[syslog-ng] Bug? Dual destinations on Solaris

Richard Whelan richard.whelan at pipex.net
Wed Aug 23 12:34:14 CEST 2006

Hi All,

I've come across what looks like a bug. Whether it's syslog-ng, stunnel
or Solaris I can't tell. I'm also going to report this to Michal (Stunnel).

The setup/problem is as follows:

I'm effectively re-creating a syslog-ng client/server setup, except, the
traffic is being encrypted using Stunnel, and it's talking to two
servers simultaneously for redundancy.

In order for this to happen, I have stunnel set to listen to two
separate ports on the client, and syslog-ng set to send to the two
separate ports. The configuration, parts of which are below, are working
fine with 6 or so Linux clients, and also appears to work fine with
Solaris 8, but not under Solaris 9.

The config for the stunnel side is: stunnel-4.15

client = yes
cert = /usr/local/ssl/certs/syslog-ng-client.pem
CAfile = /usr/local/ssl/certs/syslog-ng-server.pem
chroot = /var/run/stunnel
pid = /run/stunnel.pid
setuid = stunnel
setgid = stunnel
verify = 3
debug = 7
output = /var/log/stunnel.log
        accept =
        connect = x.x.x.x:5140
        TIMEOUTclose = 0
        accept =
        connect = y.y.y.y:5140
        TIMEOUTclose = 0

As you can see it's set to listen to ports 5140 and 5141 on the
localhost. If you start this first, the process runs fine, and shows up
with a netstat -a:

localhost.5140             *.*                0      0 32768      0 LISTEN
localhost.5141             *.*                0      0 32768      0 LISTEN

The config for the syslog-ng process is: syslog-ng-1.6.11

options { sync (0);
          keep_hostname (yes);
          use_fqdn (yes);
          chain_hostnames (no);
          use_dns (no);
          time_reopen (10);
          time_reap (120);
          log_fifo_size (2048);

source s_local {
                        sun-streams("/dev/log" door("/etc/.syslog_door"));

destination .......
destination d_stunnel { tcp ("" port(5140)); };
destination d_stunnel2 { tcp ("" port(5141)); };

Here showing that two  of the destinations are to tcp ports 5140 and
5141 on the localhost. It seems reasonable enough, and as I mentioned
does work on Linux. However as soon as the syslog-ng process starts, the
stunnel process is either killed or just dies.

The netstat then shows:

localhost.64142      localhost.5141       32768      0 32768      0
localhost.5141       localhost.64142      32768      0 32768      0
localhost.64143      localhost.5140       32768      0 32768      0
localhost.5140       localhost.64143      32768      0 32768      0

and after a while you are just left with the CLOSE_WAIT lines.

I've tried this on two separate Solaris 9 systems, both the same result.
One actually producing a core dump of the stunnel process.

Has anyone seen anything like this, or can shed any light as to why this
may not be working.



-- Richard Whelan Senior Systems & NMS Administrator Pipex
Communications Tel: +44 (0) 1865 381568 Mob: +44 (0) 7786 276020 Web:
http://www.pipex.com This e-mail is subject to:

More information about the syslog-ng mailing list