[syslog-ng] Syslog-ng 3.2 connection timeout with firewall

André Larose andre.larose at telus.com
Tue Jan 3 23:46:06 CET 2012


Hi,

I have two syslog-ng 3.2 instances, one client and one server.  The two are separated by a firewall and a load balancer. I noticed that after a period of inactivity I was no longer able to receive logs from my client, so I ran tcpdump on both servers to check the traffic.  From what I see, the firewall closes the connection after some idle time, so when the client next sends traffic it gets dropped.

I added keep-alive(yes), so_keepalive(yes) and mark_freq(60) to the configs, but I still do not see any keepalive packets with tcpdump.

Am I missing other parameters needed to have "keepalive" traffic sent?

Thank you in advance.


#############################################################################
#
# Configuration file syslog-ng.conf.client
#
@version: 3.2
@include "scl.conf"

# add global settings
# Global settings for the client instance.
options {
        # Disable DNS lookups to save processing time
        use_dns(no);
        # Flush output after every line instead of batching.
        flush_lines(1);
        flush_timeout(500);
        # Interval for MARK messages. NOTE(review): MARK messages are
        # generated inside syslog-ng; they only put traffic on the wire if a
        # log path routes them to d_TCP. The log statements are not shown
        # here, so confirm that before relying on MARK to keep the firewall
        # session alive.
        mark(59);
};

# Plain-TCP listener on port 555 (no TLS). No ip() is given, so the bind
# address is the syslog-ng default.
# NOTE(review): this is presumably all interfaces; confirm, and restrict with
# ip() or host firewall rules if only known senders should connect.
source s_TCP {
        # flags(no-parse): received lines are not parsed as syslog messages;
        # the whole line is kept as the message text.
        tcp( port(555)
             flags(no-parse)
           );
};

# syslog-ng's own internal messages. Errors about the connection to the
# remote server are reported through this source, so it is the place to look
# (or alert on) when forwarding stalls.
source s_syslogng {
        internal();
};

# Local file whose name is built from the $YEAR$MONTH$DAY macros, i.e. one
# file per day. Presumably fed by s_syslogng; the log statements are not shown.
destination d_syslogng {
        file("/opt/syslog-ng/logs/$YEAR$MONTH$DAY.syslog-ng.log");
};

# Forwarding destination: plain TCP to server1 port 556. There is no TLS, so
# messages cross the firewall and load balancer in cleartext.
destination d_TCP {
        # NOTE(review): keep-alive(yes) is not a TCP keepalive. In syslog-ng
        # it controls whether the connection is kept open across a reload,
        # so it sends nothing on an idle link.
        #
        # so_keepalive(yes) sets SO_KEEPALIVE on the socket. Probe timing
        # then comes from the operating system, not from this file. On Linux
        # the default idle time before the first probe is 7200 s
        # (net.ipv4.tcp_keepalive_time), which is typically longer than a
        # firewall idle timeout and would explain why tcpdump shows no
        # probes. Confirm the OS and its current setting.
        #
        # log_fifo_size(4096) bounds the output queue in messages; if the
        # connection stays down long enough to fill it, further messages are
        # dropped. After a silent firewall drop the client may not notice
        # the dead session immediately, so watch syslog-ng's internal
        # messages for connection errors and dropped-message statistics.
        #
        # template("$MSG\n") forwards only the message text, one per line.
        tcp ( "server1" port(556)
        keep-alive(yes)
        so_keepalive(yes)
        flags(no_multi_line)
        flush_lines(1)
        flush_timeout(500)
        log_fifo_size(4096)
        template("$MSG\n")
        template_escape(no)
        );
};
....

#############################################################################
#
# Configuration file syslog-ng.conf.server
#
@version: 3.2
@include "scl.conf"

# add global settings
# Global settings for the server instance (same values as the client file).
options {
        # Disable DNS lookups to save processing time
        use_dns(no);
        # Flush output after every line instead of batching.
        flush_lines(1);
        flush_timeout(500);
        # Interval for MARK messages. NOTE(review): MARK messages generated
        # on the server do not travel back to the client, so this setting
        # alone is unlikely to keep the client-to-server firewall session
        # active; confirm against the log paths, which are not shown.
        mark(59);
};

# Plain-TCP listener on port 555 (no TLS), raw lines (no-parse), at most 200
# simultaneous connections, no reverse DNS on peers.
# NOTE(review): unlike s_TCP_556 this listener does not set so_keepalive(yes).
# Sessions that a firewall drops silently may therefore linger and keep
# counting against max-connections(200); confirm whether that is intended.
source s_TCP_555 {
        tcp( port(555)
             flags(no-parse)
             max-connections(200)
             use_dns(no)
           );
};

# Plain-TCP listener on port 556 (no TLS); this is the port the client's
# d_TCP destination connects to. Lines are kept raw (no-parse), no reverse DNS.
# so_keepalive(yes) sets SO_KEEPALIVE on accepted sockets; when probes are
# actually sent is decided by the operating system's keepalive timers, not by
# this file. NOTE(review): check those timers against the firewall idle timeout.
source s_TCP_556 {
        tcp( port(556)
             flags(no-parse)
             so_keepalive(yes)
             use_dns(no)
        );
};

# syslog-ng's own internal messages on the server (startup, connection and
# error reports from the daemon itself).
source s_syslogng {
        internal();
};

# Local file whose name is built from the $YEAR$MONTH$DAY macros, i.e. one
# file per day. Presumably fed by s_syslogng; the log statements are not shown.
destination d_syslogng {
        file("/opt/syslog-ng/logs/$YEAR$MONTH$DAY.syslog-ng.log");
};

# Daily file for received messages; queue bounded at 8192 messages.
# template("$MSG\n") writes only the message text. With flags(no-parse) on
# the TCP sources that is the raw line as sent, so the file records neither
# the server's receive time nor the sending peer's address.
# NOTE(review): if these logs are used for investigation, consider whether the
# receive time and source host should be written as well. Which sources feed
# this destination is not shown here.
destination d_local {
        file("/opt2/syslog-ng/logs/$YEAR$MONTH$DAY.TNT.Messages.log"
        log_fifo_size(8192)
        template("$MSG\n")
        template_escape(no)
        );
};
...