[syslog-ng] Syslog-ng 3.2 connection timeout with firewall
Balazs Scheidler
bazsi at balabit.hu
Mon Jan 16 21:48:06 CET 2012
On Tue, 2012-01-03 at 17:46 -0500, André Larose wrote:
> Hi,
>
> I have two syslog-ng 3.2, one client and one server. The two are
> separated by a firewall and a load balancer. I noticed that after some
> inactivity I was not able to receive logs from my client. So I started
> some tcpdump on both servers to check the traffic. From what I see
> the firewall will close the connection after some time, so when the
> client sends traffic it gets dropped.
>
> I added the keep-alive(yes) and so_keep-alive(yes) and the
> mark_freq(60) to the configs. But I still do not see keepalive packets
> with tcpdump.
keep-alive(yes) is irrelevant, should probably be removed as an option,
it only directs syslog-ng to keep the connection open (or not) across a
reload.
so-keep-alive(yes) should enable TCP keepalive packets, the interval
these are sent is controlled by your host OS. See tcp(7) manual page for
more information.
mark-freq(59) should have generated a MARK message every 59 seconds.
Can't you see that these messages are generated?
>
I've just tried and it worked with my 3.2 tree. What is your exact
version number within 3.2?
>
> Am I missing other parameters to have “keepalive” traffic sent?
>
> Thank you in advance.
>
> #############################################################################
> #
> # Configuration file syslog-ng.conf.client
> #
> @version: 3.2
> @include "scl.conf"
>
> # add global settings
> options {
>     # Disable DNS usage to gain the process time
>     use_dns(no);
>     flush_lines(1);
>     flush_timeout(500);
>     mark(59);
> };
>
> source s_TCP {
>     tcp( port(555)
>         flags(no-parse)
>     );
> };
>
> source s_syslogng {
>     internal();
> };
>
> destination d_syslogng {
>     file("/opt/syslog-ng/logs/$YEAR$MONTH$DAY.syslog-ng.log");
> };
>
> destination d_TCP {
>     tcp ( "server1" port(556)
>         keep-alive(yes)
>         so_keepalive(yes)
>         flags(no_multi_line)
>         flush_lines(1)
>         flush_timeout(500)
>         log_fifo_size(4096)
>         template("$MSG\n")
>         template_escape(no)
>     );
> };
>
> ….
>
> #############################################################################
> #
> # Configuration file syslog-ng.conf.server
> #
> @version: 3.2
> @include "scl.conf"
>
> # add global settings
> options {
>     # Disable DNS usage to gain the process time
>     use_dns(no);
>     flush_lines(1);
>     flush_timeout(500);
>     mark(59);
> };
>
> source s_TCP_555 {
>     tcp( port(555)
>         flags(no-parse)
>         max-connections(200)
>         use_dns(no)
>     );
> };
>
> source s_TCP_556 {
>     tcp( port(556)
>         flags(no-parse)
>         so_keepalive(yes)
>         use_dns(no)
>     );
> };
>
> source s_syslogng {
>     internal();
> };
>
> destination d_syslogng {
>     file("/opt/syslog-ng/logs/$YEAR$MONTH$DAY.syslog-ng.log");
> };
>
> destination d_local {
>     file("/opt2/syslog-ng/logs/$YEAR$MONTH$DAY.TNT.Messages.log"
>         log_fifo_size(8192)
>         template("$MSG\n")
>         template_escape(no)
>     );
> };
>
> …
>
--
Bazsi
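
Added example (not part of the original thread): a check of the host's TCP keepalive timers, which tcp(7) documents under /proc/sys/net/ipv4, against a firewall idle timeout. The function name `keepalive_check` and the timeout you pass in are assumptions; the firewall's real idle timeout has to come from its own configuration.

```shell
#!/bin/sh
# Added example, not from the thread. so_keepalive(yes) only turns keepalive
# on for the socket; when the first probe is sent is decided by these sysctls.

# keepalive_check FW_IDLE_SECONDS [SYSCTL_DIR]
#   FW_IDLE_SECONDS  idle timeout of the firewall in the path (assumed input)
#   SYSCTL_DIR       where to read the timers, default /proc/sys/net/ipv4
# Prints one verdict line. Returns 0 if the first probe is sent before the
# firewall timeout, 1 if it would be sent too late, 2 on bad input.
keepalive_check() {
    fw_idle=$1
    dir=${2:-/proc/sys/net/ipv4}

    case $fw_idle in
        ''|*[!0-9]*) echo "ERROR idle timeout must be a number of seconds"; return 2 ;;
    esac
    for f in tcp_keepalive_time tcp_keepalive_intvl tcp_keepalive_probes; do
        [ -r "$dir/$f" ] || { echo "ERROR cannot read $dir/$f"; return 2; }
    done

    ka_time=$(cat "$dir/tcp_keepalive_time")      # idle seconds before first probe
    ka_intvl=$(cat "$dir/tcp_keepalive_intvl")    # seconds between probes
    ka_probes=$(cat "$dir/tcp_keepalive_probes")  # unanswered probes before reset

    # Time until a silently dropped connection is noticed by the sender.
    dead_after=$((ka_time + ka_intvl * ka_probes))

    if [ "$ka_time" -lt "$fw_idle" ]; then
        echo "OK first_probe=${ka_time}s dead_peer_detect=${dead_after}s"
        return 0
    fi
    echo "TOO_LATE first_probe=${ka_time}s fw_idle=${fw_idle}s dead_peer_detect=${dead_after}s"
    return 1
}
```

A `TOO_LATE` verdict means the firewall can expire the idle session before the kernel sends any probe, so no keepalive packets appear in tcpdump during that window.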