[syslog-ng] syslog-ng stops accepting new connections every 100-110 minutes

Matt Pinkham westphalia at gmail.com
Wed Jul 29 17:34:42 CEST 2009


No, it is not a concurrent TCP limit issue as this data stream is a single
connection.  I do not see the max-connections message in the messages log
either.


On Wed, Jul 29, 2009 at 11:22 AM, Matt Pinkham <westphalia at gmail.com> wrote:

> For the last 24 hours on versions 2.0.4, 2.1.4, & 3.0.3 syslog-ng will stop
> taking new connections via a listening port every 100-110 minutes (aka it
> will hang up immediately).  It will never recover on its own and has to be
> restarted.  I haven't figured out the exact interval but hopefully that will
> be close enough to work with (note that the traffic is fairly low -- 10
> mesgs/sec -- 500K-600K data/min).  I had a program logging data locally via
> /dev/log into a named directory and then moved this program to a remote
> server.  That remote server does not seem to be having an issue.  I have
> observed this issue on two separate servers (RHEL4.[image: Cool] that were
> taking this data feed.  I have tried with flush_lines/sync & time_reopen
> commented out with no difference as well as log_fifo_size,
> log_mesg_size,so_recvbuf commented out.  There are no obvious messages about
> why syslog-ng stops working (even with debug and verbose enabled).  Note
> that these two servers (that stop working) are behind an Alteon 2424 switch
> (although I have other feeds to other servers working fine behind this
> switch).  Ideas?  Need more data?
>
> ==syslog will stop accepting connections==
> [root at server]# telnet localhost 514
> Trying 127.0.0.1...
> Connected to localhost.localdomain (127.0.0.1).
> Escape character is '^]'.
> Connection closed by foreign host.
>
> ==top section of 3.0 syslog-ng.conf==
> options { flush_lines (0);
>           time_reopen (10);
>           log_fifo_size (10000);
>           long_hostnames (off);
>           use_dns (no);
>           use_fqdn (no);
>           create_dirs (no);
>           dir_perm (0755);
>           perm (0644);
>           chain_hostnames(no);
>           keep_hostname (yes);
>           stats_freq (3600);
>           log_msg_size(65536);
>         };
>
> source remote {
>         udp(ip(0.0.0.0) port(514) so_rcvbuf(1048576));
>         tcp(ip(0.0.0.0) port(514) max-connections(50) so_rcvbuf(1048576));
> };
>
> ==logging data like this===
> filter f_data     { match("Data:"); };
> destination d_data   {
> file("/var/log/data/data-$R_MONTH$R_DAY$R_HOUR$R_MIN"); };
> log { source(remote); filter(f_data); destination(d_data); };
>
>
>


-- 
Some men see things as they are and ask why. I see things that never were
and ask for initiative rolls.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20090729/90976ca2/attachment-0001.htm 


More information about the syslog-ng mailing list