[syslog-ng] Constant disconnects

Evan Rempel erempel at uvic.ca
Wed Jun 27 05:17:58 CEST 2007


I started seeing this kind of behaviour on my syslog-ng clients when I updated my syslog-ng server
to 2.0.4 and tracked it down to the newly added support of TCPWrappers. There was no clue on the
client machines since the rejection occurred on the syslog-ng server.

Just adding my $0.02 so that nothing was overlooked.

Evan.

Tim Boyer wrote:
>>On Tue, 2007-06-26 at 10:45 -0400, Tim Boyer wrote:
>>>I'm running 2.0.0, and have eight remote servers logging to a central
>>>server.  Seven of those servers are running fine; the eighth keeps getting
>>>log messages like this:
>>>
>>>Jun 26 10:41:33 kyushu.denmantire.com syslog-ng[6829]: syslog-ng starting
>>>up; version='2.0.0'
>>>Jun 26 10:41:33 kyushu.denmantire.com syslog-ng: syslog-ng startup succeeded
>>>Jun 26 10:41:33 kyushu.denmantire.com syslog-ng[6829]: EOF occurred while
>>>idle;fd='5'
>>>Jun 26 10:41:33 kyushu.denmantire.com syslog-ng[6829]: Connection broken;
>>>time_reopen='60'
>>>
>>>My first assumption was a firewall problem, but tcpdump says that data's
>>>getting there:
>>>
>>>10:42:49.013423 IP kyushu-vpn-cli.denmantire.com.37759 >
>>>buran.denmantire.com.5142: S 1168830611:1168830611(0) win 5840 <mss
>>>1460,sackOK,timestamp 316509070 0,nop,wscale 2>
>>>10:42:49.014768 IP buran.denmantire.com.5142 >
>>>kyushu-vpn-cli.denmantire.com.37759: S 845996771:845996771(0) ack 1168830612
>>>win 5792 <mss 1460,sackOK,timestamp 39334539 316509070,nop,wscale 7>
>>>
>>>Any ideas what could be causing the connection to drop - but only on this
>>>server?
>>
>>The "EOF" occurred while idle means that syslog-ng sensed incoming data
>>on a simplex channel, this should only happen if the remote end is
>>closing the channel.
>>
>>Please start tcpdump on the given connection and check what kind of
>>packets go through when the connection is broken.
>>
>>You should see a FIN packet or a packet that has a data payload. This
>>should never happen.
>>
>>-- 
>>Bazsi
> 
> 
> Not seeing it:
> 
> [root@buran tmp]# tcpdump port 5142
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
> 19:15:46.504529 IP kyushu-vpn-cli.denmantire.com.38378 >
> buran.denmantire.com.5142: S 3593561021:3593561021(0) win 5840 <mss
> 1460,sackOK,timestamp 347293143 0,nop,wscale 2>
> 19:15:46.506014 IP buran.denmantire.com.5142 >
> kyushu-vpn-cli.denmantire.com.38378: S 3279541618:3279541618(0) ack
> 3593561022 win 5792 <mss 1460,sackOK,timestamp 47028610 347293143,nop,wscale
> 7>
> 19:15:46.720099 IP kyushu-vpn-cli.denmantire.com.38378 >
> buran.denmantire.com.5142: . ack 1 win 1460 <nop,nop,timestamp 347293280
> 47028610>
> 19:15:46.720119 IP kyushu-vpn-cli.denmantire.com.38378 >
> buran.denmantire.com.5142: P 1:101(100) ack 1 win 1460 <nop,nop,timestamp
> 347293280 47028610>
> 19:15:46.720128 IP buran.denmantire.com.5142 >
> kyushu-vpn-cli.denmantire.com.38378: . ack 101 win 46 <nop,nop,timestamp
> 47028664 347293280>
> 19:15:46.720505 IP buran.denmantire.com.5142 >
> kyushu-vpn-cli.denmantire.com.38378: R 1:1(0) ack 101 win 46
> <nop,nop,timestamp 47028664 347293280>
> 19:15:46.785157 IP kyushu-vpn-cli.denmantire.com.38378 >
> buran.denmantire.com.5142: P 101:183(82) ack 1 win 1460 <nop,nop,timestamp
> 347293422 47028664>
> 19:15:46.785204 IP buran.denmantire.com.5142 >
> kyushu-vpn-cli.denmantire.com.38378: R 3279541619:3279541619(0) win 0
>  
> Jun 26 19:15:46 kyushu.denmantire.com syslog-ng: syslog-ng startup succeeded
> Jun 26 19:15:46 kyushu.denmantire.com syslog-ng[20057]: EOF occurred while
> idle; fd='5'
> Jun 26 19:15:46 kyushu.denmantire.com syslog-ng[20057]: Connection broken;
> time_reopen='60'
> 
> -- tim --
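The question this thread turns on is which end tore the connection down, and that can be read mechanically from a saved text capture in the tcpdump format quoted above. The following is an added example, not part of the original posts; the hostnames and sample packets are constructed, port 5142 is the one from the thread, and each packet is assumed to sit on one unwrapped line.

```python
import re

# Old-style tcpdump text: "<time> IP <src>.<port> > <dst>.<port>: <flags> <rest>"
LINE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): ([SFPRWE.]+) (.*)$")
PAYLOAD = re.compile(r"\d+:\d+\((\d+)\)")  # "1:101(100)" -> 100 payload bytes

def first_teardown(lines, server_port):
    """Map (client_host, client_port) -> who sent the first RST/FIN, and when.

    client_bytes is the payload the client had sent before that packet.
    """
    conns = {}
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner, syslog line, or a wrapped fragment
        when, src, sport, dst, dport, flags, rest = m.groups()
        from_server = int(sport) == server_port
        key = (dst, int(dport)) if from_server else (src, int(sport))
        conn = conns.setdefault(key, {"by": None, "client_bytes": 0})
        if conn["by"]:
            continue  # teardown already attributed; ignore later packets
        size = PAYLOAD.match(rest)
        if size and not from_server and "S" not in flags:
            conn["client_bytes"] += int(size.group(1))
        for flag in "RF":  # a reset takes precedence over an orderly close
            if flag in flags:
                conn.update(by="server" if from_server else "client",
                            flag=flag, time=when)
                break
    return {k: v for k, v in conns.items() if v["by"]}

# Constructed capture, one packet per line; hostnames are placeholders.
SAMPLE = """\
19:15:46.504529 IP client.example.38378 > server.example.5142: S 100:100(0) win 5840 <mss 1460>
19:15:46.506014 IP server.example.5142 > client.example.38378: S 900:900(0) ack 101 win 5792 <mss 1460>
19:15:46.720099 IP client.example.38378 > server.example.5142: . ack 1 win 1460
19:15:46.720119 IP client.example.38378 > server.example.5142: P 1:101(100) ack 1 win 1460
19:15:46.720128 IP server.example.5142 > client.example.38378: . ack 101 win 46
19:15:46.720505 IP server.example.5142 > client.example.38378: R 1:1(0) ack 101 win 46
19:15:46.785157 IP client.example.38378 > server.example.5142: P 101:183(82) ack 1 win 1460
19:16:10.000001 IP client.example.38400 > server.example.5142: F 1:1(0) ack 1 win 1460
""".splitlines()

if __name__ == "__main__":
    for (host, port), c in first_teardown(SAMPLE, 5142).items():
        print(f"{host}:{port} closed by {c['by']} ({c['flag']}) at {c['time']} "
              f"after {c['client_bytes']} client bytes")
```

A teardown attributed to the server right after the handshake means the cause has to be looked for on the server side, which is where Evan found the TCP Wrappers rejection.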