[syslog-ng] Syslog-ng returning a TCP Reset

Fekete Robert frobert at balabit.hu
Fri Mar 18 09:02:24 CET 2011


Hi Andy,

Thank you for the detailed report.
This seems to be a syslog-ng bug; we'll try to reproduce the problem internally
and correct it. We'll keep you posted.

Regards,

Robert

On 03/17/2011 05:17 PM, Andy Ruch wrote:

> Hello,
>
> I was evaluating syslog-ng and have come across a strange problem. When
> connecting to syslog-ng using the 'syslog' source, syslog-ng will return a TCP
> Reset at random intervals. The interesting thing about this error is it only
> seems to appear when the message length varies between logs. After some
> experimenting, I was able to reproduce the error using loggen to send logs from
> a file. However, when loggen generates its own fixed length messages, syslog-ng
> will receive everything properly.
>
> I'm concerned about the reliability of syslog-ng. I don’t want it to close the
> connection if it gets overloaded. I know that I can add some options to improve
> performance, but that seems like a patch and not a fix. I would think syslog-ng
> would utilize TCP flow control to prevent the sender from sending too fast.
>
> Am I doing something wrong? Does this look like a bug or have I just reached the
> max performance of syslog-ng? Any help is appreciated.
>
> Below I’ve included some information about the commands that I was running as
> well as my system setup.
>
> Thanks,
> Andy
>
>
>
> ***** Details *****
>
>   - Two machine setup (one sender and one receiver)
>   - Receiver is using an evaluation copy of Syslog-PE-4.0.1a (but I first saw
> this issue using open source version 3.2.2 )
>   - CentOS 5.5
>
> ***** Send Command *****
>
> This is the console output that I receive from loggen. As you can see, the
> failure did not happen every time. In this particular case, it was the second
> execution that failed. I normally just run it back to back until it fails.
>
> $ ./loggen -P -r 40000 -R /tmp/syslog_10-40 10.64.27.38 6514
> average rate = 16503.22 msg/sec, count=50000, time=3.297, (last) msg size=112, bandwidth=1627.75 kB/sec
> $ ./loggen -P -r 40000 -R /tmp/syslog_10-40 10.64.27.38 6514
> Send error Connection reset by peer5 msg/sec
> average rate = 15483.69 msg/sec, count=15435, time=0.9968, (last) msg size=114, bandwidth=1527.27 kB/sec
>
> ***** Send File *****
>
> The following pattern was put into a file and repeated for a total of 50,000
> lines. I tried to attach the complete file but it was too large for this mailing
> list.
>
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Mar 16 10:35:28 guinness syslog-tester[proc-1234]: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
>
>
> ***** Syslog-ng.conf *****
>
> @version: 4.0
>
> options {
> };
>
> ######
> # sources
> source s_local {
>      # message generated by Syslog-NG
>      internal();
>      # standard Linux log source (this is the default place for the syslog()
>      # function to send logs to)
>      unix-stream("/dev/log");
>      # messages from the kernel
>      file("/proc/kmsg" program_override("kernel"));
> };
>
> source s_net {
>      syslog( ip(0.0.0.0) transport("tcp") port(6514) );
> };
>
> ######
> # destinations
> destination d_messages { file("/var/log/messages"); };
>
> destination d_tmp_file { file("/tmp/log_messages"); };
>
> ######
> # paths
> log {
>      source(s_local);
>      destination(d_messages);
> };
>
> log {
>      source(s_net);
>      destination(d_tmp_file);
>      flags(flow-control);
> };
>
>
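
Added example (not part of the original thread): the report says the send file was too large to attach, so this script regenerates it from the quoted sample. The 10 to 40 character payload range is an assumption read off the sample lines and the file name /tmp/syslog_10-40; the function names gen_pattern and length_histogram are made up for this example.

```shell
#!/bin/sh
# Rebuild the variable-length test file described in the report.
# HEADER is copied from the quoted sample; the 10..40 payload range is an
# assumption taken from the sample lines and the file name syslog_10-40.
HEADER='Mar 16 10:35:28 guinness syslog-tester[proc-1234]: '

# gen_pattern TOTAL [MIN] [MAX]
# Print TOTAL log lines. The payload of 'x' characters grows by one per line
# from MIN to MAX, then wraps back to MIN, as in the quoted sample.
gen_pattern() {
    awk -v total="$1" -v min="${2:-10}" -v max="${3:-40}" -v hdr="$HEADER" '
    BEGIN {
        if (total < 0 || min < 1 || max < min) exit 2
        payload = ""
        for (i = 0; i < min; i++) payload = payload "x"
        len = min
        for (n = 0; n < total; n++) {
            print hdr payload
            if (len == max) { payload = substr(payload, 1, min); len = min }
            else            { payload = payload "x"; len++ }
        }
    }'
}

# length_histogram
# Read log lines on stdin and print "<line length> <count>", sorted by length.
# Confirms that the file really mixes message sizes before it is sent.
length_histogram() {
    awk '{ c[length($0)]++ } END { for (l in c) print l, c[l] }' | sort -n
}

# When a path is given, write the 50,000-line file there, e.g.:
#   sh gen_pattern.sh /tmp/syslog_10-40
if [ -n "${1:-}" ]; then
    gen_pattern 50000 > "$1"
    length_histogram < "$1"
fi
```

The resulting file can be passed to loggen with -R as in the send command quoted above.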


