[syslog-ng] TCP recv bug in syslog-ng v2.09?

Clayton Dukes cdukes at gmail.com
Tue Aug 17 20:28:28 CEST 2010


Hey guys,
Are there any known bugs for syslog-ng v2.09  that won't allow a cisco
router to send logs over tcp?
I can see a connection established in syslog-ng.
I also see the message come in via tcpdump, but nothing in syslog-ng's
output.
If I change the router from tcp to udp, messages come in as expected.

*Router config:*

logging source-interface Loopback0
logging 172.18.224.150 <tricon:40,-1|172.18.224.150;majoshi at cisco.com>
logging host 172.18.224.190
<tricon:40,-1|172.18.224.190;majoshi at cisco.com>transport tcp


*syslog-ng config:*

source s_all {
        udp();
        tcp(ip(11.31.130.99) port(8002) max-connections(300));
        tcp(ip(172.18.224.190) port(601) max-connections(300));
};


*debug output:*
I commented out the line above for the other interface (11.31.130.99),
restarted and this is all I see:
Syslog connection accepted;
from='AF_INET(14.3.23.50<tricon:40,-1|(14.3.23.50;majoshi at cisco.com>:63845)',
to='AF_INET(172.18.224.190 <tricon:40,-1|(172.18.224.190;majoshi at cisco.com>
:601)'


*tcpdump:*

14:13:46.914566 IP (tos 0x0, ttl 251, id 4303, offset 0, flags [none], proto
TCP (6), length 134)
    14.3.23.50.63845 > xxx.com.601: Flags [.], seq 230:324, ack 1, win 4128,
length 94


*Router debug:*

*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:19.772<tricon:40,-1|.772;majoshi at cisco.com>:
%SYS-5- <tricon:40,-1|-5-;majoshi at cisco.com>CONFIG_I: Configured from
console by pnoc on vty0 (172.18.224.151) <tricon:40,-1|0
(172.18.224.151);majoshi at cisco.com>
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:20.776<tricon:40,-1|.776;majoshi at cisco.com>:
Released port 15205 <tricon:40,-1|15205;majoshi at cisco.com> in Transport Port
Agent for TCP IP type 1 delay 240000 <tricon:40,-1|240000;majoshi at cisco.com>

*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:20.776<tricon:40,-1|.776;majoshi at cisco.com>:
TCB 0x850 <tricon:40,-1|850;majoshi at cisco.com>F9754<tricon:40,-1|9754;majoshi at cisco.com>destroyed
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
TCB83648 <tricon:40,-1|83648;majoshi at cisco.com>E60 created
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
TCB83648 <tricon:40,-1|83648;majoshi at cisco.com>E60 setting property TCP_PID (8)
845083 <tricon:40,-1|(8) 845083;majoshi at cisco.com>E4
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
TCB83648 <tricon:40,-1|83648;majoshi at cisco.com>E60 setting property
TCP_NO_DELAY (1) 845083 <tricon:40,-1|(1) 845083;majoshi at cisco.com>E8
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
TCB83648 <tricon:40,-1|83648;majoshi at cisco.com>E60 setting property TCP
keepalive timeout (17) 845084 <tricon:40,-1|(17) 845084;majoshi at cisco.com>
A0
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
TCP: Random local port generated 63845<tricon:40,-1|63845;majoshi at cisco.com>,
network 1
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
TCB83648 <tricon:40,-1|83648;majoshi at cisco.com>E60 bound to
14.3.23.50.63845<tricon:40,-1|14.3.23.50.63845;majoshi at cisco.com>

*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
Reserved port 63845 <tricon:40,-1|63845;majoshi at cisco.com> in Transport Port
Agent for TCP IP type 1
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
TCP: sending SYN, seq 3300233565 <tricon:40,-1|3300233565;majoshi at cisco.com>,
ack 0
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
TCP0: Connection to
172.18.224.190<tricon:40,-1|172.18.224.190;majoshi at cisco.com>:601,
advertising MSS 536 <tricon:40,-1|536;majoshi at cisco.com>
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.775<tricon:40,-1|.775;majoshi at cisco.com>:
TCP0: state was CLOSED -> SYNSENT [63845 - <tricon:40,-1|63845
-;majoshi at cisco.com>>
172.18.224.190(601)<tricon:40,-1|172.18.224.190(601);majoshi at cisco.com>
]
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.779<tricon:40,-1|.779;majoshi at cisco.com>:
TCP0: state was SYNSENT -> ESTAB [63845 - <tricon:40,-1|63845
-;majoshi at cisco.com>>
172.18.224.190(601)<tricon:40,-1|172.18.224.190(601);majoshi at cisco.com>
]
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.779<tricon:40,-1|.779;majoshi at cisco.com>:
TCP: tcb 83648 <tricon:40,-1|83648;majoshi at cisco.com>E60 connection to
172.18.224.190 <tricon:40,-1|172.18.224.190;majoshi at cisco.com>:601, peer MSS
1460 <tricon:40,-1|1460;majoshi at cisco.com>, MSS is
536<tricon:40,-1|536;majoshi at cisco.com>

*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.779<tricon:40,-1|.779;majoshi at cisco.com>:
TCB83648 <tricon:40,-1|83648;majoshi at cisco.com>E60 connected to
172.18.224.190.601 <tricon:40,-1|172.18.224.190.601;majoshi at cisco.com>
*Aug 17 17 <tricon:40,-1|17
17;majoshi at cisco.com>:34:25.779<tricon:40,-1|.779;majoshi at cisco.com>:
%SYS-6- <tricon:40,-1|-6-;majoshi at cisco.com>LOGGINGHOST_STARTSTOP: Logging
to host 172.18.224.190 <tricon:40,-1|172.18.224.190;majoshi at cisco.com> port
601 <tricon:40,-1|601;majoshi at cisco.com> started - reconnection

______________________________________________________________

Clayton Dukes
______________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100817/7df64716/attachment.htm 


More information about the syslog-ng mailing list