[syslog-ng]syslog-ng throttling and event reporter

Russell Adams syslog-ng@lists.balabit.hu
Mon, 7 Jul 2003 09:05:10 -0500


I'm using Event Reporter on my Windows servers to forward their event
log to my syslog-ng server.

Recently, I've switched all of my Linux syslog clients to use TCP to
speak to the syslog-ng server, without any problems.

I've just enabled TCP on Event Reporter, and its behaving rather
unusually. I'm seeing 30+ open TCP connections from the one Windows
host I've enabled TCP on, and am experiencing messages that I'm
frequently hitting my max connections value of 100 open connections.

Is anyone running a similar configuration and seen similar problems?

I suspect that Event Reporter is using one connection per message, as
silly as that sounds. Its wild to contemplate it leaving those
connections open.

If its not a known problem, I'll break out a sniffer to see whats
going on.

Russell