[syslog-ng] High volume of syslog message getting dropped

Balazs Scheidler bazsi at balabit.hu
Sat Mar 31 20:46:48 CEST 2012


On Mon, 2012-03-19 at 17:22 -0400, Samuel Petreski wrote:
> I'm running syslog-ng 3.3.4 on FreeBSD 8.2, but am getting choppy logging
> from syslog-ng. I'm continually (every minute or so) getting the following
> messages from syslog-ng,
> 
> Mar 19 17:09:24 system syslog-ng[47183]: Syslog connection accepted;
> fd='51', client='AF_INET(10.33.11.249:24813)', local='AF_INET(0.0.0.0:1470)'
> Mar 19 17:09:25 system syslog-ng[47183]: Syslog connection closed; fd='51',
> client='AF_INET(10.33.11.249:24813)', local='AF_INET(0.0.0.0:1470)'
> Mar 19 17:09:46 system syslog-ng[47183]: Syslog connection accepted;
> fd='25', client='AF_INET(10.166.166.234:50240)',
> local='AF_INET(0.0.0.0:1470)'
> Mar 19 17:09:47 system syslog-ng[47183]: Syslog connection closed; fd='25',
> client='AF_INET(10.166.166.234:50240)', local='AF_INET(0.0.0.0:1470)'
> 
> Most of my hosts sending their logs to syslog-ng are Cisco ASAs and they are
> configured to send their logs securely. Also these devices send syslog
> messages at a very high rate (a few of the devices generate logs in excess of
> 10GB/day).
> 
> My relevant syslog-ng parameters are as follows,
> 
> ****************
> #global options
> options { chain_hostnames(off); keep_hostname(yes); use_fqdn(off);
> flush_lines(0); stats_freq(360); threaded(yes);
>         dns_cache(2000); dns_cache_expire(87600); flush_lines(10000000);
> flush_timeout(6000); };
> 
> #destination, source and logging
> destination d_cisco_devices { file("/data/log/$HOST-$YEAR$MONTH$DAY.log"
> perm(0400)); };
> 
> source tls_clients {
>         tcp(ip(0.0.0.0) port(1470) max-connections(300)
>         log_iw_size(300000000) log_fetch_limit(2000000)
>         tls( key_file("/etc/syslog-ng.key")
>         cert_file("/etc/syslog-ng.crt")
>         peer_verify(optional-untrusted)) );
> };
> 
> log { source(tls_clients); destination(d_cisco_devices);
> flags(flow-control); };
> 
> ****************
> 
> I've read through the manual and have tried to increase the flush_line,
> log_fetch_limit, log_iw_size parameters but have not been able to fine tune
> its operation. Most of my recorded syslog messages are for about a few
> seconds, and then they start again the next minute.
> 
> Any help or pointers anyone can provide would be greatly appreciated.
> 

The log messages above indicate that for some reason the syslog
connections break right after being established. This doesn't seem ok.

A quick check on the code seems to indicate that the router is dropping
the connection. Can you confirm that using tcpdump?

If the connection itself is closed, no wonder that messages get lost.


-- 
Bazsi
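As an added example, not part of the thread, here is a small script that pairs the "Syslog connection accepted" and "Syslog connection closed" lines of the kind quoted above and counts, per client, the connections that closed within a few seconds of being accepted, so the reconnect pattern Bazsi points at can be confirmed from the syslog-ng log itself before reaching for tcpdump. The sample lines and the year used for timestamp parsing are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the thread (not real data).
SAMPLE_LOG = """\
Mar 19 17:09:24 system syslog-ng[47183]: Syslog connection accepted; fd='51', client='AF_INET(10.33.11.249:24813)', local='AF_INET(0.0.0.0:1470)'
Mar 19 17:09:25 system syslog-ng[47183]: Syslog connection closed; fd='51', client='AF_INET(10.33.11.249:24813)', local='AF_INET(0.0.0.0:1470)'
Mar 19 17:09:46 system syslog-ng[47183]: Syslog connection accepted; fd='25', client='AF_INET(10.166.166.234:50240)', local='AF_INET(0.0.0.0:1470)'
Mar 19 17:09:47 system syslog-ng[47183]: Syslog connection closed; fd='25', client='AF_INET(10.166.166.234:50240)', local='AF_INET(0.0.0.0:1470)'
Mar 19 17:10:02 system syslog-ng[47183]: Syslog connection accepted; fd='25', client='AF_INET(10.0.0.7:40001)', local='AF_INET(0.0.0.0:1470)'
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ syslog-ng\[\d+\]: "
    r"Syslog connection (?P<event>accepted|closed); fd='(?P<fd>\d+)', "
    r"client='AF_INET\((?P<ip>[\d.]+):(?P<port>\d+)\)'"
)


def connection_lifetimes(text):
    """Pair each 'accepted' line with its 'closed' line and return
    [(client_ip, seconds_open), ...] for the connections that closed.
    Connections are keyed by (fd, ip, port) because fds get reused."""
    opened = {}
    lifetimes = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed (assumed) year is enough for deltas.
        ts = datetime.strptime("2012 " + m["ts"], "%Y %b %d %H:%M:%S")
        key = (m["fd"], m["ip"], m["port"])
        if m["event"] == "accepted":
            opened[key] = ts
        elif key in opened:
            lifetimes.append((m["ip"], (ts - opened.pop(key)).total_seconds()))
    return lifetimes


def short_lived_clients(text, max_seconds=5):
    """Count, per client IP, the connections that lasted at most max_seconds.
    A sender that reconnects every minute and is cut off at once shows up here."""
    return Counter(ip for ip, secs in connection_lifetimes(text) if secs <= max_seconds)


if __name__ == "__main__":
    for ip, n in short_lived_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} connection(s) closed within 5s of being accepted")
```

A connection still open at the end of the log (the last sample line) is deliberately not counted, since no lifetime is known for it yet.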