I am using syslog-ng-3.0.4-1.rhel on a CentOS-5.4 system. I am using TLS, and have a setup as below. Here is what happens. It logs fine. However, if I reboot my client that is sending logs, it no longer works until I restart the syslog-ng server. What do I need to do here?

@version: 3.0

options {
    flush_lines (3);
    time_reopen (10);
    log_fifo_size (1000);
    long_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (yes);
    dir_perm (0755);
    keep_hostname (yes);
    ts_format("iso");
};

# TLS-wrapped TCP listener on port 80
source telo {
    tcp(
        port(80)
        tls(
            key_file("/export/tls/key.pem")
            cert_file("/export/tls/cert.pem")
            # a client certificate is not required, and one that fails validation is still accepted
            peer_verify(optional-untrusted)
        )
    );
};

# Myx destinations
destination myx_dest_0000 {
    file("/logs/myx_008161000/$R_YEAR$R_MONTH$R_DAY/$HOST-$R_YEAR$R_MONTH$R_DAY.log"
        owner(root) group(root) perm(0644)
        template("$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC $MSG\n")
        template_escape(no));
};

filter myx_filter_0000 { host("myx_001861000[0-9A-F]\{3\}$"); };

log { source(telo); filter(myx_filter_0000); destination(myx_dest_0000); };
Hi,

Can you show me the output of "syslog-ng -Fevd" on your client after restarting?

(You can find more information about debugging syslog-ng on my blog: http://pzolee.blogs.balabit.com/)

Rory Toma wrote:
> I am using syslog-ng-3.0.4-1.rhel on a CentOS-5.4 system. I am using TLS, and have a setup as below. Here is what happens. It logs fine. However, if I reboot my client that is sending logs, it no longer works until I restart the syslog-ng server. What do I need to do here?
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html
-- pzolee
The problem has been alleviated somewhat by moving to a 64-bit platform. Since these generally have a different set of TCP defaults, there is probably a TCP value (or values) that needs tuning. I do notice on this one that, after I reboot a client, it takes a few minutes for the logs to start flowing, but flow they do.

I can show you the output, but it's quite long.

On 1/22/10 1:26 AM, Zoltán Pallagi wrote:
> Hi,
>
> Can you show me the output of "syslog-ng -Fevd" on your client after restarting?
>
> (You can find more information about debugging syslog-ng on my blog: http://pzolee.blogs.balabit.com/)
Syslog-ng tries to reconnect to the server every 60 seconds by default. Perhaps the first attempt was not successful and you need to wait for the second attempt, so it can take 1-2 minutes. If you reduce "time_reopen()" in your _client's_ configuration, it can be faster.

I also have another theory: if you are using flow control on the client side and the server is a bit overloaded, syslog-ng can stop reading the source (and sending to the server).

Just show a few debug lines after starting syslog-ng on the client and a few lines from the server at the same time (because syslog-ng will send a few log messages about the state of connections, e.g. accepted or closed).

On 2010.01.22. 22:11, Rory Toma wrote:
> The problem has been alleviated somewhat by moving to a 64-bit platform. Since these generally have a different set of TCP defaults, there is probably a TCP value (or values) that needs tuning. I do notice on this one that, after I reboot a client, it takes a few minutes for the logs to start flowing, but flow they do.
>
> I can show you the output, but it's quite long.
-- pzolee
I am not using syslog-ng on the client. I am using rsyslog.

On 1/22/10 2:57 PM, Zoltán Pallagi wrote:
> Syslog-ng tries to reconnect to the server every 60 seconds by default. Perhaps the first attempt was not successful and you need to wait for the second attempt, so it can take 1-2 minutes. If you reduce "time_reopen()" in your _client's_ configuration, it can be faster.
>
> I also have another theory: if you are using flow control on the client side and the server is a bit overloaded, syslog-ng can stop reading the source (and sending to the server).
>
> Just show a few debug lines after starting syslog-ng on the client and a few lines from the server at the same time (because syslog-ng will send a few log messages about the state of connections, e.g. accepted or closed).
OK, then please show the debug logs of the syslog-ng server when you restart rsyslog. You may need to check the debug logs of rsyslog as well (I've never used rsyslog, but you can find more information on the rsyslog webpage: http://www.rsyslog.com/doc-troubleshoot.html).

I would like to help you, but I can't find out the reason for this behavior without any information, so please tell me as much information as possible.

On 2010.01.23. 0:02, Rory Toma wrote:
> I am not using syslog-ng on the client. I am using rsyslog.
-- pzolee
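An added example, not part of the original posts: one way to read the server-side debug output requested above is to pair the "accepted" and "closed" connection-state messages and list connections the server never reported as closed, for instance the one a client held before its reboot. The message wording in the regex and the sample lines are assumptions constructed for illustration; check them against your own "syslog-ng -Fevd" output.

```python
import re
from collections import defaultdict

# Assumed wording of syslog-ng's connection-state messages; verify it
# against your own "syslog-ng -Fevd" output before relying on this pattern.
EVENT_RE = re.compile(
    r"Syslog connection (?P<state>accepted|closed); fd='(?P<fd>\d+)', "
    r"client='AF_INET\((?P<ip>[0-9.]+):(?P<port>\d+)\)'"
)

# Constructed sample (not real output): client 192.0.2.10 reboots without
# closing its first connection, then reconnects from a new source port.
SAMPLE = """\
Syslog connection accepted; fd='12', client='AF_INET(192.0.2.10:40001)', local='AF_INET(0.0.0.0:80)'
Syslog connection accepted; fd='13', client='AF_INET(192.0.2.11:51522)', local='AF_INET(0.0.0.0:80)'
Syslog connection closed; fd='13', client='AF_INET(192.0.2.11:51522)', local='AF_INET(0.0.0.0:80)'
Syslog connection accepted; fd='14', client='AF_INET(192.0.2.10:40777)', local='AF_INET(0.0.0.0:80)'
"""


def open_connections(lines):
    """Return {client_ip: [(port, fd), ...]} for connections accepted but never closed."""
    live = {}  # (ip, port) -> fd of the connection currently believed open
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # unrelated debug output
        key = (m["ip"], int(m["port"]))
        if m["state"] == "accepted":
            live[key] = int(m["fd"])
        else:
            live.pop(key, None)  # a close for a connection we never saw is ignored
    by_client = defaultdict(list)
    for (ip, port), fd in sorted(live.items()):
        by_client[ip].append((port, fd))
    return dict(by_client)


def suspect_clients(lines):
    """Clients with more than one open connection: the older ones were never closed."""
    return {ip: conns for ip, conns in open_connections(lines).items() if len(conns) > 1}


if __name__ == "__main__":
    for ip, conns in suspect_clients(SAMPLE.splitlines()).items():
        print(ip, "open connections (port, fd):", conns)
```
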
I'll do my best to get both ends; the client is on read-only flash, so it makes that end difficult.

But, as a general question, it has no problem handling the load if it is straight UDP. So I imagine this is an issue with either encryption or, most likely, TCP. Do you have good pointers on the various syslog tuning params for TCP?

thx

On 1/23/10 1:17 AM, Zoltán Pallagi wrote:
> OK, then please show the debug logs of the syslog-ng server when you restart rsyslog. You may need to check the debug logs of rsyslog as well (I've never used rsyslog, but you can find more information on the rsyslog webpage: http://www.rsyslog.com/doc-troubleshoot.html).
>
> I would like to help you, but I can't find out the reason for this behavior without any information, so please tell me as much information as possible.
participants (2)
- Rory Toma
- Zoltán Pallagi