[syslog-ng] Broken TCP connection

James Pirman jim_pirman at hotmail.com
Thu Jan 7 15:42:08 CET 2010


Is there anyone that can help with this?  Is there any more information that I need to provide in order for me to get help? I've been dealing with this for weeks and am starting to think the only solution is to write my own server.
 


From: jim_pirman at hotmail.com
To: syslog-ng at lists.balabit.hu
Date: Tue, 5 Jan 2010 11:22:36 -0600
Subject: [syslog-ng] Broken TCP connection



I am currently having an issue with syslog-ng 3.0.4 where my TCP connection between my client and server is lost throughout the day.  By looking at the pcap file from tcpdump I can tell that the TCP connection reset was initiated by the syslog-ng server.  The only information that was initially in the log file regarding this disconnection was the following 2 lines:
 
<45>1 2010-01-05T10:29:32.323-06:00 server-db-01 syslog-ng 29213 - [meta sequenceId="2733719"] notice Syslog connection closed; fd='9', client='AF_INET(192.168.27.218:46326)', local='AF_INET(192.168.27.198:20514)'
 
and 
 
<46>1 2010-01-05T10:29:32.323-06:00 server-db-01 syslog-ng 29213 - [meta sequenceId="2733720"] info Closing log transport fd; fd='9'
 
 
In order to get more information, I set the following flags in init.d: "-v -d -t".
 
This did not give me any more information about the TCP disconnect, however I did notice that a lot of my normal messages were preceded by the following text:
 
<47>1 2010-01-05T10:29:32.323-06:00 server-db-01 syslog-ng 29213 - [meta sequenceId="2733718"] debug Incoming log entry; line=
 
A normal log message then follows the '=' sign. 
 
A decent percentage of my messages are preceded by this throughout the day, but just before the disconnect it appears that all of my messages from server-db-01 are preceded by the debug line.  Any ideas as to what could be going on?  I have included my config file below if that helps.
 
Any assistance would be greatly appreciated.
-Jim
 
@version: 3.0
#Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#
options {
    keep_hostname(yes);
    keep_timestamp(yes);
    frac_digits(3);
};
source all {
    internal();
    syslog(ip("192.168.27.198") port(20514) transport("tcp") log_fetch_limit(100));
};
destination allclientsfile {
    file("/data/local/Logs/server-$YEAR-$MONTH-$DAY.log"
        flags(syslog-protocol)
        flush_timeout(100)
        create_dirs(yes)
        dir_owner(jpirman)
        dir_group(jpirman)
        owner(jpirman)
        group(jpirman)
        template("$PRIORITY $MESSAGE")
    );
};
destination msgserver {
    udp("127.0.0.1" port(20515)
        flush_timeout(100)
        template("$ISODATE $PROGRAM $PRIORITY $MESSAGE\n"));
};
log { source(all); destination(allclientsfile); destination(msgserver); };
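
An added example, not part of the original post and not syslog-ng code: a small Python parser for the internal messages quoted above that lists each "Syslog connection closed" event with its client, fd, and the number of "Incoming log entry" debug lines seen before it, so disconnects can be lined up against a tcpdump capture by timestamp. The function names, the payload after "line=" and the final sample line are assumptions made for the example.

```python
import re

# Internal syslog-ng messages in the format quoted in the post. The payload after
# "line=" and the last (non-matching) line are constructed for this example.
SAMPLE = """\
<47>1 2010-01-05T10:29:32.323-06:00 server-db-01 syslog-ng 29213 - [meta sequenceId="2733718"] debug Incoming log entry; line='constructed application message'
<45>1 2010-01-05T10:29:32.323-06:00 server-db-01 syslog-ng 29213 - [meta sequenceId="2733719"] notice Syslog connection closed; fd='9', client='AF_INET(192.168.27.218:46326)', local='AF_INET(192.168.27.198:20514)'
<46>1 2010-01-05T10:29:32.323-06:00 server-db-01 syslog-ng 29213 - [meta sequenceId="2733720"] info Closing log transport fd; fd='9'
constructed line that is not a syslog-ng internal message
""".splitlines()

HEADER = re.compile(
    r'<\d+>1 (?P<ts>\S+) (?P<host>\S+) syslog-ng \d+ - '
    r'\[meta sequenceId="(?P<seq>\d+)"\] (?P<level>\w+) (?P<event>[^;]+);(?P<rest>.*)')
KV = re.compile(r"(\w+)='([^']*)'")

def parse(line):
    """Split one internal message into header fields and key='value' pairs."""
    m = HEADER.match(line)
    if m is None:
        return None  # not a syslog-ng internal message in this layout
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    rec["fields"] = dict(KV.findall(rec.pop("rest")))
    return rec

def disconnects(lines):
    """Return one record per 'Syslog connection closed' event, in log order."""
    events, debug_run = [], 0
    for rec in filter(None, map(parse, lines)):
        if rec["event"] == "Incoming log entry":
            debug_run += 1  # debug lines seen since the previous close
        elif rec["event"] == "Syslog connection closed":
            f = rec["fields"]
            events.append({"ts": rec["ts"], "seq": rec["seq"], "fd": f.get("fd"),
                           "client": f.get("client"), "local": f.get("local"),
                           "debug_before": debug_run, "transport_closed": False})
            debug_run = 0
        elif rec["event"] == "Closing log transport fd":
            for ev in reversed(events):  # pair with the latest open close on that fd
                if ev["fd"] == rec["fields"].get("fd") and not ev["transport_closed"]:
                    ev["transport_closed"] = True
                    break
    return events

if __name__ == "__main__":
    for ev in disconnects(SAMPLE):
        print(ev)
```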
 
 


