[syslog-ng] I/O error occurred while writing; fd=\'6\', error=\'Connection refused (111)\'

Evan Rempel erempel at uvic.ca
Mon Jun 8 06:03:24 CEST 2009 

Wouldn't things be a lot easier to trouble shoot if syslog-ng just logged the destination name rather than, or in addition to the fd number.
Something like

syslog-ng: I/O error occurred while writing; destination=d_unitylab; error=\'Connection refused (111)\'

I have this problem all of the time, I can not tell which destination is having the problem, and since syslog-ng 
closes the channel when the error occurs, using lsof is of little help.

Evan.
________________________________________
From: syslog-ng-bounces at lists.balabit.hu [syslog-ng-bounces at lists.balabit.hu] On Behalf Of Clayton Dukes [cdukes at gmail.com]
Sent: Sunday, June 07, 2009 8:15 AM
To: Balazs Scheidler
Cc: Syslog-ng users' and developers' mailing list
Subject: Re: [syslog-ng] I/O error occurred while writing;      fd=\'6\',       error=\'Connection refused (111)\'

Alrighty! I think I have the culprit...

> Are you sure that fd=6 refers to the pipe in question? That can be
> checked using lsof.

I checked lsof, but didn't find anything other than a pipe (I think)

syslog-ng  1009       root    7w     FIFO        0,6              1232190 pipe

However an strace did yield some good information, now that I know
what to look for:

1009  write(6, "<187>Jun  7 10:56:54 vnt-cm1d.cis"..., 277) = -1
ECONNREFUSED (Connection refused)

This clued me in that, in fact, you are correct - it's not my perl
pipe that is the problem.
I'd forgotten that I had added some new destinations the other day to
some other servers in the lab, here's the config for that:


# Added destination for Unity servers for Scott and Joe

# Filter all incoming messages for unity server sources
filter f_unitylab { (
    host("^vnt-cm")
    );
};
# Set destination to Joe's lab
destination d_unitylab {
    udp("172.16.106.206" port (514));
};
# Set destnation to Scott's server
destination d_ucsyslog {
    udp("172.16.86.112" port (514));
};

# Log to configured destinations
log {
    source(s_all);
    filter(f_unitylab);
    destination(d_unitylab);
    destination(d_ucsyslog);
};

It looks like I'm getting an ECONNREFUSED from one of the sources (vnt-cm1d)?
I would think the connection refused would be a destination, not a
source - or am I just reading that wrong?

Thanks for your help (and sorry that I forgot about the new config!) :-)


>
> An strace could reveal which system call returned ECONNREFUSED, and that
> could let me find the problem. If you can't make that out  yourself,
> just send me the strace and I'll check. (possibly in private as that may
> contain sensitive information)



On Sun, Jun 7, 2009 at 5:54 AM, Balazs Scheidler<bazsi at balabit.hu> wrote:
> On Sat, 2009-06-06 at 13:33 -0400, Clayton Dukes wrote:
>> Hi Folks,
>> I am the owner of php-syslog-ng...
>> While working on one of my servers, I notice the following error
>> getting repeated (a lot):
>> syslog-ng[23692]: I/O error occurred while writing; fd=\'6\',
>> error=\'Connection refused (111)\'
>>
>> I've done multiple searches but haven't been able to nail down why
>> this error is constantly getting logged into my pipe.
>> I've found google results where Baszi asked the user to try using
>> strace and/or lsof, but I can't gleen anything useful from it (maybe
>> I'm just too dumb :-))
>>
>
> hmm, for a destination pipe, "Connection refused" should not be received
> as an error code.
>
> Quickly checking the Linux kernel sources, I can't see this error code
> in the pipe driver (although this was only a quick grep)
>
> Are you sure that fd=6 refers to the pipe in question? That can be
> checked using lsof.
>
> An strace could reveal which system call returned ECONNREFUSED, and that
> could let me find the problem. If you can't make that out  yourself,
> just send me the strace and I'll check. (possibly in private as that may
> contain sensitive information)
>
>
>> Any help would be greatly appreciated :-)
>>
>> Here's my syslog-ng config:
>>
>> options {
>>         long_hostnames(off);
>>
>>         # doesn't actually help on Solaris, log(3) truncates at 1024 chars
>>         log_msg_size(8192);
>>
>>         # buffer just a little for performance
>>         sync(1);
>>
>>         # memory is cheap, buffer messages unable to write (like to loghost)
>>         log_fifo_size(16384);
>>
>>         # Hosts we don't want syslog from
>>         #bad_hostname("^(ctld.|cmd|tmd|last)$");
>>         bad_hostname("^11.16.254.134$");
>>
>>         # The time to wait before a dead connection is reestablished (seconds)
>>         time_reopen(10);
>>
>>         #Use DNS so that our good names are used, not hostnames
>>         use_dns(yes);
>>         dns_cache(yes);
>>
>>         #Use the whole DNS name
>>         use_fqdn(yes);
>>
>>         keep_hostname(yes);
>>         chain_hostnames(no);
>>
>>         #Read permission for everyone
>>         perm(0644);
>>        # The default action of syslog-ng 1.6.0 is to log a STATS line
>>         # to the file every 10 minutes.  That's pretty ugly after a while.
>>         # Change it to every 12 hours so you get a nice daily update of
>>         # how many messages syslog-ng missed (0).
>>         stats(43200);
>>         };
>>
>> destination d_syslogdb {
>>         pipe("/var/log/mysql.pipe",
>>         template
>> ("'$HOST''$FACILITY''$PRIORITY''$LEVEL''$TAG''$YEAR-$MONTH-$DAY''$HOUR:$MIN:$SEC''$PROGRAM''$MSG'\n")
>>         template_escape(yes)
>>         );
>> };
>>
>> log {
>> source(s_all); destination(d_syslogdb);
>> };
>>
>>
> --
> Bazsi
>
>
>



--
______________________________________________________________

Clayton Dukes
______________________________________________________________
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.campin.net/syslog-ng/faq.html

More information about the syslog-ng mailing list