[syslog-ng]Syslog-ng 1.6.6 Redhat ES 3.0 - too many open files
Balazs Scheidler
syslog-ng@lists.balabit.hu
Wed, 30 Mar 2005 09:51:54 +0200
On Tue, 2005-03-29 at 13:08 -0500, henry@shoelacecity.com wrote:
>
> I've sucessfully beaten down the memory leak issues I've been
> experiencing thanks to Balazs suggested patches.
>
> I am now experiencing a different sort of "leak". I worked back
> from the log files to identify the problem, but not the cause.
>
> I restart syslog-ng weekly. Towards the end of each week, I notice
> log messages:
>
> syslog-ng[15710]: STATS: dropped 12828
> syslog-ng[15710]: Error initializing raw socket, spoof- source support
> disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open
> files)
> syslog-ng[15710]: Error initializing raw socket, spoof- source support
> disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open
> files)
> syslog-ng[15710]: Error initializing raw socket, spoof- source support
> disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open
> files)
>
> A quick "lsof -c syslog-ng" revealed a few hundred open files. I
> restarted syslog-ng and checked for open files - the number was about
> 25.
> In the past hour of monitoring, that number has jumped to over 70.
> The "files" that appear to be increasing are these (from the output
> of lsof) :
>
> syslog-ng 17081 root 61u raw 51703353
> 00000000:00FF->00000000:0000 st=07
> syslog-ng 17081 root 62u raw 51711769
> 00000000:00FF->00000000:0000 st=07
> syslog-ng 17081 root 63u raw 51721047
> 00000000:00FF->00000000:0000 st=07
> syslog-ng 17081 root 64u raw 51727149
> 00000000:00FF->00000000:0000 st=07
> syslog-ng 17081 root 65u raw 51738764
> 00000000:00FF->00000000:0000 st=07
>
>
> My syslog-ng.conf specifies only 4 real log file to write to, and one
> pipe(for mysql writing), and two UDP destinations (spoof enabled).
>
> CPU utilization on the machine is less than 5%, and there's plenty of
> free memory.
Hmmm it is strange, you most certainly have an fd leak, even though the
libnet context (ie. the raw socket) is initialized at destination
initialization time and destroyed at deinitialization time, seemingly
properly.
This is only done on initialization and configuration file reload. Are
you HUP-ing syslog-ng very often? I can't see how so many raw sockets
accumulated, assuming that one fd is leaked for each HUP.
--
Bazsi