- add message
&quot;kernel:&quot; as is done with klogd.</p>

<p class="MsoNormal">#</p>

<p class="MsoNormal"># Updated by Frank Crawford
(&lt;<a href="mailto:Frank.Crawford@ac3.com.au" target="_blank">Frank.Crawford@ac3.com.au</a>&gt;) - 22 Aug 2002</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>- use the
log_prefix option as per Balazs Scheidler&#39;s email</p>

<p class="MsoNormal">#</p>

<p class="MsoNormal"># Updated by Jose Pedro Oliveira (&lt;jpo at
<a href="http://di.uminho.pt" target="_blank">di.uminho.pt</a>&gt;) - 05 Apr 2003</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </span>- corrected
filters &#39;f_filter2&#39; and &#39;f_filter6&#39;</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp;&nbsp;&nbsp; </span>these filters
were only allowing messages of one specific</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp;&nbsp;&nbsp; </span>priority level;
they should be allowing messages from that</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp;&nbsp;&nbsp; </span>priority and
upper levels.</p>

<p class="MsoNormal">#</p>

<p class="MsoNormal"># Updated by Jose Pedro Oliveira (&lt;jpo at
<a href="http://di.uminho.pt" target="_blank">di.uminho.pt</a>&gt;) - 25 Jan 2005</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp; </span>- Don&#39;t sync the
d_mail destination</p>

<p class="MsoNormal">#</p>

<p class="MsoNormal"># Updated by Jose Pedro Oliveira (&lt;jpo at
<a href="http://di.uminho.pt" target="_blank">di.uminho.pt</a>&gt;) - 01 Feb 2005</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp; </span>- /proc/kmsg is a
file not a pipe.</p>

<p class="MsoNormal">#<span>&nbsp;&nbsp;&nbsp;&nbsp;
</span>(<a href="https://lists.balabit.hu/pipermail/syslog-ng/2005-February/006963.html" target="_blank">https://lists.balabit.hu/pipermail/syslog-ng/2005-February/006963.html</a>)</p>

<p class="MsoNormal">#</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">options {</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>sync (0);</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>time_reopen (40);</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>log_fifo_size
(1000);</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>stats(86400);</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>long_hostnames
(off);</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>use_dns (no);</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>use_fqdn (no);</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>create_dirs (no);</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>keep_hostname
(yes);</p>

<p class="MsoNormal">};</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">source s_sys {</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>file
(&quot;/proc/kmsg&quot; log_prefix(&quot;kernel: &quot;));</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>unix-stream
(&quot;/dev/log&quot;);</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span>internal();</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp; </span># udp(ip(0.0.0.0)
port(514));</p>

<p class="MsoNormal">};</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">destination d_cons { file(&quot;/dev/console&quot;); };</p>

<p class="MsoNormal">#destination d_mesg { file(&quot;/var/log/messages&quot;);
};</p>

<p class="MsoNormal">#destination d_auth { file(&quot;/var/log/secure&quot;); };</p>

<p class="MsoNormal">destination d_mail { file(&quot;/var/log/maillog&quot;
sync(10)); };</p>

<p class="MsoNormal">destination d_spol { file(&quot;/var/log/spooler&quot;); };</p>

<p class="MsoNormal">destination d_boot { file(&quot;/var/log/boot.log&quot;); };</p>

<p class="MsoNormal">destination d_cron { file(&quot;/var/log/cron&quot;); };</p>

<p class="MsoNormal">destination d_mlal { usertty(&quot;*&quot;); };</p>

<p class="MsoNormal">destination tcp-to-master<span>&nbsp;&nbsp;
</span>{ tcp(&quot;169.254.1.82&quot; localip(&quot;169.254.1.66&quot;)
localport(601) port(601) ); };</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">#filter f_filter1<span>&nbsp;&nbsp; </span>{
facility(kern); };</p>

<p class="MsoNormal">filter f_filter2<span>&nbsp;&nbsp; </span>{
level(info..emerg) and</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>not facility(mail,authpriv,cron) and</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>not match(&quot;Connection broken to AF_INET&quot;) and</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>not match(&quot;Error connecting to remote host AF_INET&quot;); };</p>

<p class="MsoNormal">filter f_filter3<span>&nbsp;&nbsp; </span>{
facility(authpriv); };</p>

<p class="MsoNormal">filter f_filter4<span>&nbsp;&nbsp; </span>{
facility(mail); };</p>

<p class="MsoNormal">filter f_filter5<span>&nbsp;&nbsp; </span>{
level(emerg); };</p>

<p class="MsoNormal">filter f_filter6<span>&nbsp;&nbsp; </span>{
facility(uucp) or</p>

<p class="MsoNormal"><span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</span>(facility(news) and level(crit..emerg)); };</p>

<p class="MsoNormal">filter f_filter7<span>&nbsp;&nbsp; </span>{
facility(local7); };</p>

