[syslog-ng]Syslog-ng 1.6.6 Redhat ES 3.0 - too many open files

Dave Johnson syslog-ng@lists.balabit.hu
Wed, 30 Mar 2005 16:58:33 -0600


Henry, 

You may have considered most of this, but it doesn't hurt to ask--
Is there anything else that's weird with comparing:
* `ls -l /proc/<syslog-ng-pid>/fd`
* `lsof -c syslog-ng`
* `ps -eaf`
* `netstat -an` 

----------------------------
Also, do you have:
* Iptables running
* NFS storage?

On Wed, 30 Mar 2005 09:59:41 +0200, Balazs Scheidler <bazsi@balabit.hu> wrote:
> On Wed, 2005-03-30 at 09:51 +0200, Balazs Scheidler wrote:
> > On Tue, 2005-03-29 at 13:08 -0500, henry@shoelacecity.com wrote:
> > >
> > >
> > >
> > > My syslog-ng.conf specifies only 4 real log file to write to, and one
> > > pipe(for mysql writing), and two UDP destinations (spoof enabled).
> > >
> > > CPU utilization on the machine is less than 5%, and there's plenty of
> > > free memory.
> >
> > Hmmm it is strange, you most certainly have an fd leak, even though the
> > libnet context (ie. the raw socket) is initialized at destination
> > initialization time and destroyed at deinitialization time, seemingly
> > properly.
> >
> > This is only done on initialization and configuration file reload. Are
> > you HUP-ing syslog-ng very often? I can't see how so many raw sockets
> > accumulated, assuming that one fd is leaked for each HUP.
> >
> 
> Hmm.. I've now tried to reproduce the problem but without success, I
> created a spoof-source enabled UDP destination, sent a couple of
> messages then sent a HUP to syslog-ng, again a couple of messages, HUP
> and so on a couple of times.
> 
> The end result was that I had a single raw socket opened. I'm still
> curious how many times you HUP syslog-ng in one week to have so many raw
> sockets accumulated.
> 
> Either there's a problem in your libnet library, or something triggers a
> reinit within syslog-ng without tearing down the previous instance. But
> I can't reproduce that here.
> 
> Another related question is that I see this in your logs that you sent:
> 
> 
> syslog-ng[15710]: STATS: dropped 12828
> syslog-ng[15710]: Error initializing raw socket, spoof- source support disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open files)
> syslog-ng[15710]: Error initializing raw socket, spoof- source support disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open files)
> syslog-ng[15710]: Error initializing raw socket, spoof- source support disabled. (libnet_open_raw: SOCK_RAW allocation failed: Too many open files)
> 
> Can you add the timestamps for these, just to see the interval between
> those?
> 
> --
> Bazsi
> 
> _______________________________________________
> syslog-ng maillist  -  syslog-ng@lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Frequently asked questions at http://www.campin.net/syslog-ng/faq.html
> 
>