<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Hi,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Do you have flags(flow-control) specified in your log paths?</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
If so, a dead destination in such log paths might cause the mentioned issue.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
When flow-control is activated, the corresponding sources will be suspended. This suspended state does not even allow syslog-ng to truly release connections that have been closed by the clients.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
This is actually more of an expected behavior, as we don't want to allow new connections in situations where logs could not be delivered anyway.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
Please check the queued statistic counters of "syslog-ng-ctl stats" to see whether this is the case.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
In case of anything else, I would suspect a bug.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
--</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 11pt; color: rgb(0, 0, 0);">
László Várady<br>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> syslog-ng &lt;syslog-ng-bounces@lists.balabit.hu&gt; on behalf of Evan Rempel &lt;erempel@uvic.ca&gt;<br>
<b>Sent:</b> Thursday, February 17, 2022 19:01<br>
<b>To:</b> syslog-ng@lists.balabit.hu &lt;syslog-ng@lists.balabit.hu&gt;<br>
<b>Subject:</b> [syslog-ng] allowed concurrent connections - bug?</font>
<div> </div>
</div>
<div class="BodyFragment"><font size="2"><span style="font-size:11pt;">
<div class="PlainText">
I am having an issue that is a little difficult to reproduce so I wanted<br>
some input from others.<br>
<br>
I have a syslog-ng 3.35.1 that has a TLS source defined with<br>
max-connections(10000)<br>
<br>
After some time the server starts logging a lot of messages<br>
<br>
syslog-ng[12802]: Number of allowed concurrent connections reached,<br>
rejecting connection; client='AF_INET(XXXX:61062)',<br>
local='AF_INET(YYYY:6514)', group_name='client_network_tcp',<br>
location='/etc/syslog-ng/syslog-ng.server.conf:61:9', max='10000'<br>
<br>
To the best of my ability I can only find about 2500 actual connections.<br>
<br>
Both lsof and netstat report around the 2500 connections.<br>
<br>
I had to restart syslog-ng to stop this situation.<br>
<br>
Has anyone seen this behavior before?<br>
<br>
I get a lot of TLS connections without a certificate.<br>
<br>
Error reading RFC6587 style framed data<br>
<br>
Perhaps the counters are not decremented for those timed out connections?<br>
<br>
--<br>
Evan Rempel<br>
<br>
</div>
</span></font></div>
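<div>Added example, not part of the original messages and not syslog-ng project code: a shell helper for the check suggested in the reply, listing destinations whose queued counter in "syslog-ng-ctl stats" output is non-zero. The function names and sample rows are constructed for illustration, and the column layout SourceName;SourceId;SourceInstance;State;Type;Number is assumed.</div>

```shell
#!/bin/sh
# Added example: find destinations that are holding messages in their queue,
# which is what a dead destination behind flags(flow-control) looks like.

# queued_destinations [threshold]
# Reads `syslog-ng-ctl stats` output on stdin and prints
# "SourceId SourceInstance queued" for every destination row whose
# queued counter is greater than the threshold (default 0).
queued_destinations() {
    awk -F';' -v min="${1:-0}" '
        NR == 1 && $1 == "SourceName" { next }   # skip the header row
        ($1 ~ /^dst\./) && ($5 == "queued") && (($6 + 0) > (min + 0)) {
            printf "%s %s %s\n", $2, $3, $6
        }'
}

# Constructed sample rows, not captured from a real server.
sample_stats() {
    cat <<'EOF'
SourceName;SourceId;SourceInstance;State;Type;Number
src.network;s_tls#0;tcp,0.0.0.0:6514;a;processed;1830412
dst.network;d_archive#0;tcp,192.0.2.10:601;a;queued;10000
dst.network;d_archive#0;tcp,192.0.2.10:601;a;written;512004
dst.file;d_local#0;/var/log/all.log;a;queued;0
dst.file;d_local#0;/var/log/all.log;a;written;1830412
EOF
}

# Live use (needs access to the syslog-ng control socket):
#   syslog-ng-ctl stats | queued_destinations
# Offline demonstration with the constructed rows:
if [ "${1:-}" = "--demo" ]; then
    sample_stats | queued_destinations
fi
```

<div>A destination that stays in this list while its written counter stops increasing is the one to check before looking for a connection-counting bug.</div>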
</body>
</html>