Syslog-ng 3.2 connection timeout with firewall
Hi,

I have two syslog-ng 3.2, one client and one server. The two are separated by a firewall and a load balancer. I noticed that after some inactivity I was not able to receive logs from my client. So I started some tcpdump on both servers to check the traffic. From what I see the firewall will close the connection after some time, so when the client sends traffic it gets dropped.

I added the keep-alive(yes) and so_keep-alive(yes) and the mark_freq(60) to the configs. But I still do not see keepalive packets with tcpdump.

Am I missing other parameters to have "keepalive" traffic sent ?

Thank you in advance.

#############################################################################
#
# Configuration file syslog-ng.conf.client
#
@version: 3.2
@include "scl.conf"
# add global settings
options {
    # Disable DNS usage to gain the process time
    use_dns(no);
    flush_lines(1);
    flush_timeout(500);
    mark(59);
};
source s_TCP {
    tcp( port(555)
        flags(no-parse)
    );
};
source s_syslogng {
    internal();
};
destination d_syslogng {
    file("/opt/syslog-ng/logs/$YEAR$MONTH$DAY.syslog-ng.log");
};
destination d_TCP {
    tcp ( "server1" port(556)
        keep-alive(yes)
        so_keepalive(yes)
        flags(no_multi_line)
        flush_lines(1)
        flush_timeout(500)
        log_fifo_size(4096)
        template("$MSG\n")
        template_escape(no)
    );
};
....

#############################################################################
#
# Configuration file syslog-ng.conf.server
#
@version: 3.2
@include "scl.conf"
# add global settings
options {
    # Disable DNS usage to gain the process time
    use_dns(no);
    flush_lines(1);
    flush_timeout(500);
    mark(59);
};
source s_TCP_555 {
    tcp( port(555)
        flags(no-parse)
        max-connections(200)
        use_dns(no)
    );
};
source s_TCP_556 {
    tcp( port(556)
        flags(no-parse)
        so_keepalive(yes)
        use_dns(no)
    );
};
source s_syslogng {
    internal();
};
destination d_syslogng {
    file("/opt/syslog-ng/logs/$YEAR$MONTH$DAY.syslog-ng.log");
};
destination d_local {
    file("/opt2/syslog-ng/logs/$YEAR$MONTH$DAY.TNT.Messages.log"
        log_fifo_size(8192)
        template("$MSG\n")
        template_escape(no)
    );
};
...

On Tue, 2012-01-03 at 17:46 -0500, André Larose wrote:
Hi,
I have two syslog-ng 3.2, one client and one server. The two are separated by a firewall and a load balancer. I noticed that after some inactivity I was not able to receive logs from my client. So I started some tcpdump on both servers to check the traffic. From what I see the firewall will close the connection after some time, so when the client sends traffic it gets dropped.
I added the keep-alive(yes) and so_keep-alive(yes) and the mark_freq(60) to the configs. But I still do not see keepalive packets with tcpdump.
keep-alive(yes) is irrelevant, should probably be removed as an option, it only directs syslog-ng to keep the connection open (or not) across a reload. so-keep-alive(yes) should enable TCP keepalive packets, the interval these are sent is controlled by your host OS. See tcp(7) manual page for more information. mark-freq(59) should have generated a MARK message every 59 seconds. Can't you see that these messages are generated?
I've just tried and it worked with my 3.2 tree. What is your exact version number within 3.2?
Am I missing other parameters to have “keepalive” traffic sent ?
Thank you in advance.
#############################################################################
#
# Configuration file syslog-ng.conf.client
#
@version: 3.2
@include "scl.conf"
# add global settings
options {
# Disable DNS usage to gain the process time
use_dns(no);
flush_lines(1);
flush_timeout(500);
mark(59);
};
source s_TCP {
tcp( port(555)
flags(no-parse)
);
};
source s_syslogng {
internal();
};
destination d_syslogng {
file("/opt/syslog-ng/logs/$YEAR$MONTH$DAY.syslog-ng.log");
};
destination d_TCP {
tcp ( "server1" port(556)
keep-alive(yes)
so_keepalive(yes)
flags(no_multi_line)
flush_lines(1)
flush_timeout(500)
log_fifo_size(4096)
template("$MSG\n")
template_escape(no)
);
};
….
#############################################################################
#
# Configuration file syslog-ng.conf.server
#
@version: 3.2
@include "scl.conf"
# add global settings
options {
# Disable DNS usage to gain the process time
use_dns(no);
flush_lines(1);
flush_timeout(500);
mark(59);
};
source s_TCP_555 {
tcp( port(555)
flags(no-parse)
max-connections(200)
use_dns(no)
);
};
source s_TCP_556 {
tcp( port(556)
flags(no-parse)
so_keepalive(yes)
use_dns(no)
);
};
source s_syslogng {
internal();
};
destination d_syslogng {
file("/opt/syslog-ng/logs/$YEAR$MONTH$DAY.syslog-ng.log");
};
destination d_local {
file("/opt2/syslog-ng/logs/$YEAR$MONTH$DAY.TNT.Messages.log"
log_fifo_size(8192)
template("$MSG\n")
template_escape(no)
);
};
…
-- Bazsi
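
Added example, not part of either message above: the reply says the keepalive interval is set by the host OS (tcp(7)). This Python sketch, assuming a Linux host, enables SO_KEEPALIVE on a fresh socket, reads back the timers the kernel will apply, and compares them with a firewall idle timeout. The 3600-second timeout is an assumed value; the thread does not state the firewall's setting.

```python
import socket


def effective_keepalive(sock):
    """Return the keepalive timers the kernel will use for this socket (Linux)."""
    return {
        "enabled": bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)),
        # Seconds of idle time before the first probe (sysctl tcp_keepalive_time).
        "idle": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        # Seconds between unanswered probes (sysctl tcp_keepalive_intvl).
        "interval": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        # Unanswered probes before the connection is dropped (tcp_keepalive_probes).
        "probes": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


def assess(idle, interval, probes, firewall_idle_timeout):
    """Compare keepalive timing with a firewall's idle-session timeout (seconds)."""
    return {
        "first_probe_after": idle,
        "dead_peer_detected_after": idle + interval * probes,
        # The session state survives only if a probe crosses the firewall
        # before the firewall expires the idle connection.
        "survives_firewall": idle < firewall_idle_timeout,
    }


def probe_host_defaults(firewall_idle_timeout):
    """Enable SO_KEEPALIVE on an unconnected socket and assess the host defaults."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
        ka = effective_keepalive(s)
    verdict = assess(ka["idle"], ka["interval"], ka["probes"], firewall_idle_timeout)
    return ka, verdict


if __name__ == "__main__":
    FIREWALL_IDLE_TIMEOUT = 3600  # assumed value, not taken from the thread
    ka, verdict = probe_host_defaults(FIREWALL_IDLE_TIMEOUT)
    print("kernel keepalive settings:", ka)
    print("assessment:", verdict)
    if not verdict["survives_firewall"]:
        print("first probe comes after the firewall timeout; "
              "lower net.ipv4.tcp_keepalive_time below it")
```

With the Linux default of 7200 seconds for tcp_keepalive_time, a capture shorter than two hours shows no keepalive probes even though SO_KEEPALIVE is set on the socket.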
participants (2): André Larose, Balazs Scheidler