Hi Andy,

Thank you for the detailed report. This seems to be a syslog-ng bug, we'll try to reproduce the problem internally and correct it. We'll keep you posted.

Regards,
Robert

On 03/17/2011 05:17 PM, Andy Ruch wrote:
Hello,
I was evaluating syslog-ng and have come across a strange problem. When connecting to syslog-ng using the 'syslog' source, syslog-ng will return a TCP Reset at random intervals. The interesting thing about this error is it only seems to appear when the message length varies between logs. After some experimenting, I was able to reproduce the error using loggen to send logs from a file. However, when loggen generates its own fixed length messages, syslog-ng will receive everything properly.
I'm concerned about the reliability of syslog-ng. I don’t want it to close the connection if it gets overloaded. I know that I can add some options to improve performance, but that seems like a patch and not a fix. I would think syslog-ng would utilize TCP flow control to prevent the sender from sending too fast.
Am I doing something wrong? Does this look like a bug or have I just reached the max performance of syslog-ng? Any help is appreciated.
Below I’ve included some information about the commands that I was running as well as my system setup.
Thanks, Andy
***** Details *****
- Two machine setup (one sender and one receiver)
- Receiver is using an evaluation copy of Syslog-PE-4.0.1a (but I first saw this issue using open source version 3.2.2)
- CentOS 5.5
***** Send Command *****
This is the console output that I receive from loggen. As you can see, the failure did not happen every time. In this particular case, it was the second execution that failed. I normally just run it back to back until it fails.
$ ./loggen -P -r 40000 -R /tmp/syslog_10-40 10.64.27.38 6514
average rate = 16503.22 msg/sec, count=50000, time=3.297, (last) msg size=112, bandwidth=1627.75 kB/sec
$ ./loggen -P -r 40000 -R /tmp/syslog_10-40 10.64.27.38 6514
Send error Connection reset by peer5 msg/sec
average rate = 15483.69 msg/sec, count=15435, time=0.9968, (last) msg size=114, bandwidth=1527.27 kB/sec
***** Send File *****
The following pattern was put into a file and repeated for a total of 50,000 lines. I tried to attach the complete file but it was too large for this mailing list.
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
***** Syslog-ng.conf *****
@version: 4.0
options { };
######
# sources
source s_local {
    # message generated by Syslog-NG
    internal();
    # standard Linux log source (this is the default place for the syslog()
    # function to send logs to)
    unix-stream("/dev/log");
    # messages from the kernel
    file("/proc/kmsg" program_override("kernel"));
};

source s_net {
    syslog(
        ip(0.0.0.0)
        transport("tcp")
        port(6514)
    );
};

######
# destinations
destination d_messages {
    file("/var/log/messages");
};

destination d_tmp_file {
    file("/tmp/log_messages");
};

######
# paths
log {
    source(s_local);
    destination(d_messages);
};

log {
    source(s_net);
    destination(d_tmp_file);
    flags(flow-control);
};
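Added example, not part of the original thread and not code from syslog-ng or loggen: the test file could not be attached to the report, so this shell sketch rebuilds it from the description (payload growing from 10 to 40 'x' characters, repeated up to 50,000 lines) and checks that the lengths really vary before the file is replayed. The function names are hypothetical, and cutting the last cycle off at the requested line count is an assumption.

```shell
#!/bin/sh
# Added example: rebuild the variable-length test file described in the report.
# Function names are hypothetical; the header is copied from the sample lines.

HEADER='Mar 16 10:35:28 guinness syslog-tester[proc-1234]: '

# gen_syslog_pattern TOTAL_LINES [MIN_LEN] [MAX_LEN]
# Writes TOTAL_LINES messages to stdout. The payload grows by one 'x' per
# line from MIN_LEN to MAX_LEN (default 10..40), then the cycle restarts.
# Assumption: the final cycle is simply cut off at TOTAL_LINES.
gen_syslog_pattern() {
    awk -v total="$1" -v min="${2:-10}" -v max="${3:-40}" -v hdr="$HEADER" '
        BEGIN {
            len = min
            for (i = 0; i < total; i++) {
                # Build a string of len spaces, then turn it into x characters.
                payload = sprintf("%" len "s", "")
                gsub(/ /, "x", payload)
                print hdr payload
                len = (len < max) ? len + 1 : min
            }
        }'
}

# payload_range FILE
# Prints "<lines> <shortest payload> <longest payload>" so the file can be
# confirmed to mix message lengths, the condition the report ties to the reset.
payload_range() {
    awk -v hl="${#HEADER}" '
        {
            n = length($0) - hl
            if (NR == 1 || n < lo) lo = n
            if (NR == 1 || n > hi) hi = n
        }
        END { print NR, lo, hi }' "$1"
}

# Usage, with the file name from the report:
#   gen_syslog_pattern 50000 > /tmp/syslog_10-40
#   payload_range /tmp/syslog_10-40
```

Setting MIN_LEN equal to MAX_LEN produces a fixed-length control file for comparison with the variable-length run.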