I started seeing this kind of behaviour on my syslog-ng clients when I updated my syslog-ng server to 2.0.4 and tracked it down to the newly added support of TCPWrappers. There was no clue on the client machines since the rejection occurred on the syslog-ng server. Just adding my $0.02 so that nothing was overlooked.

Evan.

Tim Boyer wrote:
On Tue, 2007-06-26 at 10:45 -0400, Tim Boyer wrote:
I'm running 2.0.0, and have eight remote servers logging to a central server. Seven of those servers are running fine; the eighth keeps getting log messages like this:

Jun 26 10:41:33 kyushu.denmantire.com syslog-ng[6829]: syslog-ng starting up; version='2.0.0'
Jun 26 10:41:33 kyushu.denmantire.com syslog-ng: syslog-ng startup succeeded
Jun 26 10:41:33 kyushu.denmantire.com syslog-ng[6829]: EOF occurred while idle;fd='5'
Jun 26 10:41:33 kyushu.denmantire.com syslog-ng[6829]: Connection broken; time_reopen='60'

My first assumption was a firewall problem, but tcpdump says that data's getting there:

10:42:49.013423 IP kyushu-vpn-cli.denmantire.com.37759 > buran.denmantire.com.5142: S 1168830611:1168830611(0) win 5840 <mss 1460,sackOK,timestamp 316509070 0,nop,wscale 2>
10:42:49.014768 IP buran.denmantire.com.5142 > kyushu-vpn-cli.denmantire.com.37759: S 845996771:845996771(0) ack 1168830612 win 5792 <mss 1460,sackOK,timestamp 39334539 316509070,nop,wscale 7>

Any ideas what could be causing the connection to drop - but only on this server?

The "EOF occurred while idle" message means that syslog-ng sensed incoming data on a simplex channel; this should only happen if the remote end is closing the channel.
Please start tcpdump on the given connection and check what kind of packets go through when the connection is broken.
You should see a FIN packet or a packet that has a data payload. This should never happen.
-- Bazsi
Not seeing it:
[root@buran tmp]# tcpdump port 5142
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
19:15:46.504529 IP kyushu-vpn-cli.denmantire.com.38378 > buran.denmantire.com.5142: S 3593561021:3593561021(0) win 5840 <mss 1460,sackOK,timestamp 347293143 0,nop,wscale 2>
19:15:46.506014 IP buran.denmantire.com.5142 > kyushu-vpn-cli.denmantire.com.38378: S 3279541618:3279541618(0) ack 3593561022 win 5792 <mss 1460,sackOK,timestamp 47028610 347293143,nop,wscale 7>
19:15:46.720099 IP kyushu-vpn-cli.denmantire.com.38378 > buran.denmantire.com.5142: . ack 1 win 1460 <nop,nop,timestamp 347293280 47028610>
19:15:46.720119 IP kyushu-vpn-cli.denmantire.com.38378 > buran.denmantire.com.5142: P 1:101(100) ack 1 win 1460 <nop,nop,timestamp 347293280 47028610>
19:15:46.720128 IP buran.denmantire.com.5142 > kyushu-vpn-cli.denmantire.com.38378: . ack 101 win 46 <nop,nop,timestamp 47028664 347293280>
19:15:46.720505 IP buran.denmantire.com.5142 > kyushu-vpn-cli.denmantire.com.38378: R 1:1(0) ack 101 win 46 <nop,nop,timestamp 47028664 347293280>
19:15:46.785157 IP kyushu-vpn-cli.denmantire.com.38378 > buran.denmantire.com.5142: P 101:183(82) ack 1 win 1460 <nop,nop,timestamp 347293422 47028664>
19:15:46.785204 IP buran.denmantire.com.5142 > kyushu-vpn-cli.denmantire.com.38378: R 3279541619:3279541619(0) win 0

Jun 26 19:15:46 kyushu.denmantire.com syslog-ng: syslog-ng startup succeeded
Jun 26 19:15:46 kyushu.denmantire.com syslog-ng[20057]: EOF occurred while idle; fd='5'
Jun 26 19:15:46 kyushu.denmantire.com syslog-ng[20057]: Connection broken; time_reopen='60'
-- tim --
_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
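
Added example, not part of the original thread: a small Python helper that reads tcpdump text output in the format quoted above and reports which side sent the first FIN or RST, which tells you whether to look at the client or at the server (its logs and access controls such as TCP wrappers). The function name, the sample host names and the sample capture are constructed for illustration; it assumes the listener port is printed numerically.

```python
import re

# Constructed sample in the same tcpdump text format as the capture in the thread.
SAMPLE = """\
19:15:46.504529 IP client.example.38378 > server.example.5142: S 100:100(0) win 5840
19:15:46.506014 IP server.example.5142 > client.example.38378: S 900:900(0) ack 101 win 5792
19:15:46.720119 IP client.example.38378 > server.example.5142: P 1:101(100) ack 1 win 1460
19:15:46.720505 IP server.example.5142 > client.example.38378: R 1:1(0) ack 101 win 46
"""

# timestamp, "IP", src host.port, dst host.port, flag letters, optional seq range with length
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPRWE.]+)(?: \d+:\d+\((?P<len>\d+)\))?"
)


def first_teardown(capture, server_port):
    """Return who sent the first FIN or RST and the payload bytes seen before it."""
    sent = {"client": 0, "server": 0}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # tcpdump banner lines or anything else that is not a packet
        # tcpdump prints host.port; the side whose source port is the
        # listener port is the server.
        is_server = m["src"].rsplit(".", 1)[-1] == str(server_port)
        side = "server" if is_server else "client"
        flags = m["flags"]
        if "R" in flags or "F" in flags:
            return {
                "side": side,
                "kind": "RST" if "R" in flags else "FIN",
                "time": m["ts"],
                "payload_before": dict(sent),
            }
        sent[side] += int(m["len"] or 0)
    return None  # no teardown packet in this capture


if __name__ == "__main__":
    print(first_teardown(SAMPLE, 5142))
```

A result with `side` set to `server` and no server payload before it means the listener dropped the connection without sending anything, so the cause has to be found on the server.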