<div dir="ltr">Hi,<div><br></div>I checked your config file and I did not find the max-connections() option. The default value is 10 for this option. <div>Increase its value to the necessary value. Maybe this helps.<div><br></div><div>BR.</div><div>Zoli</div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 28, 2015 at 10:57 PM, Michael Starks <span dir="ltr"><<a href="mailto:syslog-ng-list@michaelstarks.com" target="_blank">syslog-ng-list@michaelstarks.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am running syslog-ng 3.4.7 as distributed by ELSA. I have a problem<br>
whereby nxlog agents (v2.9.1347) making a new TCP connection to the<br>
syslog-ng server repeatedly show lines like this in nxlog.log:<br>
2015-09-28 14:28:25 INFO reconnecting in 1 seconds<br>
<br>
Many connections are working, but it especially has a problem with new<br>
agents coming online. Sometimes when I restart syslog-ng it helps, but<br>
not always.<br>
<br>
Other than the standard ELSA config, I am simply also writing to a<br>
filesystem destination. If I remove the <a href="http://elsa.pl" rel="noreferrer" target="_blank">elsa.pl</a> destination, I still<br>
have problems.<br>
<br>
The problem isn't necessarily related to just nxlog agents. I also have<br>
a Cisco proxy that is using TCP to send logs, and that is also getting<br>
RSTs sent to it.<br>
<br>
I tried v3.6.3 and that didn't seem to help.<br>
<br>
A packet capture shows the SYN from the agent, a SYN ACK, another SYN,<br>
then a FIN *prior* to the data packet being received. Immediately after<br>
the data packet, the log server sends a RST. As a result, I have a bunch<br>
of TIME_WAITs open.<br>
<br>
No host firewall is running.<br>
<br>
I am currently only bursting to about 350 EPS and I have syslog-ng<br>
running in the foreground looking for dropped packets like so (there<br>
haven't been any): /usr/local/syslog-ng-3.4.7/sbin/syslog-ng -Ftvd 2>&1<br>
| grep "dropping messages"<br>
<br>
Any assistance would be greatly appreciated!<br>
<br>
Currently loaded syslog-ng.conf:<br>
# cat /usr/local/syslog-ng/etc/syslog-ng.conf<br>
@version: 3.2<br>
<br>
<br>
<br>
options {<br>
<br>
log_fifo_size(30000);<br>
<br>
#threaded(yes); # enable if using Syslog-NG 3.3.x<br>
<br>
use_dns (no); # IMPORTANT! A busy syslog server can become unresponsive if DNS lookups fail, so we disable them.<br>
<br>
use_fqdn (no);<br>
<br>
keep_hostname (yes);<br>
<br>
};<br>
<br>
<br>
<br>
source s_network {<br>
<br>
# no-multi-line means parse message as-is, newlines included, to allow for multi-line messages<br>
<br>
tcp(flags(no-multi-line));<br>
<br>
udp(flags(no-multi-line));<br>
<br>
};<br>
<br>
<br>
<br>
source s_internal {<br>
<br>
internal();<br>
<br>
};<br>
<br>
<br>
<br>
source s_realtime {<br>
<br>
pipe("/data/elsa/tmp/realtime" flags(expect-hostname));<br>
<br>
};<br>
<br>
<br>
<br>
source s_import {<br>
<br>
pipe("/data/elsa/tmp/import" flags(expect-hostname<br>
syslog-protocol));<br>
<br>
};<br>
<br>
<br>
<br>
source s_ops {<br>
<br>
unix-dgram("/data/elsa/tmp/ops" flags(expect-hostname<br>
syslog-protocol no-multi-line));<br>
<br>
};<br>
<br>
<br>
<br>
parser p_db {<br>
<br>
db-parser(file("/usr/local/elsa/node/conf/merged.xml"));<br>
<br>
};<br>
<br>
<br>
<br>
filter f_rewrite_cisco_program { match('^(%[A-Z\_]+\-\d\-[0-9A-Z\_]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };<br>
<br>
filter f_rewrite_cisco_program_2 { match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };<br>
<br>
filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };<br>
<br>
filter f_rewrite_cisco_program_4 { match('^\d{6}: [\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?: [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches" "nobackref")); };<br>
<br>
<br>
<br>
filter f_unclassified { "${.classifier.class}" eq "unknown" };<br>
<br>
rewrite r_unparsed { set("98", value("MSGID")); };<br>
<br>
<br>
<br>
rewrite r_cisco_program {<br>
<br>
set("$1", value("PROGRAM")<br>
condition(filter(f_rewrite_cisco_program) or<br>
filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)<br>
or filter(f_rewrite_cisco_program_4)));<br>
<br>
set("$2", value("MESSAGE")<br>
condition(filter(f_rewrite_cisco_program) or<br>
filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)<br>
or filter(f_rewrite_cisco_program_4)));<br>
<br>
};<br>
<br>
<br>
<br>
rewrite r_snare {<br>
subst("MSWinEventLog.+(Security|Application|System).+", "$1",<br>
value("PROGRAM") flags(global)); };<br>
<br>
# URL encode any literal pipes so the tab rewriter doesn't introduce ambiguity<br>
<br>
rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE") flags(global)<br>
condition(program("bro_*" type(glob)))); };<br>
<br>
#rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE")<br>
flags(global)); };<br>
<br>
rewrite r_pipes { subst("\t", "|", value("MESSAGE") flags(global)); };<br>
<br>
rewrite r_host { set("$SOURCEIP", value("HOST")); };<br>
<br>
rewrite r_extracted_host { set("$pdb_extracted_sourceip", value("HOST")<br>
condition("$pdb_extracted_sourceip" != "")); };<br>
<br>
rewrite r_extracted_timestamp {<br>
<br>
set("$S_UNIXTIME", value("SOURCE"));<br>
<br>
set("$pdb_extracted_timestamp", value("SOURCE")<br>
condition("$pdb_extracted_timestamp" != ""));<br>
<br>
};<br>
<br>
<br>
<br>
template t_db_parsed {<br>
template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n");<br>
};<br>
<br>
template t_db_parsed_import {<br>
template("$MSGID\t$SOURCE\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n");<br>
};<br>
<br>
template t_ops {<br>
template("$S_UNIXTIME\t$HOST\t$PROGRAM\t$MSGID\t$MSGONLY\t${.SDATA.elsa@32473.line_number}\t${.SDATA.elsa@32473.pid}\t${.SDATA.elsa@32473.client}\t${.SDATA.elsa@32473.qid}\t\t\t${.SDATA.elsa@32473.priority}\t${.SDATA.elsa@32473.file}\t${.SDATA.elsa@32473.method}\t${.SDATA.elsa@32473.hostname}\t\t\n");<br>
};<br>
<br>
template t_unparsed { template("Unparsed host=$HOST program=$PROGRAM<br>
msg=$MSGONLY\n"); };<br>
<br>
<br>
<br>
destination d_elsa { program("perl /usr/local/elsa/node/<a href="http://elsa.pl" rel="noreferrer" target="_blank">elsa.pl</a> -c<br>
/etc/elsa_node.conf" template(t_db_parsed)); };<br>
<br>
destination d_elsa_import { program("perl /usr/local/elsa/node/<a href="http://elsa.pl" rel="noreferrer" target="_blank">elsa.pl</a><br>
-c /etc/elsa_node.conf -f __IMPORT__" template(t_db_parsed_import)); };<br>
<br>
destination d_elsa_ops { program("perl /usr/local/elsa/node/<a href="http://elsa.pl" rel="noreferrer" target="_blank">elsa.pl</a> -c<br>
/etc/elsa_node.conf -f __OPS__" template(t_ops)); };<br>
<br>
destination d_unclassified { unix-dgram("/data/elsa/tmp/ops"<br>
flags(syslog-protocol) template(t_unparsed)); };<br>
<br>
destination d_debug { unix-dgram("/data/elsa/tmp/debug"<br>
template(t_db_parsed)); };<br>
<br>
<br>
<br>
# Custom destination -Mike<br>
<br>
destination d_hosts {<br>
<br>
file("/data/logs/$HOST/$HOST.log");<br>
<br>
};<br>
<br>
<br>
<br>
include /etc/elsa_syslog-ng.conf;<br>
<br>
<br>
<br>
#log {<br>
<br>
# source(s_ops);<br>
<br>
# destination(d_elsa_ops);<br>
<br>
# flags(final);<br>
<br>
#};<br>
<br>
<br>
<br>
#log {<br>
<br>
# source(s_network);<br>
<br>
# source(s_realtime);<br>
<br>
# rewrite(r_host);<br>
<br>
# rewrite(r_cisco_program);<br>
<br>
# rewrite(r_snare);<br>
<br>
# rewrite(r_from_pipes);<br>
<br>
# rewrite(r_pipes);<br>
<br>
# parser(p_db);<br>
<br>
# rewrite(r_extracted_host);<br>
<br>
# ###FILTER_UNPARSED###log { filter(f_unclassified);<br>
rewrite(r_unparsed); destination(d_unclassified); flags(final); };<br>
<br>
# log { destination(d_elsa); };<br>
<br>
# log { destination(d_debug); };<br>
<br>
#};<br>
<br>
<br>
<br>
#log {<br>
<br>
# source(s_import);<br>
<br>
# rewrite(r_cisco_program);<br>
<br>
# rewrite(r_snare);<br>
<br>
# rewrite(r_from_pipes);<br>
<br>
# rewrite(r_pipes);<br>
<br>
# parser(p_db);<br>
<br>
# rewrite(r_extracted_host);<br>
<br>
# rewrite(r_extracted_timestamp);<br>
<br>
# destination(d_elsa_import);<br>
<br>
#};<br>
<br>
<br>
# cat /etc/elsa_syslog-ng.conf<br>
<br>
##################################<br>
<br>
#### Global Options #########<br>
<br>
##################################<br>
<br>
<br>
<br>
options {<br>
<br>
check_hostname(yes);<br>
<br>
create_dirs(yes);<br>
<br>
dir_group(log_analyst);<br>
<br>
dir_owner(root);<br>
<br>
dir_perm(0550);<br>
<br>
group(log_analyst);<br>
<br>
owner(root);<br>
<br>
perm(0640);<br>
<br>
# Let's not be vulnerable to DNS attacks and general problems<br>
<br>
dns_cache(no);<br>
<br>
use_dns(no);<br>
<br>
# Keep the original hostname (good for relay servers)<br>
<br>
keep_hostname(yes);<br>
<br>
# Keep original timestamp (not received time) - this could be forged, so use caution during forensics examinations<br>
<br>
keep_timestamp(yes);<br>
<br>
};<br>
<br>
<br>
<br>
##################################<br>
<br>
########### Sources #########<br>
<br>
##################################<br>
<br>
<br>
<br>
# Source for local system logs<br>
<br>
source s_local {<br>
<br>
# message generated by Syslog-NG<br>
<br>
internal();<br>
<br>
# standard Linux log source (this is the default place for the syslog() function to send logs to)<br>
<br>
unix-stream("/dev/log");<br>
<br>
# messages from the kernel<br>
<br>
file("/proc/kmsg" program_override("kernel: "));<br>
<br>
};<br>
<br>
<br>
<br>
##################################<br>
<br>
######### Destinations ##########<br>
<br>
##################################<br>
<br>
<br>
<br>
<br>
<br>
# This is the directory structure that will be automatically created as logs come in<br>
<br>
destination d_hosts {<br>
<br>
file("/data/logs/$HOST/$HOST.log");<br>
<br>
};<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">---<div>zoli</div></div></div>
</div>
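A small checker for the point Zoli raises above, added here as an example and not code from the thread or from syslog-ng itself: it scans a syslog-ng configuration for TCP-based source drivers and reports the effective max-connections() limit, flagging drivers that silently fall back to the default of 10 and so refuse the eleventh concurrent agent. The driver list (tcp, tcp6, network, syslog) and the constructed sample config, which mirrors the quoted s_network source, are assumptions; the value 500 is illustrative only.

```python
import re

DEFAULT_MAX_CONNECTIONS = 10  # syslog-ng's default when max-connections() is absent
TCP_DRIVERS = ("tcp", "tcp6", "network", "syslog")  # network()/syslog() default to TCP

def strip_comments(conf):
    # '#' starts a comment to end of line (assumes no '#' inside quoted strings)
    return "\n".join(line.split("#", 1)[0] for line in conf.splitlines())

def balanced(text, start, open_ch, close_ch):
    """Return the text enclosed by the delimiter pair that opens at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == open_ch:
            depth += 1
        elif text[i] == close_ch:
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced %r in config" % open_ch)

def tcp_source_limits(conf):
    """Return (source, driver, effective max-connections, explicit?) per TCP driver."""
    text = strip_comments(conf)
    findings = []
    for src in re.finditer(r"\bsource\s+([\w-]+)\s*\{", text):
        body = balanced(text, src.end() - 1, "{", "}")
        for drv in re.finditer(r"\b(%s)\s*\(" % "|".join(TCP_DRIVERS), body):
            args = balanced(body, drv.end() - 1, "(", ")")
            if re.search(r'transport\(\s*"?udp"?\s*\)', args):
                continue  # UDP transport has no connection limit to check
            limit = re.search(r"max[-_]connections\s*\(\s*(\d+)\s*\)", args)
            findings.append((src.group(1), drv.group(1),
                             int(limit.group(1)) if limit else DEFAULT_MAX_CONNECTIONS,
                             limit is not None))
    return findings

# constructed sample modelled on the quoted s_network source; 500 is illustrative only
SAMPLE_CONF = """
source s_network { tcp(flags(no-multi-line)); udp(flags(no-multi-line)); };
source s_network_fixed {
    tcp(flags(no-multi-line) max-connections(500));
    # tcp(max-connections(999));  commented-out driver must be ignored
};
source s_udp_only { network(transport("udp") port(514)); };
"""

if __name__ == "__main__":
    for name, driver, limit, explicit in tcp_source_limits(SAMPLE_CONF):
        print(name, driver, limit, "explicit" if explicit else "DEFAULT: raise max-connections()")
```

Run it against the live syslog-ng.conf (and any included files) to see which TCP sources are still on the default; a source on the default with more than ten agents will show exactly the SYN/SYN-ACK then FIN/RST pattern from the capture.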