[syslog-ng] Missing one log message when destination unavailable for short period of time.

Balazs Scheidler bazsi77 at gmail.com
Thu May 7 17:45:28 UTC 2020


The tcp stack of the host would return success for the first message that
follows a tcp connection termination.

We have no way of knowing that it was actually sent or not, the host kernel
doesn't return this information.

Syslog-ng tries to detect connection termination proactively and as long as
we don't have a message to write we should detect the closing connection
and avoid the loss of the upcoming message. Please check if syslog-ng
detects the closing connection, it should report this in its debug log
level, look for something like "eof detected on an idle connection".

The complete solution to this is application level acknowledgement, which
is an extra protocol layer over tcp.

Syslog-ng PE has rltp for this purpose but that's a proprietary feature and
I found its extra overhead is rarely needed.

Bazsi

On Thu, May 7, 2020, 19:03 Ali Shirvani <aj.shirvani at gmail.com> wrote:

> Hi all,
>
> I tried to setup simple relay with syslog-ng, it receives log on one port
> and forward to the destination. It works fine when destination is
> available, but when destination unavailable for a short period of time and
> then became available I miss one log entry.
>
> For example assume that I send simple numbers with logger command to
> syslog-ng, from 0 to 100, when I receive 50 on destination I stop its
> listener and start it again, in this case the first log entry that I
> receive is 52 instead of 51.
>
> Here is my syslog-ng.conf:
>
> @version: 3.26
>
> options {
>   time_reopen(5);
> };
>
> source s_network {
>   network(
>     ip("127.0.0.1")
>     port(514)
>     transport("udp")
>   );
> };
>
> destination d_network {
>   network(
>     "127.0.0.1"
>     port(5514)
>     transport("udp")
>   );
> };
>
> log {
>   source(s_network);
>   destination(d_network);
> };
>
> Would you please help me to resolve this issue?
>
> Regards,
> Ali
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200507/e33ee548/attachment-0001.html>


More information about the syslog-ng mailing list