[syslog-ng]Syslog-ng 1.6.6 Redhat ES 3.0 - too many open files

syslog-ng@lists.balabit.hu syslog-ng@lists.balabit.hu
Tue, 29 Mar 2005 13:08:00 -0500 

This is a multipart message in MIME format.
--=_alternative 0064114C85256FD3_=
Content-Type: text/plain; charset="US-ASCII"

I've sucessfully beaten down the memory leak issues I've been experiencing 
thanks to Balazs suggested patches.

I am now experiencing a different sort of "leak".     I worked back from 
the log files to identify the problem, but not the cause.

I restart syslog-ng weekly.  Towards the end of each week, I notice log 
messages:

syslog-ng[15710]: STATS: dropped 12828
syslog-ng[15710]: Error initializing raw socket, spoof- source support 
disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open 
files)
syslog-ng[15710]: Error initializing raw socket, spoof- source support 
disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open 
files)
syslog-ng[15710]: Error initializing raw socket, spoof- source support 
disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open 
files)

A quick "lsof -c syslog-ng" revealed a few hundred open files.   I 
restarted syslog-ng and checked for open files - the number was about 25.
In the past hour of monitoring, that number has jumped to over 70.  The 
"files" that appear to be increasing are these (from the output of lsof) :

syslog-ng 17081 root   61u   raw                     51703353 
00000000:00FF->00000000:0000 st=07
syslog-ng 17081 root   62u   raw                     51711769 
00000000:00FF->00000000:0000 st=07
syslog-ng 17081 root   63u   raw                     51721047 
00000000:00FF->00000000:0000 st=07
syslog-ng 17081 root   64u   raw                     51727149 
00000000:00FF->00000000:0000 st=07
syslog-ng 17081 root   65u   raw                     51738764 
00000000:00FF->00000000:0000 st=07


My syslog-ng.conf specifies only 4 real log file to write to, and one 
pipe(for mysql writing), and two UDP destinations (spoof enabled). 

CPU utilization on the machine is less than 5%, and there's plenty of free 
memory.

Any thoughts?  I'd hate to have to restart syslog-ng daily. 



--=_alternative 0064114C85256FD3_=
Content-Type: text/html; charset="US-ASCII"


<br><font size=2 face="sans-serif">I've sucessfully beaten down the memory
leak issues I've been experiencing thanks to Balazs suggested patches.</font>
<br>
<br><font size=2 face="sans-serif">I am now experiencing a different sort
of &quot;leak&quot;. &nbsp; &nbsp; I worked back from the log files to
identify the problem, but not the cause.</font>
<br>
<br><font size=2 face="sans-serif">I restart syslog-ng weekly. &nbsp;Towards
the end of each week, I notice log messages:</font>
<br>
<br><font size=2 face="sans-serif">syslog-ng[15710]: STATS: dropped 12828</font>
<br><font size=2 face="sans-serif">syslog-ng[15710]: Error initializing
raw socket, spoof- source support disabled. (libnet_open_raw: SOCK_RAW
allocation failed: Too many open files)</font>
<br><font size=2 face="sans-serif">syslog-ng[15710]: Error initializing
raw socket, spoof- source support disabled. (libnet_open_raw: SOCK_RAW
allocation failed: Too many open files)</font>
<br><font size=2 face="sans-serif">syslog-ng[15710]: Error initializing
raw socket, spoof- source support disabled. (libnet_open_raw: SOCK_RAW
allocation failed: Too many open files)</font>
<br>
<br><font size=2 face="sans-serif">A quick &quot;lsof -c syslog-ng&quot;
revealed a few hundred open files. &nbsp; I restarted syslog-ng and checked
for open files - the number was about 25.</font>
<br><font size=2 face="sans-serif">In the past hour of monitoring, that
number has jumped to over 70. &nbsp;The &quot;files&quot; that appear to
be increasing are these (from the output of lsof) :</font>
<br>
<br><font size=2 face="sans-serif">syslog-ng 17081 root &nbsp; 61u &nbsp;
raw &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
51703353 00000000:00FF-&gt;00000000:0000 st=07</font>
<br><font size=2 face="sans-serif">syslog-ng 17081 root &nbsp; 62u &nbsp;
raw &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
51711769 00000000:00FF-&gt;00000000:0000 st=07</font>
<br><font size=2 face="sans-serif">syslog-ng 17081 root &nbsp; 63u &nbsp;
raw &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
51721047 00000000:00FF-&gt;00000000:0000 st=07</font>
<br><font size=2 face="sans-serif">syslog-ng 17081 root &nbsp; 64u &nbsp;
raw &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
51727149 00000000:00FF-&gt;00000000:0000 st=07</font>
<br><font size=2 face="sans-serif">syslog-ng 17081 root &nbsp; 65u &nbsp;
raw &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;
51738764 00000000:00FF-&gt;00000000:0000 st=07</font>
<br>
<br>
<br><font size=2 face="sans-serif">My syslog-ng.conf specifies only 4 real
log file to write to, and one pipe(for mysql writing), and two UDP destinations
(spoof enabled). </font>
<br>
<br><font size=2 face="sans-serif">CPU utilization on the machine is less
than 5%, and there's plenty of free memory.</font>
<br>
<br><font size=2 face="sans-serif">Any thoughts? &nbsp;I'd hate to have
to restart syslog-ng daily. </font>
<br>
<br>
<br>
--=_alternative 0064114C85256FD3_=--