[syslog-ng] Broken TCP connection

James Pirman jim_pirman at hotmail.com
Thu Jan 14 19:00:31 CET 2010 

Unfortunately I no longer have the tcpdump since we only keep them for 2 or 3 days.  Ever since I increased the parameters the problem has stopped happening.  I will have to recreate this again in the test environment to get a new tcpdump.  However, because increasing the size stopped the problem, I do not think it is a problem with EOF.  

 

 
> From: bazsi at balabit.hu
> To: syslog-ng at lists.balabit.hu
> Date: Thu, 14 Jan 2010 10:12:40 +0100
> Subject: Re: [syslog-ng] Broken TCP connection
> 
> On Mon, 2010-01-11 at 14:49 -0600, James Pirman wrote:
> > pzolee,
> > 
> > The client happens to be a custom application, so I don't have a
> > client config, and flow control doesn't really apply on the client
> > side. I was able to setup a test environment and recreated the
> > problem. The message immediately before the disconnect message is the
> > following:
> > 
> > <47>1 2010-01-11T14:36:40.239-06:00 server-04 syslog-ng 30082 - [meta
> > sequenceId="122761"] debug Destination queue full, dropping message;
> > queue_len='1000', mem_fifo_size='1000'
> > 
> > I am guessing if I don't have flow control on the client side that I
> > need to play with the numbers to ensure that none of the buffers ever
> > get filled up. Is this correct?
> 
> That message alone should not cause syslog-ng to initiate a disconnect.
> Do you have TLS enabled?
> 
> The only reasons syslog-ng disconnects are:
> * either some kind of protocol format issue
> * or an EOF on the client side
> 
> Protocol errors are logged. The exact reasons with messages follow:
> 
> msg_error("Error reading frame header",
> evt_tag_int("fd", self->super.transport->fd),
> evt_tag_errno("error", errno),
> NULL);
> 
> msg_error("Invalid frame header", 
> evt_tag_printf("header", "%.*s", (gint) (i - self->buffer_pos), &self->buffer[self->buffer_pos]),
> NULL);
> 
> msg_error("Incoming frame larger than log_msg_size()",
> evt_tag_int("log_msg_size", self->buffer_size - LPFS_FRAME_BUFFER),
> evt_tag_int("frame_length", self->frame_len),
> NULL);
> 
> As I see with the syslog() protocol, EOFs are not logged, only with 
> the traditional protocol. I've added this log message with this patch
> to OSE 3.1, but you should be able to apply it to 3.0 as well.
> 
> commit bbc248bc8a577a299036d2ab6898d72f657fc7a0
> Author: Balazs Scheidler <bazsi at balabit.hu>
> Date: Thu Jan 14 10:11:33 2010 +0100
> 
> logproto: added log message about EOF in the new style syslog protocol handler
> 
> Are you sure that it wasn't the client which sent a FIN packet in 
> the first place? Can you show at least the end of tcpdump -rn <pcap file>?
> 
> -- 
> Bazsi
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.campin.net/syslog-ng/faq.html
> 
 		 	   		  
_________________________________________________________________
Your E-mail and More On-the-Go. Get Windows Live Hotmail Free.
http://clk.atdmt.com/GBL/go/196390709/direct/01/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20100114/25512747/attachment.htm

More information about the syslog-ng mailing list