Error connecting to log server
I have a set of Mandrake 9.0 boxes all running the latest version of syslog-ng (1.5.24). I have a centralized log server that is receiving logs from a variety of udp and tcp (syslog-ng) sources. All but one of the devices is able to log to the log server. The error that I get from that one server is:

Error connecting to remote host AF_INET(10.1.1.1:5100), reattempting in 10 seconds

Now I know that packet is getting there because I can look at an ACL from a router that sits between them:

Dec 21 22:25:16 router1/router1 1553: Dec 21 22:28:09.816 pst: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.1.1(32830) (FastEthernet1/0 0030.4841.12a4) -> 10.2.1.1(5100), 1 packet

This same log server is also successfully receiving tcp logs from other syslog-ng servers without a problem and one of these is on the same subnet as the one that is having the problem connecting.

The interesting thing is that even with using 514/udp the traffic does not seem to get to the log server. If I revert back to the standard syslog daemon, life is well again.

Richard
On Sat, Dec 21, 2002 at 10:43:37PM -0800, Richard E. Perlotto II wrote:
> I have a set of Mandrake 9.0 boxes all running the latest version of syslog-ng (1.5.24). I have a centralized log server that is receiving logs from a variety of udp and tcp (syslog-ng) sources. All but one of the devices is able to log to the log server. The error that I get from that one server is:
>
> Error connecting to remote host AF_INET(10.1.1.1:5100), reattempting in 10 seconds
>
> Now I know that packet is getting there because I can look at an ACL from a router that sits between them:
>
> Dec 21 22:25:16 router1/router1 1553: Dec 21 22:28:09.816 pst: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.1.1(32830) (FastEthernet1/0 0030.4841.12a4) -> 10.2.1.1(5100), 1 packet
>
> This same log server is also successfully receiving tcp logs from other syslog-ng servers without a problem and one of these is on the same subnet as the one that is having the problem connecting.
I'd think it is some kind of TCP problem, try tcpdumping the traffic on your syslog host (either the client or the server). ECN might be blocked for instance.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
In the end you are once again correct. While the packets were getting to the log server, the SYN/ACK communication was not being correctly negotiated for the complete two-way handshake.

Sorry for the loss of bandwidth... :)

Richard
-----Original Message-----
From: syslog-ng-admin@lists.balabit.hu [mailto:syslog-ng-admin@lists.balabit.hu] On Behalf Of Balazs Scheidler
Sent: Sunday, December 22, 2002 9:40 AM
To: syslog-ng@lists.balabit.hu
Subject: Re: [syslog-ng]Error connecting to log server
On Sat, Dec 21, 2002 at 10:43:37PM -0800, Richard E. Perlotto II wrote:
> I have a set of Mandrake 9.0 boxes all running the latest version of syslog-ng (1.5.24). I have a centralized log server that is receiving logs from a variety of udp and tcp (syslog-ng) sources. All but one of the devices is able to log to the log server. The error that I get from that one server is:
>
> Error connecting to remote host AF_INET(10.1.1.1:5100), reattempting in 10 seconds
>
> Now I know that packet is getting there because I can look at an ACL from a router that sits between them:
>
> Dec 21 22:25:16 router1/router1 1553: Dec 21 22:28:09.816 pst: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 10.1.1.1(32830) (FastEthernet1/0 0030.4841.12a4) -> 10.2.1.1(5100), 1 packet
>
> This same log server is also successfully receiving tcp logs from other syslog-ng servers without a problem and one of these is on the same subnet as the one that is having the problem connecting.
I'd think it is some kind of TCP problem, try tcpdumping the traffic on your syslog host (either the client or the server). ECN might be blocked for instance.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
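The diagnosis reached in this exchange (packets arrive at the log server, but the handshake never completes) can be read directly from a capture; the following is an added example, not part of the original messages. It classifies each TCP handshake in `tcpdump -n` text output; the sample lines are constructed, reuse the addresses from the ACL entry, and 10.1.1.7 is a made-up healthy client for contrast.

```python
import re

# Constructed `tcpdump -n` lines as they might look on the log server (not from the thread).
SAMPLE = """\
22:28:09.816 IP 10.1.1.1.32830 > 10.2.1.1.5100: Flags [SEW], seq 100, win 5840, length 0
22:28:09.817 IP 10.2.1.1.5100 > 10.1.1.1.32830: Flags [S.], seq 900, ack 101, win 5792, length 0
22:28:12.816 IP 10.1.1.1.32830 > 10.2.1.1.5100: Flags [SEW], seq 100, win 5840, length 0
22:28:12.817 IP 10.2.1.1.5100 > 10.1.1.1.32830: Flags [S.], seq 900, ack 101, win 5792, length 0
22:30:01.100 IP 10.1.1.7.40112 > 10.2.1.1.5100: Flags [S], seq 500, win 5840, length 0
22:30:01.101 IP 10.2.1.1.5100 > 10.1.1.7.40112: Flags [S.], seq 700, ack 501, win 5792, length 0
22:30:01.102 IP 10.1.1.7.40112 > 10.2.1.1.5100: Flags [.], ack 701, win 5840, length 0
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Za-z.]+)\]")

def handshakes(capture):
    """Return {(client, cport, server, sport): state} for every initial SYN seen."""
    flows = {}
    for m in LINE.finditer(capture):
        src, sport, dst, dport, flags = m.groups()
        a, b = (src, int(sport)), (dst, int(dport))
        if "S" in flags and "." not in flags:        # initial SYN, client -> server
            f = flows.setdefault(a + b, dict(syn=0, synack=0, ack=False, rst=False, ecn=False))
            f["syn"] += 1                            # >1 means the client is retransmitting
            f["ecn"] |= "E" in flags and "W" in flags  # ECN-setup SYN (ECE + CWR)
        elif b + a in flows:                         # packet from the server side
            f = flows[b + a]
            f["synack"] += "S" in flags
            f["rst"] |= "R" in flags
        elif a + b in flows and "." in flags and flows[a + b]["synack"]:
            flows[a + b]["ack"] = True               # client's final ACK: handshake done
    return flows

def verdict(f):
    if f["ack"]:
        return "established"
    if f["rst"]:
        return "refused"
    if f["synack"]:
        return "synack-not-acknowledged"   # server answered; its reply is not reaching the client
    return "syn-unanswered"                # no reply visible at this capture point

def summarize(capture):
    return [(k, verdict(f), f["syn"], f["ecn"]) for k, f in handshakes(capture).items()]

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Run against a capture taken on the server, a `synack-not-acknowledged` flow with a SYN count above one points at the return path rather than at syslog-ng itself.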
While it took me a little while to get used to the differences, I have been pretty impressed with your product of syslog-ng. My question for you is how do others get involved seeing what will be planned for future releases, and help test some of those concepts. I can think of several things that would make your tool more useful, but do not know what may already be planned for 1.6+.

I am very interested in where this product is going, and the direction of your development.

Richard
hi,

On Sun, Dec 22, 2002 at 07:32:40PM -0800, Richard E. Perlotto II wrote:
> While it took me a little while to get used to the differences, I have been pretty impressed with your product of syslog-ng. My question for you is how do others get involved seeing what will be planned for future releases, and help test some of those concepts. I can think of several things that would make your tool more useful, but do not know what may already be planned for 1.6+.
>
> I am very interested in where this product is going, and the direction of your development.
syslog-ng 1.6 will be released real soon now, in fact 1.5.24 could have been called 1.6.0rc1. Still to be done until 1.6.0 is released or during the 1.6.x releases:

* OpenBSD kernel logging problem should be fixed
* MacOS X compatibility problems
* configure script testing on different platforms

The 2.0 branch of syslog-ng is completely rewritten, it is now based on glib 2.0, so the compilation problems with scsh will be gone.

--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1