[syslog-ng]Syslog-ng 1.6.6 Redhat ES 3.0 - too many open files

Balazs Scheidler syslog-ng@lists.balabit.hu
Wed, 30 Mar 2005 09:51:54 +0200 

On Tue, 2005-03-29 at 13:08 -0500, henry@shoelacecity.com wrote:
> 
> I've sucessfully beaten down the memory leak issues I've been
> experiencing thanks to Balazs suggested patches. 
> 
> I am now experiencing a different sort of "leak".     I worked back
> from the log files to identify the problem, but not the cause. 
> 
> I restart syslog-ng weekly.  Towards the end of each week, I notice
> log messages: 
> 
> syslog-ng[15710]: STATS: dropped 12828 
> syslog-ng[15710]: Error initializing raw socket, spoof- source support
> disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open
> files) 
> syslog-ng[15710]: Error initializing raw socket, spoof- source support
> disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open
> files) 
> syslog-ng[15710]: Error initializing raw socket, spoof- source support
> disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open
> files) 
> 
> A quick "lsof -c syslog-ng" revealed a few hundred open files.   I
> restarted syslog-ng and checked for open files - the number was about
> 25. 
> In the past hour of monitoring, that number has jumped to over 70.
>  The "files" that appear to be increasing are these (from the output
> of lsof) : 
> 
> syslog-ng 17081 root   61u   raw                     51703353
> 00000000:00FF->00000000:0000 st=07 
> syslog-ng 17081 root   62u   raw                     51711769
> 00000000:00FF->00000000:0000 st=07 
> syslog-ng 17081 root   63u   raw                     51721047
> 00000000:00FF->00000000:0000 st=07 
> syslog-ng 17081 root   64u   raw                     51727149
> 00000000:00FF->00000000:0000 st=07 
> syslog-ng 17081 root   65u   raw                     51738764
> 00000000:00FF->00000000:0000 st=07 
> 
> 
> My syslog-ng.conf specifies only 4 real log file to write to, and one
> pipe(for mysql writing), and two UDP destinations (spoof enabled).  
> 
> CPU utilization on the machine is less than 5%, and there's plenty of
> free memory. 

Hmmm it is strange, you most certainly have an fd leak, even though the
libnet context (ie. the raw socket) is initialized at destination
initialization time and destroyed at deinitialization time, seemingly
properly.

This is only done on initialization and configuration file reload. Are
you HUP-ing syslog-ng very often? I can't see how so many raw sockets
accumulated, assuming that one fd is leaked for each HUP.

-- 
Bazsi