Henry, You may have considered most of this, but it doesn't hurt to ask-- Is there anything else that's weird with comparing: * `ls -l /proc/<syslog-ng-pid>/fd` * `lsof -c syslog-ng` * `ps -eaf` * `netstat -an` ---------------------------- Also, do you have: * Iptables running * NFS storage? On Wed, 30 Mar 2005 09:59:41 +0200, Balazs Scheidler <bazsi@balabit.hu> wrote:
On Wed, 2005-03-30 at 09:51 +0200, Balazs Scheidler wrote:
On Tue, 2005-03-29 at 13:08 -0500, henry@shoelacecity.com wrote:
My syslog-ng.conf specifies only 4 real log file to write to, and one pipe(for mysql writing), and two UDP destinations (spoof enabled).
CPU utilization on the machine is less than 5%, and there's plenty of free memory.
Hmmm it is strange, you most certainly have an fd leak, even though the libnet context (ie. the raw socket) is initialized at destination initialization time and destroyed at deinitialization time, seemingly properly.
This is only done on initialization and configuration file reload. Are you HUP-ing syslog-ng very often? I can't see how so many raw sockets accumulated, assuming that one fd is leaked for each HUP.
Hmm.. I've now tried to reproduce the problem but without success, I created a spoof-source enabled UDP destination, sent a couple of messages then sent a HUP to syslog-ng, again a couple of messages, HUP and so on a couple of times.
The end result was that I had a single raw socket opened. I'm still curious how many times you HUP syslog-ng in one week to have so many raw sockets accumulated.
Either there's a problem in your libnet library, or something triggers a reinit within syslog-ng without tearing down the previous instance. But I can't reproduce that here.
Another related question is that I see this in your logs that you sent:
syslog-ng[15710]: STATS: dropped 12828 syslog-ng[15710]: Error initializing raw socket, spoof- source support disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open files) syslog-ng[15710]: Error initializing raw socket, spoof- source support disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open files) syslog-ng[15710]: Error initializing raw socket, spoof- source support disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open files)
Can you add the timestamps for these, just to see the interval between those?
-- Bazsi
_______________________________________________ syslog-ng maillist - syslog-ng@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/syslog-ng Frequently asked questions at http://www.campin.net/syslog-ng/faq.html