[syslog-ng] increasing number of TCP connections from same number of remote hosts

Nagy Daniel nagy.daniel at t-online.co.hu
Thu Jan 24 12:08:31 CET 2008 

Hello,

On the client fmx23 there is only one TCP connection shown by
netstat, however there are several connection broken messages:

Jan 23 17:16:19 fmx23 syslog-ng[836]: EOF occurred while idle; fd='12'
Jan 23 17:16:19 fmx23 syslog-ng[836]: Connection broken; time_reopen='60'

The clients have syslog-ng 2.0.3.

Daniel



Balazs Scheidler wrote:
> On Thu, 2008-01-24 at 08:39 +0100, Nagy Daniel wrote:
>> Hi,
>>
>> It's syslog-ng v2.0.7 on RHEL4, compiled from source.
>> The system is a log server, it receives logs via TCP from
>> various clients.
>>
>> After restarting syslog-ng, netstat -t shows that each remote
>> host open only one TCP connection to the server, which is normal.
>> The problem is, that the number of established TCP connections
>> is increasing constantly, but the number of clients is the same.
>>
>>
>> For example netstat -t --numeric-ports | grep fmx23 now shows:
>>
>> tcp        0      0 barapp1:514
>> fmx23.freemail.privat:52391 ESTABLISHED
>> tcp        0      0 barapp1:514
>> fmx23.freemail.privat:50852 ESTABLISHED
>> tcp        0      0 barapp1:514
>> fmx23.freemail.privat:50172 ESTABLISHED
>> tcp        0      0 barapp1:514
>> fmx23.freemail.privat:59367 ESTABLISHED
>> tcp        0      0 barapp1:514
>> fmx23.freemail.privat:50979 ESTABLISHED
>> tcp        0      0 barapp1:514
>> fmx23.freemail.privat:55828 ESTABLISHED
>> tcp        0      0 barapp1:514
>> fmx23.freemail.privat:53013 ESTABLISHED
>> tcp        0      0 barapp1:514
>> fmx23.freemail.privat:50038 ESTABLISHED
>>
>> Why is that? AFAIK there should be only one established connection
>> per client. Is it a server or client problem?
> 
> Hmm.. strange, it should not do that. It is probably a client problem,
> can you check if it is indeed the syslog-ng process that opens these
> connections?
> 
> Can you see messages like this on the client:
> 
>       msg_error("Connection broken",
>                 evt_tag_int("time_reopen", self->time_reopen),
>                 NULL);
> 
> 
> If you enable verbose logging, somewhat more information should be
> displayed about the reasons why syslog-ng reconnects.
> 
>

More information about the syslog-ng mailing list