[syslog-ng] Broken TCP connection
Balazs Scheidler
bazsi at balabit.hu
Thu Jan 14 10:12:40 CET 2010
On Mon, 2010-01-11 at 14:49 -0600, James Pirman wrote:
> pzolee,
>
> The client happens to be a custom application, so I don't have a
> client config, and flow control doesn't really apply on the client
> side. I was able to set up a test environment and recreated the
> problem. The message immediately before the disconnect message is the
> following:
>
> <47>1 2010-01-11T14:36:40.239-06:00 server-04 syslog-ng 30082 - [meta
> sequenceId="122761"] debug Destination queue full, dropping message;
> queue_len='1000', mem_fifo_size='1000'
>
> I am guessing if I don't have flow control on the client side that I
> need to play with the numbers to ensure that none of the buffers ever
> get filled up. Is this correct?

That message alone should not cause syslog-ng to initiate a disconnect.
Do you have TLS enabled?

The only reasons syslog-ng disconnects are:

  * either some kind of protocol format issue
  * or an EOF on the client side

Protocol errors are logged. The exact reasons with messages follow:

    msg_error("Error reading frame header",
              evt_tag_int("fd", self->super.transport->fd),
              evt_tag_errno("error", errno),
              NULL);

    msg_error("Invalid frame header",
              evt_tag_printf("header", "%.*s", (gint) (i - self->buffer_pos), &self->buffer[self->buffer_pos]),
              NULL);

    msg_error("Incoming frame larger than log_msg_size()",
              evt_tag_int("log_msg_size", self->buffer_size - LPFS_FRAME_BUFFER),
              evt_tag_int("frame_length", self->frame_len),
              NULL);

As I see with the syslog() protocol, EOFs are not logged, only with
the traditional protocol. I've added this log message with this patch
to OSE 3.1, but you should be able to apply it to 3.0 as well.

commit bbc248bc8a577a299036d2ab6898d72f657fc7a0
Author: Balazs Scheidler <bazsi at balabit.hu>
Date:   Thu Jan 14 10:11:33 2010 +0100

    logproto: added log message about EOF in the new style syslog protocol handler

Are you sure that it wasn't the client which sent a FIN packet in
the first place? Can you show at least the end of tcpdump -rn <pcap file>?

--
Bazsi
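
Added example (not part of the original message and not syslog-ng's own code): a small parser for octet-counted framing ("MSG-LEN SP MSG"), assumed here to be the framing the frame-header errors above refer to, that sorts a receive buffer into the disconnect reasons listed in the message. The names parse_frame, classify and MAX_HEADER_DIGITS, the 8192-byte limit and the sample inputs are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Outcomes mirror the disconnect reasons listed in the message above. */
enum frame_status { FRAME_OK, FRAME_NEED_MORE, FRAME_INVALID_HEADER,
                    FRAME_TOO_LARGE, FRAME_EOF };
#define MAX_HEADER_DIGITS 10            /* assumed cap on the length prefix */

/* Parse one "MSG-LEN SP MSG" frame from buf[0..len); eof means the peer has
 * closed. On FRAME_OK, msg/msg_len give the payload, consumed the bytes used. */
enum frame_status parse_frame(const char *buf, size_t len, int eof, size_t max_msg,
                              const char **msg, size_t *msg_len, size_t *consumed)
{
    size_t i = 0;
    unsigned long long n = 0;           /* 10 digits cannot overflow 64 bits */

    while (i < len && isdigit((unsigned char) buf[i])) {
        if (i >= MAX_HEADER_DIGITS)
            return FRAME_INVALID_HEADER;        /* length prefix too long */
        n = n * 10 + (unsigned long long) (buf[i++] - '0');
    }
    if (i == len)                               /* header incomplete (or empty) */
        return eof ? FRAME_EOF : FRAME_NEED_MORE;
    if (i == 0 || buf[i] != ' ')
        return FRAME_INVALID_HEADER;            /* e.g. an unframed "<47>1 ..." */
    if (n > max_msg)
        return FRAME_TOO_LARGE;                 /* reject before buffering payload */
    i++;                                        /* skip the separator */
    if (len - i < n)                            /* payload cut short */
        return eof ? FRAME_EOF : FRAME_NEED_MORE;
    *msg = buf + i;
    *msg_len = (size_t) n;
    *consumed = i + (size_t) n;
    return FRAME_OK;
}

/* Wrapper for NUL-terminated sample input with a constructed 8192-byte limit. */
enum frame_status classify(const char *s, int eof)
{
    const char *m; size_t ml, used;
    return parse_frame(s, strlen(s), eof, 8192, &m, &ml, &used);
}

int main(void)
{
    /* Constructed inputs: framed, unframed, oversized, truncated by EOF. */
    const char *in[] = { "5 hello", "<47>1 unframed", "9000 abc", "10 abc" };
    for (int k = 0; k < 4; k++)
        printf("%-16s -> %d\n", in[k], classify(in[k], k == 3));
    return 0;
}
```

Only the EOF outcome is silent on the wire from the server's point of view, which is why a log line for it (as the commit above adds) or a packet capture is needed to tell which side closed first.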