Balazs,

It appears the patch is working. I've been running for over an hour with no signs of "file handle leaks". Thank you so much for the support.

And Dave, I followed your suggestions and upgraded the kernel as well (after I verified the patches worked).

For anyone else searching this list, here are the patches Balazs supplied that fixed my various problems:

Fixed memory leak:
-----------------------------------------------------------------------------------------------------------------------------
diff -u -r1.25.4.6 afinet.c --- afinet.c 5 Aug 2004 11:35:12 -0000 1.25.4.6 +++ afinet.c 28 Feb 2005 19:17:30 -0000 @@ -653,6 +653,7 @@ if (libnet_write(self->lnet_ctx) < 0) { werror("Error sending raw frame, error: %z", libnet_geterror(self->lnet_ctx)); } + ol_string_free(msg_line); } else { fallback_socket:
--

Fixed intel/sparc endian issue for ports !=514:
-----------------------------------------------------------------------------------------------------------------------------
diff -u -r1.25.4.6 afinet.c --- afinet.c 5 Aug 2004 11:35:12 -0000 1.25.4.6 +++ afinet.c 3 Mar 2005 12:26:47 -0000 @@ -617,11 +617,10 @@ ADDRESS2SOCKADDR(msg->saddr, sizeof(src_addr), (struct sockaddr *) &src_addr); ADDRESS2SOCKADDR(self->super.dest_addr, sizeof(dst_addr), (struct sockaddr *) &dst_addr); - libnet_clear_packet(self->lnet_ctx); - udp = libnet_build_udp(src_addr.sin_port, - dst_addr.sin_port, + udp = libnet_build_udp(ntohs(src_addr.sin_port), + ntohs(dst_addr.sin_port), LIBNET_UDP_H + msg_line->length, 0, msg_line->data,

Fixed "File handle leak" with UDP spoof:
-----------------------------------------------------------------------------------------------------------------------------
diff -u -r1.25.4.7 afinet.c --- afinet.c 4 Mar 2005 16:06:38 -0000 1.25.4.7 +++ afinet.c 8 Apr 2005 09:00:15 -0000 
@@ -520,7 +520,7 @@ !!(self->super.flags & AFSOCKET_DGRAM)); } #if ENABLE_SPOOF_SOURCE - if (self->spoof_source) { + if (self->spoof_source && !self->lnet_ctx) { UINT8 error[LIBNET_ERRBUF_SIZE]; self->lnet_ctx = libnet_init(LIBNET_RAW4, NULL, error); if (!self->lnet_ctx) {

Balazs Scheidler <bazsi@balabit.hu>
Sent by: syslog-ng-admin@lists.balabit.hu
04/08/2005 05:03 AM
Please respond to syslog-ng@lists.balabit.hu
To syslog-ng@lists.balabit.hu
cc
Subject Re: [syslog-ng]Syslog-ng 1.6.6 Redhat ES 3.0 - too many open files

On Thu, 2005-04-07 at 10:01 -0400, henry@shoelacecity.com wrote:
> Any further ideas on fixing/debugging this?
As I see there is some reason which causes syslog-ng to reinit its destination (maybe an ICMP port unreachable error returned by the server?). Although that should be visible from the logs ("error connecting to remote host", or "connection broken to ...")

Anyway, syslog-ng should not leak the libnet context in this case and it does, can you check whether this patch works for you?

diff -u -r1.25.4.7 afinet.c --- afinet.c 4 Mar 2005 16:06:38 -0000 1.25.4.7 +++ afinet.c 8 Apr 2005 09:00:15 -0000 @@ -520,7 +520,7 @@ !!(self->super.flags & AFSOCKET_DGRAM)); } #if ENABLE_SPOOF_SOURCE - if (self->spoof_source) { + if (self->spoof_source && !self->lnet_ctx) { UINT8 error[LIBNET_ERRBUF_SIZE]; self->lnet_ctx = libnet_init(LIBNET_RAW4, NULL, error); if (!self->lnet_ctx) {

Please remember touching afinet.c.x after applying this patch if you don't have scsh installed, then rebuild.

--
Bazsi

_______________________________________________
syslog-ng maillist - syslog-ng@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/syslog-ng
Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
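
Review bot: in the memory-leak hunk (@@ -653,6 +653,7 @@), the added ol_string_free(msg_line) runs only at the end of the libnet branch, after libnet_write(). The fallback_socket: label visible in the else branch suggests the spoof path can jump away earlier, and any such jump taken once msg_line has been built would skip this free. Please confirm that every exit from the branch releases msg_line exactly once, or move the free to a single cleanup point that both paths reach.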
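
Review bot: in the endian hunk (@@ -617,11 +617,10 @@), the removal of libnet_clear_packet(self->lnet_ctx) is not covered by the stated purpose of the change, which is the port byte-order fix. Since self->lnet_ctx is reused for every message, please say where previously built blocks are cleared now, or split the removal into its own change with its own explanation. The ntohs() calls deserve a one-line comment that sin_port is in network byte order while libnet_build_udp() expects host order; 514 is 0x0202, which reads the same in either byte order, so the default port would not have exposed the problem.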
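
Review bot: in the UDP spoof hunk (@@ -520,7 +520,7 @@), the new !self->lnet_ctx guard is only correct if lnet_ctx is NULL before the first init and is reset to NULL wherever the context is released; otherwise a later reinit would skip libnet_init() and keep using a stale handle. Please confirm the teardown path clears self->lnet_ctx after destroying it, and add a short comment at this condition saying the libnet context is deliberately kept across destination reinits.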