[syslog-ng] Syslog-ng 3.2 connection timeout with firewall

André Larose andre.larose at telus.com
Tue Jan 10 14:57:07 CET 2012 

Hi,

I found the timeout issue.  It turns out that the keep_alive is not generated by Syslog-NG but by the OS.

I adjusted the following values:
tcp_keepalive_time
tcp_keepalive_intvl
tcp_keepalive_probes

First in the live Kernel with the command :
sysctl -w  net.ipv4.tcp_keepalive_time=180 net.ipv4.tcp_keepalive_intvl=180 net.ipv4.tcp_keepalive_probes=9

Then I made it permanent with adding to /etc/sysctl.conf:
cat >>/etc/sysctl.conf <<EOF

#
# Keepalive parameters for the syslog-ng
#
net.ipv4.tcp_keepalive_time = 180
net.ipv4.tcp_keepalive_intvl = 180
net.ipv4.tcp_keepalive_probes = 9

EOF

You can verify your work is done with the following command:
sysctl  net.ipv4.tcp_keepalive_time net.ipv4.tcp_keepalive_intvl net.ipv4.tcp_keepalive_probes

net.ipv4.tcp_keepalive_time = 180
net.ipv4.tcp_keepalive_intvl = 180
net.ipv4.tcp_keepalive_probes = 9

I found the information from this URL: http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/usingkeepalive.html

Maybe it could be mentioned in the documentation that the so_keep-alive  option can be tweaked at the kernel level.


Regards,



------------------------------



Message: 8

Date: Tue, 3 Jan 2012 17:46:06 -0500

From: Andr? Larose <andre.larose at telus.com<mailto:andre.larose at telus.com>>

Subject: [syslog-ng] Syslog-ng 3.2 connection timeout with firewall

To: "syslog-ng at lists.balabit.hu<mailto:syslog-ng at lists.balabit.hu>" <syslog-ng at lists.balabit.hu<mailto:syslog-ng at lists.balabit.hu>>

Message-ID:

      <BDB004F99074254BBCEE3AB94F31FDF5435439F706 at WP40066.corp.ads<mailto:BDB004F99074254BBCEE3AB94F31FDF5435439F706 at WP40066.corp.ads>>

Content-Type: text/plain; charset="iso-8859-1"



Hi,



I have two syslog-ng 3.2, one client and one server.  The two are separated by a firewall and a load balancer. I noticed that after some inactivity I was not able to receive logs from my client. So I started some tcpdump on both servers to check the traffic.  From what I see the firewall will close the connection after some time, so when the client sends traffic it gets dropped.



I added the keep-alive(yes) and so_keep-alive(yes) and the mark_freq(60) to the configs. But I still do not see keepalive packets with tcpdump.



Am I missing other parameters to have "keepalive" traffic sent ?



Thank you in advance.





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/syslog-ng/attachments/20120110/dd16cef0/attachment.htm

More information about the syslog-ng mailing list