[syslog-ng] TCP Resets

Fried, Zoltán zoltan.fried at balabit.com
Fri Oct 2 14:10:13 CEST 2015


Hi,

I checked your config file and did not find the max-connections() option. Its
default value is 10.
Increase it to the number of concurrent TCP clients you expect. When the limit is
reached, syslog-ng accepts the connection and then closes it before reading any
data, which would explain the FIN you see before the first data packet; its
internal() messages should also record each rejected connection. This may help.

BR.
Zoli

On Mon, Sep 28, 2015 at 10:57 PM, Michael Starks <
syslog-ng-list at michaelstarks.com> wrote:

> I am running syslog-ng 3.4.7 as distributed by ELSA. I have a problem
> whereby nxlog agents (v2.9.1347) making a new TCP connection to the
> syslog-ng server repeatedly show lines like this in nxlog.log:
> 2015-09-28 14:28:25 INFO reconnecting in 1 seconds
>
> Many connections are working, but it especially has a problem with new
> agents coming online. Sometimes when I restart syslog-ng it helps, but
> not always.
>
> Other than the standard ELSA config, I am simply also writing to a
> filesystem destination. If I remove the elsa.pl destination, I still
> have problems.
>
> The problem isn't necessarily related to just nxlog agents. I also have
> a Cisco proxy that is using TCP to send logs, and that is also getting
> RSTs sent to it.
>
> I tried v3.6.3 and that didn't seem to help.
>
> A packet capture shows the SYN from the agent, a SYN ACK, another SYN,
> then a FIN *prior* to the data packet being received. Immediately after
> the data packet, the log server sends a RST. As a result, I have a bunch
> of TIME_WAITs open.
>
> No host firewall is running.
>
> I am currently only bursting to about 350 EPS and I have syslog-ng
> running in the foreground looking for dropped packets like so (there
> haven't been any): /usr/local/syslog-ng-3.4.7/sbin/syslog-ng -Ftvd 2>&1
> | grep "dropping messages"
>
> Any assistance would be greatly appreciated!
>
> Currently loaded syslog-ng.conf:
> # cat /usr/local/syslog-ng/etc/syslog-ng.conf
> @version: 3.2
>
>
>
> options {
>
>         log_fifo_size(30000);
>
>         #threaded(yes); # enable if using Syslog-NG 3.3.x
>
>         use_dns (no); # IMPORTANT! A busy syslog server can become
> unresponsive if DNS lookups fail, so we disable them.
>
>         use_fqdn (no);
>
>         keep_hostname (yes);
>
> };
>
>
>
> source s_network {
>
>         # no-multi-line means parse message as-is, newlines included, to
> allow for multi-line messages
>
>         tcp(flags(no-multi-line));
>
>         udp(flags(no-multi-line));
>
> };
>
>
>
> source s_internal {
>
>         internal();
>
> };
>
>
>
> source s_realtime {
>
>         pipe("/data/elsa/tmp/realtime" flags(expect-hostname));
>
> };
>
>
>
> source s_import {
>
>         pipe("/data/elsa/tmp/import" flags(expect-hostname
> syslog-protocol));
>
> };
>
>
>
> source s_ops {
>
>         unix-dgram("/data/elsa/tmp/ops" flags(expect-hostname
> syslog-protocol no-multi-line));
>
> };
>
>
>
> parser p_db {
>
>         db-parser(file("/usr/local/elsa/node/conf/merged.xml"));
>
> };
>
>
>
> filter f_rewrite_cisco_program { match('^(%[A-Z\_]+\-\d\-[0-9A-Z\_]+):
> ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches"
> "nobackref")); };
>
> filter f_rewrite_cisco_program_2 {
>
> match('^[\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?:
> [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre")
> flags("store-matches" "nobackref")); };
>
> filter f_rewrite_cisco_program_3 { match('^\d+[ywdh]\d+[ywdh]: (%[^:]+):
> ([^\n]+)' value("MSGONLY") type("pcre") flags("store-matches"
> "nobackref")); };
>
> filter f_rewrite_cisco_program_4 { match('^\d{6}:
>
> [\*\.]?(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}(?:\.\d+)?(?:
> [A-Z]{3})?: (%[^:]+): ([^\n]+)' value("MSGONLY") type("pcre")
> flags("store-matches" "nobackref")); };
>
>
>
> filter f_unclassified { "${.classifier.class}" eq "unknown" };
>
> rewrite r_unparsed { set("98", value("MSGID")); };
>
>
>
> rewrite r_cisco_program {
>
>         set("$1", value("PROGRAM")
> condition(filter(f_rewrite_cisco_program) or
> filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)
> or filter(f_rewrite_cisco_program_4)));
>
>         set("$2", value("MESSAGE")
> condition(filter(f_rewrite_cisco_program) or
> filter(f_rewrite_cisco_program_2) or filter(f_rewrite_cisco_program_3)
> or filter(f_rewrite_cisco_program_4)));
>
> };
>
>
>
> rewrite r_snare {
> subst("MSWinEventLog.+(Security|Application|System).+", "$1",
> value("PROGRAM") flags(global)); };
>
> # URL encode any literal pipes so the tab rewriter doesn't introduce
> ambiguity
>
> rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE") flags(global)
> condition(program("bro_*" type(glob)))); };
>
> #rewrite r_from_pipes { subst('\|', "%7C", value("MESSAGE")
> flags(global)); };
>
> rewrite r_pipes { subst("\t", "|", value("MESSAGE") flags(global)); };
>
> rewrite r_host { set("$SOURCEIP", value("HOST")); };
>
> rewrite r_extracted_host { set("$pdb_extracted_sourceip", value("HOST")
> condition("$pdb_extracted_sourceip" != "")); };
>
> rewrite r_extracted_timestamp {
>
>         set("$S_UNIXTIME", value("SOURCE"));
>
>         set("$pdb_extracted_timestamp", value("SOURCE")
> condition("$pdb_extracted_timestamp" != ""));
>
> };
>
>
>
> template t_db_parsed {
>
> template("$R_UNIXTIME\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n");
> };
>
> template t_db_parsed_import {
>
> template("$MSGID\t$SOURCE\t$HOST\t$PROGRAM\t${.classifier.class}\t$MSGONLY\t${i0}\t${i1}\t${i2}\t${i3}\t${i4}\t${i5}\t${s0}\t${s1}\t${s2}\t${s3}\t${s4}\t${s5}\n");
> };
>
> template t_ops {
>
> template("$S_UNIXTIME\t$HOST\t$PROGRAM\t$MSGID\t$MSGONLY\t${.SDATA.elsa at 32473.line_number
> }\t${.SDATA.elsa at 32473.pid}\t${.SDATA.elsa at 32473.client
> }\t${.SDATA.elsa at 32473.qid}\t\t\t${.SDATA.elsa at 32473.priority
> }\t${.SDATA.elsa at 32473.file}\t${.SDATA.elsa at 32473.method
> }\t${.SDATA.elsa at 32473.hostname}\t\t\n");
> };
>
> template t_unparsed { template("Unparsed host=$HOST program=$PROGRAM
> msg=$MSGONLY\n"); };
>
>
>
> destination d_elsa { program("perl /usr/local/elsa/node/elsa.pl -c
> /etc/elsa_node.conf" template(t_db_parsed)); };
>
> destination d_elsa_import { program("perl /usr/local/elsa/node/elsa.pl
> -c /etc/elsa_node.conf -f __IMPORT__" template(t_db_parsed_import)); };
>
> destination d_elsa_ops { program("perl /usr/local/elsa/node/elsa.pl -c
> /etc/elsa_node.conf -f __OPS__" template(t_ops)); };
>
> destination d_unclassified { unix-dgram("/data/elsa/tmp/ops"
> flags(syslog-protocol) template(t_unparsed)); };
>
> destination d_debug { unix-dgram("/data/elsa/tmp/debug"
> template(t_db_parsed)); };
>
>
>
> # Custom destination -Mike
>
> destination d_hosts {
>
>   file("/data/logs/$HOST/$HOST.log");
>
> };
>
>
>
> include /etc/elsa_syslog-ng.conf;
>
>
>
> #log {
>
> #        source(s_ops);
>
> #        destination(d_elsa_ops);
>
> #        flags(final);
>
> #};
>
>
>
> #log {
>
> #        source(s_network);
>
> #        source(s_realtime);
>
> #        rewrite(r_host);
>
> #        rewrite(r_cisco_program);
>
> #        rewrite(r_snare);
>
> #        rewrite(r_from_pipes);
>
> #        rewrite(r_pipes);
>
> #        parser(p_db);
>
> #        rewrite(r_extracted_host);
>
> #        ###FILTER_UNPARSED###log { filter(f_unclassified);
> rewrite(r_unparsed); destination(d_unclassified); flags(final); };
>
> #        log { destination(d_elsa); };
>
> #        log { destination(d_debug); };
>
> #};
>
>
>
> #log {
>
> #        source(s_import);
>
> #        rewrite(r_cisco_program);
>
> #        rewrite(r_snare);
>
> #        rewrite(r_from_pipes);
>
> #        rewrite(r_pipes);
>
> #        parser(p_db);
>
> #        rewrite(r_extracted_host);
>
> #        rewrite(r_extracted_timestamp);
>
> #        destination(d_elsa_import);
>
> #};
>
>
> # cat /etc/elsa_syslog-ng.conf
>
> ##################################
>
> ####   Global Options    #########
>
> ##################################
>
>
>
> options {
>
> check_hostname(yes);
>
> create_dirs(yes);
>
> dir_group(log_analyst);
>
> dir_owner(root);
>
> dir_perm(0550);
>
> group(log_analyst);
>
> owner(root);
>
> perm(0640);
>
> # Let's not be vulnerable to DNS attacks and general problems
>
> dns_cache(no);
>
> use_dns(no);
>
> # Keep the original hostname (good for relay servers)
>
> keep_hostname(yes);
>
> # Keep original timestamp (not received time) - the timestamp comes from the sender and
> # could be forged, so use caution during forensics examinations
>
> keep_timestamp(yes);
>
> };
>
>
>
> ##################################
>
> ###########   Sources    #########
>
> ##################################
>
>
>
> # Source for local system logs
>
> source s_local {
>
> # message generated by Syslog-NG
>
> internal();
>
> # standard Linux log source (this is the default place for the syslog()
>
> # function to send logs to)
>
> unix-stream("/dev/log");
>
> # messages from the kernel
>
> file("/proc/kmsg" program_override("kernel: "));
>
> };
>
>
>
> ##################################
>
> ######### Destinations  ##########
>
> ##################################
>
>
>
>
>
> # This is the directory structure that will be automatically created as
> logs come in
>
> destination d_hosts {
>
>   file("/data/logs/$HOST/$HOST.log");
>
> };
>
>
>


-- 
---
zoli