[syslog-ng] syslog-ng v3.0.4 stops receiving remote logs

Mike Duncan Mike.Duncan at noaa.gov
Fri Sep 18 19:49:03 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We are running into an issue using syslog-ng v3.0.3 and v3.0.4. After
about 1 minute or so, all external/remote hosts can no longer log to the
logging server (syslog-ng). We run udp only and have something around
300-400 hosts logging to the server. The local logging seems to be okay
even after the remote logging ceases. We are not getting any indication
from syslog-ng (logs or stdout) that there is an issue unless we run it
in debug mode.

Firstly, we tried to ensure the rmem and wmem were set to handle
everything. We were seeing some 30million packet receive errors, so
bumped up the settings from 8MB to 16MB. This did not help resolve the
issue.

Secondly, after looking through mailing lists and various posts online,
we thought the issue to be the 0-byte UDP packet bug as mentioned here:
https://bugzilla.balabit.com/show_bug.cgi?id=32. When running v3.0.3 in
debug mode with trace enabled, we saw the EOF error messages, which led
us to download v3.0.4, apply the patch and compile. Unfortunately, we
are still having the same issue as before, but no EOF error messages this
time.

ulimit is set to unlimited and at most we only get 30-40 fds opened.
So, we are at a loss and hoping to get some input from here. Here are
some details... (sorry for wrapping issues)...

netstat -su snippet
===========================
Udp:
    259879531 packets received
    709190 packets to unknown port received.
    29579106 packet receive errors
    328899408 packets sent
    RcvbufErrors: 29579106

netstat -anp snippet
===========================
udp   16776712      0 0.0.0.0:514             0.0.0.0:*                           -


sysctl snippet
===========================
net.core.rmem_default = 16777216
net.core.rmem_max = 16777216
net.core.wmem_default = 16777216
net.core.wmem_max = 16777216

syslog-ng.conf snippets
===========================
options {
      chain_hostnames(0);
      time_reopen(10);
      time_reap(360);
      log_fifo_size(2048);
      create_dirs(yes);
      group(adm);
      perm(0640);
      dir_perm(0755);
      use_dns(yes);
      #log_msg_size(2048);
      stats_freq(0);
      bad_hostname("^gconfd$");
};

source s_all {
        internal();
        unix-stream("/dev/log");
        file("/proc/kmsg" program_override("kernel: "));
        udp(ip(0.0.0.0) port(514));
};

#example remote logging
destination df_windows { file("/var/log/windows.log"); };
filter f_windows { program("MSWinEventLog"); };
log { source(s_all); filter(f_windows); destination(df_windows);
flags(final); };

#another example
destination df_networkdevice { file("/var/log/networkdevice.log"); };
filter f_2e { host("2e[0-9]") or host("2eg[0-9]"); }; #2nd floor East
log { source(s_all); filter(f_2e); destination(df_networkdevice);
flags(final); };

uname -a
=============================
Linux logalot 2.6.24-24-server #1 SMP Fri Jul 24 23:27:55 UTC 2009 i686 GNU/Linux

ps ax | grep syslog
=============================
 2201 ?        S      0:00 supervising syslog-ng
 2202 ?        Ss     0:00 /opt/syslog-ng/sbin/syslog-ng --no-caps


Are we running into a limit of some sort, or a bug, or more likely -- are
we missing something? Any help is appreciated. If you need more
information, just let me know.

Thanks.

- --
Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkqzyA4ACgkQnvIkv6fg9hZdiQCgkO6wW8yo9AC49f7E+sEQxD7J
nH4AmwYNG/zsLJugvy+apqrueG+UR4TS
=Y6Ol
-----END PGP SIGNATURE-----
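The two numbers worth reading together in the post above are the Recv-Q of the port-514 socket in the netstat -anp snippet (16776712) and net.core.rmem_max (16777216): the socket's receive queue is within a few hundred bytes of its ceiling while RcvbufErrors keeps climbing. A queue that sits full tells you the process is not draining the socket, which is a different problem from a queue that drains but loses bursts, and raising rmem only helps with the second. The following script is an added example, not part of the original post or of syslog-ng; it parses the same `netstat -su` and `netstat -an` output formats, compares Recv-Q against rmem_max, and reports which of the two situations a log collector is in. The sample input is constructed from the figures quoted in the post, and the port number, threshold (1%) and state names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): tell a stalled UDP consumer
# apart from plain burst drops using netstat counters and rmem_max.

# Constructed sample input, using the figures quoted in the post.
SAMPLE_NETSTAT_SU='Udp:
    259879531 packets received
    709190 packets to unknown port received.
    29579106 packet receive errors
    328899408 packets sent
    RcvbufErrors: 29579106'

SAMPLE_NETSTAT_ANP='udp   16776712      0 0.0.0.0:514             0.0.0.0:*    -'
SAMPLE_RMEM_MAX=16777216   # value of net.core.rmem_max from the post

# Print the RcvbufErrors counter from "netstat -su" output read on stdin
# (0 if the line is absent, e.g. on kernels that do not export it).
rcvbuf_errors() {
    awk '/RcvbufErrors:/ { print $2; found=1 } END { if (!found) print 0 }'
}

# Print the Recv-Q of the first UDP socket bound to the given port,
# reading "netstat -an" output on stdin.
recvq_for_port() {
    port=$1
    awk -v p=":$port" '$1 == "udp" && $4 ~ (p "$") { print $2; exit }'
}

# True when Recv-Q is within 1% of rmem_max: the queue is effectively
# full, so the reader is not keeping up (assumed threshold).
recvq_is_full() {
    recvq=$1; rmem=$2
    [ "$recvq" -ge $(( rmem - rmem / 100 )) ]
}

# Classify: RcvbufErrors count, current Recv-Q, rmem_max -> one word.
diagnose() {
    errs=$1; recvq=$2; rmem=$3
    if recvq_is_full "$recvq" "$rmem"; then
        echo "consumer-stalled"   # queue pinned at the ceiling; bigger rmem will not help
    elif [ "$errs" -gt 0 ]; then
        echo "burst-drops"        # queue drains but overflows on bursts; sizing problem
    else
        echo "healthy"
    fi
}

main() {
    errs=$(printf '%s\n' "$SAMPLE_NETSTAT_SU" | rcvbuf_errors)
    recvq=$(printf '%s\n' "$SAMPLE_NETSTAT_ANP" | recvq_for_port 514)
    echo "RcvbufErrors=$errs Recv-Q=$recvq rmem_max=$SAMPLE_RMEM_MAX"
    diagnose "$errs" "$recvq" "$SAMPLE_RMEM_MAX"
}

main
```

On a live host, replace the sample variables with `netstat -su`, `netstat -an` and `sysctl -n net.core.rmem_max`, and take two readings a minute apart: a Recv-Q that stays pinned near rmem_max across both readings, with RcvbufErrors still increasing, is the consumer-stalled case, and the next step is to look at what the daemon itself is blocked on rather than at kernel buffer sizes.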
