Your message dated Thu, 06 Oct 2011 17:15:17 +0200
with message-id <[email protected]>
and subject line not reproducible
has caused the Debian Bug report #373993,
regarding syslog-ng gives up on remote host after a while
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
373993: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373993
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: syslog-ng
Version:   1.9.11-1

Hey guys,


The problem is that this machine is being fed logs from various remote
sources.

One source in particular, a firewall, is generating a fairly large amount of
syslog traffic, but nothing unusual (a couple of other firewalls seem to
generate the same amount of log traffic to this machine).

After a while, syslog-ng just stops logging the traffic from this one FW!
I also noticed that after Syslog-ng had stopped logging for the remote FW
that it starts sending back ICMP port unreachable messages ....

The "[|syslog]" is interesting because this appears every time before
syslog-ng gives up on the FW. Interestingly enough, netcat exhibits the same
behaviour!

EG: "netcat -l -u -p 514 | strings"

Is the remote FW sending the equivalent of a close session command via UDP?
Is such a thing even a valid idea in UDP?

Any ideas at this stage would be welcome 



Cheers



Jan.





tcpdump
-------------------------------SNIP----------------------------
17:54:11.836367 IP 192.168.x.x.514 > 192.168.y.y.514: SYSLOG local4.info, length: 102
17:54:12.135812 IP 192.168.x.x.514 > 192.168.y.y.514: SYSLOG local4.info, length: 148
17:54:12.153307 IP 192.168.x.x.514 > 192.168.y.y.514: SYSLOG local4.info, length: 81
17:54:12.153322 IP 192.168.x.x.514 > 192.168.y.y.514: SYSLOG local4.info, length: 128
17:54:12.153323 IP 192.168.x.x.514 > 192.168.y.y.514: SYSLOG local4.info, length: 174
17:54:12.222301 IP 192.168.x.x.514 > 192.168.y.y.514: [|syslog]
17:54:12.291284 IP 192.168.x.x.514 > 192.168.y.y.514: SYSLOG local4.info, length: 128
17:54:12.291299 IP 192.168.y.y > 192.168.x.x: ICMP 192.168.y.y udp port 514 unreachable, length 164
-------------------------------SNIP----------------------------

dpkg --status syslog-ng
Package: syslog-ng
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 504
Maintainer: SZALAY Attila <[email protected]>
Architecture: i386
Version: 1.9.11-1
Provides: system-log-daemon, linux-kernel-log-daemon
Depends: libc6 (>= 2.3.6-6), util-linux (>= 2.12-10)
Recommends: logrotate
Conflicts: system-log-daemon, linux-kernel-log-daemon
Conffiles:
 /etc/default/syslog-ng 4edbb5c22fb517e6a8c1a39d900d30de
 /etc/syslog-ng/syslog-ng.conf d887aba60ef569253650b851bf01166f
 /etc/init.d/syslog-ng 1b3e2baf5de8201481f2c9bd7500192c
 /etc/logrotate.d/syslog-ng 775a55179b39cef42ea808c354b646ee
 /etc/logcheck/ignore.d.workstation/syslog-ng 2f070c8acc0cd110d56ba5bf3e841aa5
 /etc/logcheck/ignore.d.server/syslog-ng 2f070c8acc0cd110d56ba5bf3e841aa5
 /etc/logcheck/ignore.d.paranoid/syslog-ng 2f070c8acc0cd110d56ba5bf3e841aa5
Description: Next generation logging daemon
 Syslog-ng tries to fill the gaps original syslogd's were lacking:
   * powerful configurability
   * filtering based on message content
   * portability
   * better network forwarding






___________________________________________________
Some people are like Slinkies
They bring a smile to your face when you push them down a flight of stairs.
-- ozmanjusri (601766) as seen on /.

___________________________________________________

Cell Phone: +44 79 0417 4088
E-Mail    : [email protected]
___________________________________________________


        
        
                


--- End Message ---
--- Begin Message ---
This is an old bug, with no similar issues filed since. It's also
unreproducible, and to me, sounds very much like a network issue.

-- 
|8]



--- End Message ---
