<div dir="ltr"><div><div>Hello,<br><br></div>The PR was merged. So syslog-ng upstream now includes this fix.<br><br></div>n<br></div><div class="gmail_extra"><br><div class="gmail_quote">On 19 September 2016 at 14:12, Scheidler, Balázs <span dir="ltr"><<a href="mailto:balazs.scheidler@balabit.com" target="_blank">balazs.scheidler@balabit.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div>Hi,<br><br></div>I've just submitted this pull request:<br><a href="https://github.com/balabit/syslog-ng/pull/1211" target="_blank">https://github.com/balabit/syslog-ng/pull/1211</a><br><br></div><div>Hope this resolves your problem.<br></div><div><br></div>Cheers,<br></div>Bazsi<span class="HOEnZb"><font color="#888888"><br></font></span></div><div class="gmail_extra"><span class="HOEnZb"><font color="#888888"><br clear="all"><div><div data-smartmail="gmail_signature"><div dir="ltr">-- <br>Bazsi<br></div></div></div></font></span><div><div class="h5">
<br><div class="gmail_quote">On Mon, Sep 19, 2016 at 10:51 AM, Claus Albøge <span dir="ltr"><<a href="mailto:ca@tdchosting.dk" target="_blank">ca@tdchosting.dk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I have ~6000 hosts sending syslog-TLS to a syslog-ng server. I’m seeing a lot of reconnects from the clients, and on the syslog-ng servers I get the following messages:<br>
<br>
TCP: request_sock_TCP: Possible SYN flooding on port 6514. Sending cookies. Check SNMP counters.<br>
<br>
netstat -s shows the following:<br>
<br>
$ netstat -s | grep -i listen<br>
10480620 times the listen queue of a socket overflowed<br>
11144791 SYNs to LISTEN sockets dropped<br>
<br>
A few resources suggest this could be due to the application's socket listen backlog.<br>
<br>
Starting syslog-ng with strace reveals the following:<br>
<br>
30067 listen(5, 255) = 0<br>
30067 listen(11, 255) = 0<br>
30067 listen(12, 255) = 0<br>
30067 listen(17, 255) = 0<br>
<br>
It seems like the backlog is hardcoded to 255 in the source.<br>
<br>
A bit more info:<br>
<br>
Saving the output from: “netstat -n | grep -c SYN_RECV” to a file a few times per second, shows the following:<br>
<br>
2016-09-19 09:54:14.767469015: 0<br>
2016-09-19 09:54:14.906638364: 0<br>
2016-09-19 09:54:15.048591252: 0<br>
2016-09-19 09:54:15.184325070: 0<br>
2016-09-19 09:54:15.324150368: 0<br>
2016-09-19 09:54:15.459749187: 0<br>
2016-09-19 09:54:15.587983284: 0<br>
2016-09-19 09:54:15.722558975: 42<br>
2016-09-19 09:54:15.873601766: 256<br>
2016-09-19 09:54:16.020145083: 247<br>
2016-09-19 09:54:16.177231109: 178<br>
2016-09-19 09:54:16.340875439: 178<br>
2016-09-19 09:54:16.488506916: 178<br>
2016-09-19 09:54:16.637815500: 176<br>
2016-09-19 09:54:16.790781389: 149<br>
2016-09-19 09:54:16.950254517: 141<br>
2016-09-19 09:54:17.125316109: 131<br>
2016-09-19 09:54:17.286839687: 131<br>
2016-09-19 09:54:17.445583267: 127<br>
2016-09-19 09:54:17.598144758: 127<br>
2016-09-19 09:54:17.747967473: 124<br>
2016-09-19 09:54:17.905359412: 2<br>
2016-09-19 09:54:18.062665358: 2<br>
2016-09-19 09:54:18.239973822: 0<br>
2016-09-19 09:54:18.398021514: 0<br>
2016-09-19 09:54:18.548074304: 0<br>
<br>
This matches the entry in /var/log/messages<br>
<br>
Sep 19 09:54:15 log03 kernel: [1116811.081666] TCP: request_sock_TCP: Possible SYN flooding on port 6514. Sending cookies. Check SNMP counters.<br>
<br>
Are there any tunings in the syslog-ng configuration I need to implement, or do I have to compile syslog-ng myself with a larger listen backlog? Perhaps this should be configurable?<br>
<br>
My source definition for syslog-TLS is like this:<br>
<br>
source s_syslog_tls {<br>
syslog(<br>
ip(0.0.0.0)<br>
port(6514)<br>
log_fetch_limit(100)<br>
log_iw_size(11000000)<br>
max-connections(10000)<br>
transport("tls")<br>
tls(<br>
key-file("/etc/pki/tls/certs/logserver.key")<br>
cert-file("/etc/pki/tls/certs/logserver.crt")<br>
peer-verify(optional-untrusted)<br>
)<br>
);<br>
};<br>
<br>
$ syslog-ng -V<br>
syslog-ng 3.8.1<br>
Installer-Version: 3.8.1<br>
Revision:<br>
Module-Directory: //usr/lib64/syslog-ng<br>
Module-Path: //usr/lib64/syslog-ng<br>
Available-Modules: disk-buffer,sdjournal,afstomp,json-plugin,cryptofuncs,graphite,cef,kvformat,add-contextual-data,dbparser,pseudofile,curl,csvparser,syslogformat,confgen,afsocket,afuser,date,linux-kmsg-format,system-source,basicfuncs,afamqp,affile,afprog<br>
Enable-Debug: off<br>
Enable-GProf: off<br>
Enable-Memtrace: off<br>
Enable-IPv6: on<br>
Enable-Spoof-Source: on<br>
Enable-TCP-Wrapper: on<br>
Enable-Linux-Caps: off<br>
<br>
syslog-ng-3.8.1-1.el7.centos.x86_64 from <a href="https://copr-be.cloud.fedoraproject.org/results/czanik/syslog-ng38/epel-7-x86_64/" rel="noreferrer" target="_blank">https://copr-be.cloud.fedoraproject.org/results/czanik/syslog-ng38/epel-7-x86_64/</a><br>
<br>
Please let me know if more info is needed.<br>
<br>
<br>
/Claus A<br>
<br>
<br>
<br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div><br></div></div></div>
<br>
<br></blockquote></div><br></div>
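<div>An added example, not part of the thread or of syslog-ng: one way to confirm the accept-queue diagnosis discussed above is to compare each listener's queue length with its effective backlog (the listen() argument capped by net.core.somaxconn) and to watch how fast the overflow counter grows. The function names and the sample <code>ss -ltn</code> output are constructed for illustration; the first counter value is the one quoted in the post.</div>

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# Constructed `ss -ltn` output. For LISTEN sockets on Linux, Recv-Q is the
# current accept-queue length and Send-Q is the effective backlog.
sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 256    255    0.0.0.0:6514       0.0.0.0:*
LISTEN 3      255    0.0.0.0:514        0.0.0.0:*
EOF
}

# Two `netstat -s` excerpts: the first value is the one quoted in the post,
# the second is constructed to stand for a later snapshot.
SAMPLE_BEFORE='    10480620 times the listen queue of a socket overflowed'
SAMPLE_AFTER='    10480876 times the listen queue of a socket overflowed'

# full_listeners PCT: read `ss -ltn` output on stdin and print
# "address recv-q backlog" for listeners at or above PCT percent of backlog.
full_listeners() {
  awk -v pct="$1" '
    $1 == "LISTEN" && $3 > 0 && $2 * 100 >= $3 * pct { print $4, $2, $3 }
  '
}

# listen_overflows: pull the accept-queue overflow counter out of
# `netstat -s` output on stdin; prints 0 when the line is absent.
listen_overflows() {
  awk '/times the listen queue of a socket overflowed/ { print $1; found = 1 }
       END { if (!found) print 0 }'
}

# overflow_delta BEFORE AFTER: growth of the counter between two snapshots.
overflow_delta() {
  before=$(printf '%s\n' "$1" | listen_overflows)
  after=$(printf '%s\n' "$2" | listen_overflows)
  echo $((after - before))
}

# Demo on the constructed samples.
sample_ss | full_listeners 80
echo "new overflows: $(overflow_delta "$SAMPLE_BEFORE" "$SAMPLE_AFTER")"
```

On a live host, feed real data instead of the samples: `ss -ltn | full_listeners 80`, and two `netstat -s` captures taken a known interval apart for `overflow_delta`.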