Unfortunately I no longer have the tcpdump since we only keep them for 2 or 3 days. Ever since I increased the parameters the problem has stopped happening. I will have to recreate this again in the test environment to get a new tcpdump. However, because increasing the size stopped the problem, I do not think it is a problem with EOF.
From: bazsi@balabit.hu
To: syslog-ng@lists.balabit.hu
Date: Thu, 14 Jan 2010 10:12:40 +0100
Subject: Re: [syslog-ng] Broken TCP connection
On Mon, 2010-01-11 at 14:49 -0600, James Pirman wrote:
pzolee,
The client happens to be a custom application, so I don't have a client config, and flow control doesn't really apply on the client side. I was able to set up a test environment and recreated the problem. The message immediately before the disconnect message is the following:
<47>1 2010-01-11T14:36:40.239-06:00 server-04 syslog-ng 30082 - [meta sequenceId="122761"] debug Destination queue full, dropping message; queue_len='1000', mem_fifo_size='1000'
I am guessing if I don't have flow control on the client side that I need to play with the numbers to ensure that none of the buffers ever get filled up. Is this correct?
That message alone should not cause syslog-ng to initiate a disconnect. Do you have TLS enabled?
The only reasons syslog-ng disconnects are:
* either some kind of protocol format issue
* or an EOF on the client side
Protocol errors are logged. The exact reasons with messages follow:
msg_error("Error reading frame header",
          evt_tag_int("fd", self->super.transport->fd),
          evt_tag_errno("error", errno),
          NULL);

msg_error("Invalid frame header",
          evt_tag_printf("header", "%.*s", (gint) (i - self->buffer_pos), &self->buffer[self->buffer_pos]),
          NULL);

msg_error("Incoming frame larger than log_msg_size()",
          evt_tag_int("log_msg_size", self->buffer_size - LPFS_FRAME_BUFFER),
          evt_tag_int("frame_length", self->frame_len),
          NULL);
As I see with the syslog() protocol, EOFs are not logged, only with the traditional protocol. I've added this log message with this patch to OSE 3.1, but you should be able to apply it to 3.0 as well.
commit bbc248bc8a577a299036d2ab6898d72f657fc7a0
Author: Balazs Scheidler <bazsi@balabit.hu>
Date: Thu Jan 14 10:11:33 2010 +0100
logproto: added log message about EOF in the new style syslog protocol handler
Are you sure that it wasn't the client which sent a FIN packet in the first place? Can you show at least the end of tcpdump -rn <pcap file>?
-- Bazsi
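Added example, not part of the original thread and not syslog-ng's own code: a minimal C parser for octet-counted syslog framing ("MSG-LEN SP MSG") that tells apart the disconnect causes listed above (invalid frame header, frame larger than the size limit, EOF from the client) from a frame that is merely incomplete. The function name, status names, the 9-digit header cap and the 8192-byte limit are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* All names and limits here are hypothetical, chosen for this example. */
#define MAX_HEADER_DIGITS 9   /* assumed cap on the length prefix */

enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_EOF,
                    FRAME_INVALID_HEADER, FRAME_TOO_LARGE };

/* Parse one "MSG-LEN SP MSG" frame from buf[0..len).
 * eof is non-zero once the peer has closed the connection. */
enum frame_status parse_frame(const char *buf, size_t len, int eof,
                              size_t max_msg, size_t *off, size_t *msg_len)
{
    size_t i = 0, n = 0;

    while (i < len && isdigit((unsigned char) buf[i])) {
        if (i == MAX_HEADER_DIGITS)
            return FRAME_INVALID_HEADER;      /* prefix never terminates */
        n = n * 10 + (size_t) (buf[i++] - '0');
    }
    if (i == len)                             /* no terminator seen yet */
        return eof ? FRAME_EOF : FRAME_NEED_MORE;
    if (i == 0 || buf[i] != ' ')
        return FRAME_INVALID_HEADER;          /* e.g. unframed "<47>1 ..." */
    if (n > max_msg)
        return FRAME_TOO_LARGE;               /* reject before buffering */
    if (len - (i + 1) < n)                    /* body still incomplete */
        return eof ? FRAME_EOF : FRAME_NEED_MORE;
    *off = i + 1;
    *msg_len = n;
    return FRAME_OK;
}

int main(void)
{
    /* Constructed inputs, not captured traffic. */
    const char *in[] = { "5 hello", "<47>1 unframed", "99999 x", "5 he", "" };
    static const char *name[] = { "ok", "need more data", "EOF from peer",
                                  "invalid frame header", "frame too large" };
    for (size_t k = 0; k < sizeof in / sizeof in[0]; k++) {
        size_t off = 0, mlen = 0;
        int eof = (in[k][0] == '\0');         /* last sample models a FIN */
        printf("%-16s -> %s\n", in[k],
               name[parse_frame(in[k], strlen(in[k]), eof, 8192, &off, &mlen)]);
    }
    return 0;
}
```

A receiver that logs each non-OK status separately, including EOF, makes it possible to tell from the server log alone which side ended the connection.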