[syslog-ng] closing inactive or idle incoming connections

Peter Kokai (pkokai) Peter.Kokai at oneidentity.com
Wed Apr 7 05:56:26 UTC 2021


I could not find an option to close a connection if no syslog message is sent.
In spite of that, there is an option to configure tcp-keepalive-time/probes/intvl per network source.


From: syslog-ng <syslog-ng-bounces at lists.balabit.hu> on behalf of Evan Rempel <erempel at uvic.ca>
Sent: 06 April 2021 16:35
To: Syslog-ng users' and developers' mailing list
Subject: [syslog-ng] closing inactive or idle incoming connections

Using syslog-ng 3.26 at the moment but can use the latest if the options
are available or easier.

Is there a way to configure the idle timeout for incoming connections?

I have a use case where we want to log from a mobile work force, which
can be anywhere on the internet. This means that our syslog server needs
to be open to the internet. The bad guys are connecting to our port and
not sending anything, just tying up the port.

The port requires a certificate so is "safe", however, the connection is
consumed for approx 2 hours before syslog-ng drops the connection with

syslog-ng[22490]: Error reading RFC6587 style framed data; fd='3769',
error='Connection timed out (110)'
syslog-ng[22490]: Syslog connection closed; fd='4509',
client='AF_INET()', local='AF_INET()'

Is there a way to configure syslog-ng to drop the connection if it does
not receive the certificate in 60 seconds?

Is there a way to configure syslog-ng to drop the connection if no
syslog messages are received in 10 minutes?
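
The keepalive options named in the reply at the top of this thread, shown on a TLS syslog() source as an added example (not from either poster or from the syslog-ng project); the port, file paths and timer values are assumptions. TCP keepalive only closes connections whose peer stops answering probes, so a client that stays connected and silent still holds its slot, which is why the example also caps the source with max-connections().

```conf
@version: 3.26

# Added example: source name, port, paths and numbers are assumptions.
source s_tls_remote {
    syslog(
        ip("0.0.0.0")
        port(6514)                          # assumed listening port
        transport("tls")
        tls(
            key-file("/etc/syslog-ng/key.d/server.key")     # placeholder path
            cert-file("/etc/syslog-ng/cert.d/server.crt")   # placeholder path
            ca-dir("/etc/syslog-ng/ca.d")                   # placeholder path
            peer-verify(required-trusted)   # client certificate required
        )

        # Turn on SO_KEEPALIVE for accepted sockets. Without the three
        # overrides below the kernel defaults apply; on Linux the first
        # probe is sent only after 7200 s of idle time.
        so-keepalive(yes)

        # Per-source overrides of the kernel keepalive timers:
        tcp-keepalive-time(60)      # idle seconds before the first probe
        tcp-keepalive-intvl(10)     # seconds between unanswered probes
        tcp-keepalive-probes(3)     # unanswered probes before the socket is closed
        # A peer that has gone away is dropped after about 60 + 3*10 = 90 s.
        # A peer that is still up and ACKs the probes is NOT dropped.

        # Upper bound on simultaneous connections to this source, so idle
        # sockets cannot grow without limit.
        max-connections(500)
    );
};
```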