<p class="MsoNormal">filter f_filter8<span>&nbsp;&nbsp; </span>{
facility(cron); };</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">log { source(s_sys); filter(f_filter2);
destination(tcp-to-master); };</p>

<p class="MsoNormal">#log { source(s_sys); filter(f_filter1);
destination(d_cons); };</p>

<p class="MsoNormal"># Redirecting the logs to /var/log/ of CLA, to avoid log
files filling up AHUB3-A file system</p>

<p class="MsoNormal">#log { source(s_sys); filter(f_filter2);
destination(d_mesg); };</p>

<p class="MsoNormal">#log { source(s_sys); filter(f_filter3);
destination(d_auth); };</p>

<p class="MsoNormal">log { source(s_sys); filter(f_filter4); destination(d_mail);
};</p>

<p class="MsoNormal">log { source(s_sys); filter(f_filter5); destination(d_mlal);
};</p>

<p class="MsoNormal">log { source(s_sys); filter(f_filter6); destination(d_spol);
};</p>

<p class="MsoNormal">log { source(s_sys); filter(f_filter7); destination(d_boot);
};</p>

<p class="MsoNormal">log { source(s_sys); filter(f_filter8); destination(d_cron);
};</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">netstat output when the cluster was rebooted:</p>

<p class="MsoNormal">Transition from ESTABLISHED to CLOSED_WAIT</p>

<p class="MsoNormal">tcp 0 0 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> ESTABLISHED
3771/syslog-ng</p>

<p class="MsoNormal">10.34.37.082224000</p>

<p class="MsoNormal">tcp 1 0 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> CLOSE_WAIT
3771/syslog-ng</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">CLOSED_WAIT to LAST_ACK</p>

<p class="MsoNormal">tcp 1 0 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> CLOSE_WAIT
3771/syslog-ng</p>

<p class="MsoNormal">10.34.43.555017000</p>

<p class="MsoNormal">tcp 1 1 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> LAST_ACK -</p>

<p class="MsoNormal">10.34.43.644520000</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">LAST_ACK to CLOSED:</p>

<p class="MsoNormal">tcp 1 1 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> LAST_ACK -</p>

<p class="MsoNormal">10.36.29.754533000</p>

<p class="MsoNormal">tcp 1 1 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> LAST_ACK -</p>

<p class="MsoNormal">10.36.29.801733000</p>

<p class="MsoNormal">tcp 1 1 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> LAST_ACK -</p>

<p class="MsoNormal">10.36.29.846228000</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">10.36.29.892427000</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">10.36.29.931181000</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">SYN_SENT:</p>

<p class="MsoNormal">10.36.43.192808000</p>

<p class="MsoNormal">tcp 0 1 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> SYN_SENT
3771/syslog-ng</p>

<p class="MsoNormal">10.36.43.238811000</p>

<p class="MsoNormal">tcp 0 1 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> SYN_SENT
3771/syslog-ng</p>

<p class="MsoNormal">10.36.43.279561000</p>

<p class="MsoNormal">tcp 0 1 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> SYN_SENT
3771/syslog-ng</p>

<p class="MsoNormal">continues&hellip;</p>

<p class="MsoNormal">10.36.46.180840000</p>

<p class="MsoNormal">tcp 0 1 <a href="http://169.254.1.67:601" target="_blank">169.254.1.67:601</a> <a href="http://169.254.1.82:601" target="_blank">169.254.1.82:601</a> SYN_SENT
3771/syslog-ng</p>

<p class="MsoNormal">10.36.46.225891000</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">10.36.46.275090000</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">10.36.46.318485000</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">10.36.46.359169000</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">The server node comes up and it start rsyslogd after some
more time. But when this starts, there is no syn packets received by rsyslogd
and hence the connection is not established.</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">Can you please let me know where exactly 40s(configured
time_reopen value) coming into picture here in the netstat output?</p>

<p class="MsoNormal">&nbsp;</p>

<p class="MsoNormal">syslog-ng version:</p>

<p class="MsoNormal">syslog-ng 1.6.12</p><p class="MsoNormal"><br></p><p class="MsoNormal">-----------------------------------------------------------------------------------------------------------------------------------------------------<br>
</p><p class="MsoNormal">I got a reply from one of the balabit guys that i have to use version 3.4.</p><p class="MsoNormal">I am currently trying to use it. <br></p><p class="MsoNormal">But i still have some questions below.</p>
<p class="MsoNormal">1. How many number of times the connection is retried.</p><p class="MsoNormal">2. when exactly the connection retry happens (when will it get to know when it has to retry)</p><p class="MsoNormal">3. time_reopen(40), what exactly is 40seconds here.</p>
<p class="MsoNormal"><br></p><br clear="all"><br>-- <br>Regards,<br>Prasad
</div>