[syslog-ng] Reliability of Remote logging via TCP/Syslog-NG

Balazs Scheidler bazsi at balabit.hu
Wed Jun 15 17:06:40 CEST 2005

On Wed, 2005-06-15 at 06:23 -0700, Nate Campi wrote:
> On Wed, Jun 15, 2005 at 01:24:14PM +0200, Balazs Scheidler wrote:
> > 
> > One other problem is that whenever the server shuts down the connection
> > the client drops a _single_ log message. This is not easy to fix, at
> > least not in the 1.6.x branch. See the mailing list archives for more
> > information. 
> I think we can work around it. Have syslog-ng send a one byte dummy
> message when a connection is brought up, that a receiving syslog-ng will
> always discard. I had to do something like this in a performance testing
> suite I wrote, and I see no reason syslog-ng itself can't do it.
> Sound reasonable?

Sorry, but no. It is not the first message that gets lost, it's the last
on the old connection. The kernel happily acks the sent message to
syslog-ng, but in the end it does not actually send it. So there is no
way to determine if that message was actually sent or not.

The only solution I see now is what is implemented in the 1.9.x series:
in addition to writing to the TCP socket, also read for possible EOF marks.
This way syslog-ng can realize that a connection is closed. There is a
small window of opportunity for the same happening, but the window is small
(e.g. it is possible that the connection breaks, syslog-ng sends a
message and then discovers that the connection was broken), but it is still
way better than the current solution.

An interesting question is whether the same happens on other IP stacks, or
it is only Linux which shows this behaviour. (because if this is the
case, the Linux kernel could be fixed as well)
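
The behaviour discussed in this message, as an added example that is not part of the original post and is not syslog-ng source: on a loopback TCP connection whose server side has already closed, a plain send() still reports success, while polling for readability and peeking for EOF first detects the close. It assumes Linux (MSG_NOSIGNAL, MSG_DONTWAIT); the helper names and the sample message are hypothetical.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if the peer has closed (EOF or socket error pending), 0 if it looks open. */
static int peer_closed(int fd) {
    struct pollfd p = { .fd = fd, .events = POLLIN };
    char c;
    if (poll(&p, 1, 0) <= 0) return 0;            /* nothing to read: assume open */
    if (p.revents & (POLLERR | POLLHUP)) return 1;
    ssize_t n = recv(fd, &c, 1, MSG_PEEK | MSG_DONTWAIT);
    return n == 0 || (n < 0 && errno != EAGAIN && errno != EWOULDBLOCK);
}

/* Write without looking: returns whatever send() reports. */
static ssize_t blind_send(int fd, const char *msg) {
    return send(fd, msg, strlen(msg), MSG_NOSIGNAL);
}

/* Read for EOF first; -1 means "closed, reconnect and keep the message". */
static ssize_t checked_send(int fd, const char *msg) {
    return peer_closed(fd) ? -1 : blind_send(fd, msg);
}

/* Constructed stand-in for a log server shutting down; returns the client fd. */
static int connect_to_closing_server(void) {
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t len = sizeof a;
    int ls = socket(AF_INET, SOCK_STREAM, 0), c = socket(AF_INET, SOCK_STREAM, 0);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);   /* port 0: kernel picks one */
    bind(ls, (struct sockaddr *)&a, sizeof a);
    listen(ls, 1);
    getsockname(ls, (struct sockaddr *)&a, &len);
    connect(c, (struct sockaddr *)&a, sizeof a);
    close(accept(ls, NULL, NULL)); close(ls);     /* server goes away */
    struct pollfd p = { .fd = c, .events = POLLIN };
    poll(&p, 1, 1000);                            /* wait for the FIN to arrive */
    return c;
}

int main(void) {
    int fd = connect_to_closing_server();
    ssize_t checked = checked_send(fd, "<13>constructed test\n");
    printf("checked=%zd blind=%zd\n", checked, blind_send(fd, "<13>constructed test\n"));
    return close(fd);
}
```

The check narrows the loss window but does not remove it: a close that arrives between peer_closed() and send() is still reported as a successful write.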

