[syslog-ng] Broken TCP connection

James Pirman jim_pirman at hotmail.com
Tue Jan 5 18:22:36 CET 2010 

I am currently having an issue with syslog-ng 3.0.4 where my TCP connection between my client and server is lost throughout the day.  By looking at the pcap file from tcpdump I can tell that the TCP connection reset was initiated by the syslog-ng server.  The only information that was initially in the log file regarding this disconnection was the following 2 lines:

 

<45>1 2010-01-05T10:29:32.323-06:00 server-db-01 syslog-ng 29213 - [meta sequenceId="2733719"] notice Syslog connection closed; fd='9', client='AF_INET(192.168.27.218:46326)', local='AF_INET(192.168.27.198:20514)'

 

and 

 

<46>1 2010-01-05T10:29:32.323-06:00 server-db-01 syslog-ng 29213 - [meta sequenceId="2733720"] info Closing log transport fd; fd='9'

 

 

In order to get more information, I set the following flags in init.d: "-v -d -t".

 

This did not give me any more information about the TCP disconnect, however I did notice that a lot of my normal messages were preceeded by the following text:

 

<47>1 2010-01-05T10:29:32.323-06:00 server-db-01 syslog-ng 29213 - [meta sequenceId="2733718"] debug Incoming log entry; line=

 

A normal log message then follows the '=' sign. 

 

A decent percentage of my messages are preceeded by this throughout the day, but just before the disconnect it appears that all of my messages from server-db-01 are preceeded by the debug line.  Any ideas as to what could be going on?  I have included my config file below if that helps.

 

Any assistance would be greatly appreciated.

-Jim

 

@version: 3.0

#Default configuration file for syslog-ng.

#

# For a description of syslog-ng configuration file directives, please read

# the syslog-ng Administrator's guide at:

#

# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html

#

options {

keep_hostname(yes);

keep_timestamp(yes);

frac_digits(3);

};

source all {

internal();

syslog(ip("192.168.27.198") port(20514) transport("tcp") log_fetch_limit(100));

};

destination allclientsfile {

file("/data/local/Logs/server-$YEAR-$MONTH-$DAY.log"

flags(syslog-protocol)

flush_timeout(100)

create_dirs(yes)

dir_owner(jpirman)

dir_group(jpirman)

owner(jpirman)

group(jpirman)

template("$PRIORITY $MESSAGE")

);

};

destination msgserver {

udp("127.0.0.1" port(20515)

flush_timeout(100) 

template("$ISODATE $PROGRAM $PRIORITY $MESSAGE\n"));

};

log { source(all); destination(allclientsfile); destination(msgserver);};

 

 
 		 	   		  
_________________________________________________________________
Hotmail: Powerful Free email with security by Microsoft.
http://clk.atdmt.com/GBL/go/171222986/direct/01/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100105/1e60e8b6/attachment.htm

More information about the syslog-ng mailing list