Bug 31657

Summary: syslogd stop processing remote host log after a while
Product: Base System
Reporter: Romain Griffiths <wid>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 4.4-RELEASE
Hardware: Any
OS: Any

Description Romain Griffiths 2001-10-31 10:40:00 UTC
I have a loghost that logs syslog messages from 2 servers.
After a while (from a few minutes to several hours) the syslogd on my loghost stops logging messages.
tcpdump shows that the servers still send syslog info to the loghost:
11:27:19.111707 ide.syslog > loghost.syslog:  udp 102
but nothing arrives in
-rw-r--r--  1 root  wheel   18357 Oct 31 10:42 any.log

I have a bad-quality hub to link these machines.

How-To-Repeat:
on loghost (10.0.0.10):
in rc.conf:
syslogd_flags="-4 -n -a 10.0.0.2 -a 10.0.0.1"
in syslog.conf:

+10.0.0.1					
*.*;security.none		/space1/log/ide/any.log
security.*			/space1/log/ide/security.log

+10.0.0.2					
*.*;mail.none			/space1/log/mail/any.log
mail.*				/space1/log/mail/mail.log

on 10.0.0.1 syslog.conf:
*.*				@10.0.0.10
on 10.0.0.2 syslog.conf:
*.*				@10.0.0.10

Comment 1 Crist J. Clark 2001-11-02 06:37:39 UTC
On Wed, Oct 31, 2001 at 02:34:58AM -0800, Romain Griffiths wrote:
[snip]

> >Description:
> I have a loghost that logs syslog messages from 2 servers.
> After a while (from a few minutes to several hours) the syslogd on my loghost stops logging messages.
> tcpdump shows that the servers still send syslog info to the loghost:
> 11:27:19.111707 ide.syslog > loghost.syslog:  udp 102
> but nothing arrives in
> -rw-r--r--  1 root  wheel   18357 Oct 31 10:42 any.log
> 
> I have a bad-quality hub to link these machines.
> 
> >How-To-Repeat:
> on loghost (10.0.0.10):
> in rc.conf:
> syslogd_flags="-4 -n -a 10.0.0.2 -a 10.0.0.1"
> in syslog.conf:
> 
> +10.0.0.1					
> *.*;security.none		/space1/log/ide/any.log
> security.*			/space1/log/ide/security.log
> 
> +10.0.0.2					
> *.*;mail.none			/space1/log/mail/any.log
> mail.*				/space1/log/mail/mail.log
> 
> on 10.0.0.1 syslog.conf:
> *.*				@10.0.0.10
> on 10.0.0.2 syslog.conf:
> *.*				@10.0.0.10

This is more of something for freebsd-questions.

Can you run syslogd(8) in debug mode (the '-d' option) on the
server? See if it is receiving those incoming messages at all.
On a lossy network, there is a chance that the machines sending out
syslog messages might stop, and not start again, if they think the
remote server is unreachable. But you would not see the network
traffic in that case.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

Comment 2 dwmalone 2001-11-02 10:13:50 UTC
On Thu, Nov 01, 2001 at 10:50:04PM -0800, Crist J. Clark wrote:
>  This is more of something for freebsd-questions.

Actually - I think this might be a duplicate of

	http://www.freebsd.org/cgi/query-pr.cgi?pr=31029

which contains a patch.

	David.

Comment 3 Crist J. Clark 2001-11-02 19:34:27 UTC
On Fri, Nov 02, 2001 at 10:13:50AM +0000, David Malone wrote:
> On Thu, Nov 01, 2001 at 10:50:04PM -0800, Crist J. Clark wrote:
> >  This is more of something for freebsd-questions.
> 
> Actually - I think this might be a duplicate of
> 
> 	http://www.freebsd.org/cgi/query-pr.cgi?pr=31029
> 
> which contains a patch.

I wonder if this isn't what really is happening, but the originator
claimed he could still see syslog packets going over the wire to the
server, but the server was not responding. Before we tell him to
patch, we need to figure out if the packets are getting to the log
host or not.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

Comment 4 Crist J. Clark freebsd_committer freebsd_triage 2001-11-06 10:55:39 UTC
State Changed
From-To: open->closed

In a private email, the originator informs me it was a syslog.conf(5) 
configuration issue on the server with name resolution and '+hostname' 
blocks.
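
An added example, not part of the original report and not syslogd's own code: a simplified Python model of how '+hostname' blocks in syslog.conf(5) gate rules by sender name, run on the loghost configuration quoted in this report. It assumes the block name is compared case-insensitively with the name syslogd assigns the sender and ignores selector matching; the function names are hypothetical.

```python
# Simplified model of syslog.conf(5) host blocks (assumption: exact, case-insensitive match).
# Program blocks ('!prog') and '+@' (local host) are outside this model.
SAMPLE_CONF = """\
+10.0.0.1
*.*;security.none\t\t/space1/log/ide/any.log
security.*\t\t\t/space1/log/ide/security.log

+10.0.0.2
*.*;mail.none\t\t\t/space1/log/mail/any.log
mail.*\t\t\t\t/space1/log/mail/mail.log
"""  # constructed from the configuration quoted in the report


def parse_host_blocks(conf_text):
    """Return [(mode, host, selector, action)]; mode is '+', '-' or '*' (any host)."""
    rules, mode, host = [], "*", None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":   # skip blanks, comments, program blocks
            continue
        if line[0] in "+-":               # host block header
            name = line[1:].strip().lower()
            mode, host = ("*", None) if name == "*" else (line[0], name)
            continue
        selector, action = line.split(None, 1)
        rules.append((mode, host, selector, action.strip()))
    return rules


def actions_for_sender(rules, sender):
    """Actions whose host block admits `sender` (the name syslogd gives the sender)."""
    sender = sender.lower()
    return [action for mode, host, _sel, action in rules
            if mode == "*" or (mode == "+") == (host == sender)]


def unmatched_senders(rules, senders):
    """Senders admitted by no block: their messages are received but written nowhere."""
    return [s for s in senders if not actions_for_sender(rules, s)]


if __name__ == "__main__":
    rules = parse_host_blocks(SAMPLE_CONF)
    for name in ("10.0.0.1", "ide", "10.0.0.2"):
        print(name, "->", actions_for_sender(rules, name) or "no rule matches")
```

Comparing the sender name printed by `syslogd -d` against the block headers is the matching check on a live loghost.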