SoylentGreen l33t
Joined: 19 Aug 2005 Posts: 904 Location: The Hostel
|
Posted: Wed May 23, 2007 10:28 am Post subject: [SOLVED] syslog-ng and max number of connections |
|
|
since i updated to syslog-ng 2.0.4 i see the following in my syslog:
Code: |
syslog-ng[8827]: Number of allowed concurrent connections exceeded; num='10', max='10'
|
i am using the syslog from the gentoo wiki. infact of the above error, my last service does not start (webmin in my case).
i do not think this is a bug, but i guess i have to set the max number of connections somewhere in the syslog.conf? where?
any hints?
Last edited by SoylentGreen on Wed May 23, 2007 12:27 pm; edited 1 time in total |
|
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
|
Posted: Wed May 23, 2007 10:36 am Post subject: |
|
|
max-connections() has a default of 10 and is an option to the source object; e.g.
source s_stream { unix-stream("/dev/log" max-connections(20)); };
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself
|
SoylentGreen l33t
Joined: 19 Aug 2005 Posts: 904 Location: The Hostel
|
Posted: Wed May 23, 2007 10:45 am Post subject: |
|
|
ah, thx. this isn't in the manpage..
should i change
Code: |
source src { unix-stream("/dev/log"); internal(); };
|
to
Code: |
source src { unix-stream("/dev/log"); max-connections(20); };
|
or is the "internal" important?
ps: i guess the extra closing bracket "(20))" is a typo?
//edit: hmm, no, i get syntax errors then ;(
here's my conf:
Code: |
# /etc/syslog-ng/syslog-ng.conf
# From the Gentoo Linux Security Guide
# http://www.gentoo.org/doc/en/gentoo-security.xml
# Creative Commons - Attribution / Share Alike License
# http://creativecommons.org/licenses/by-sa/2.0
options {
long_hostnames(off);
sync(0);
stats(43200);
};
#source where to read log
source src { unix-stream("/dev/log"); internal(); };
source kernsrc { file("/proc/kmsg"); };
#define destinations
destination authlog { file("/var/log/auth.log"); };
destination syslog { file("/var/log/syslog"); };
destination cron { file("/var/log/cron.log"); };
destination daemon { file("/var/log/daemon.log"); };
destination kern { file("/var/log/kern.log"); };
destination lpr { file("/var/log/lpr.log"); };
destination user { file("/var/log/user.log"); };
# Should be maillog (Without dot) as it was the default on logwatch
destination mail { file("/var/log/maillog"); };
destination mailinfo { file("/var/log/mail.info"); };
destination mailwarn { file("/var/log/mail.warn"); };
destination mailerr { file("/var/log/mail.err"); };
destination newscrit { file("/var/log/news/news.crit"); };
destination newserr { file("/var/log/news/news.err"); };
destination newsnotice { file("/var/log/news/news.notice"); };
destination debug { file("/var/log/debug"); };
destination messages { file("/var/log/messages"); };
destination console { usertty("root"); };
destination console_all { file("/dev/tty12"); };
destination xconsole { pipe("/dev/xconsole"); };
#create filters
filter f_auth { facility(auth); };
filter f_authpriv { facility(auth, authpriv); };
filter f_syslog { not facility(authpriv, mail); };
filter f_cron { facility(cron); };
filter f_daemon { facility(daemon); };
filter f_kern { facility(kern); };
filter f_lpr { facility(lpr); };
filter f_mail { facility(mail); };
filter f_user { facility(user); };
filter f_debug { not facility(auth, authpriv, news, mail); };
filter f_messages { level(info..warn)
and not facility(auth, authpriv, mail, news); };
filter f_emergency { level(emerg); };
filter f_info { level(info); };
filter f_notice { level(notice); };
filter f_warn { level(warn); };
filter f_crit { level(crit); };
filter f_err { level(err); };
filter f_failed { match("failed"); };
filter f_denied { match("denied"); };
#connect filter and destination
log { source(src); filter(f_authpriv); destination(authlog); };
log { source(src); filter(f_syslog); destination(syslog); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_daemon); destination(daemon); };
log { source(kernsrc); filter(f_kern); destination(kern); };
log { source(src); filter(f_lpr); destination(lpr); };
log { source(src); filter(f_mail); destination(mail); };
log { source(src); filter(f_user); destination(user); };
log { source(src); filter(f_mail); filter(f_info); destination(mailinfo); };
log { source(src); filter(f_mail); filter(f_warn); destination(mailwarn); };
log { source(src); filter(f_mail); filter(f_err); destination(mailerr); };
log { source(src); filter(f_debug); destination(debug); };
log { source(src); filter(f_messages); destination(messages); };
log { source(src); filter(f_emergency); destination(console); };
#default log
log { source(src); destination(console_all); };
|
|
|
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
|
Posted: Wed May 23, 2007 11:00 am Post subject: |
|
|
SoylentGreen wrote: | ah, thx. this isnt in the manpage..
should i change
Code: |
source src { unix-stream("/dev/log"); internal(); };
|
to
Code: |
source src { unix-stream("/dev/log"); max-connections(20); };
|
or is the "internal" important?
ps: i guess the extra closing bracket "(20))" is a typo? |
Read more exact
change
Code: |
source src { unix-stream("/dev/log"); internal(); };
|
to
Code: |
source src { unix-stream("/dev/log") max-connections(20); internal(); };
|
about the ps - no it isn't; it is an option to unix-stream, *not* to s_stream
everything taken from original documentation
|
SoylentGreen l33t
Joined: 19 Aug 2005 Posts: 904 Location: The Hostel
|
Posted: Wed May 23, 2007 11:09 am Post subject: |
|
|
well, if i change like you suggested i get the syntax error i mentioned.
Code: |
syntax error at 15
* Configuration error. Please fix your configfile (/etc/syslog-ng/syslog-ng.conf)
|
line 15 is the line you suggested. |
|
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
|
Posted: Wed May 23, 2007 11:15 am Post subject: |
|
|
are you sure 2.04 is running and not the older 1.6? (syslog-ng -V)
about the documentation: http://www.balabit.com/dl/white_papers/syslog_admin_guide_en.pdf, Page 48
|
SoylentGreen l33t
Joined: 19 Aug 2005 Posts: 904 Location: The Hostel
|
Posted: Wed May 23, 2007 11:17 am Post subject: |
|
|
yes, 2.0.4 is running and the only one installed, but it doesn't like the line you suggested.
hmm..
will have a look at the pdf now..
hmm, it doesn't like max_connections in my options section either (like this):
Code: |
options {
long_hostnames(off);
sync(0);
stats(43200);
max_connections(20);
};
|
pretty odd, regarding to the pdf it should work.
are you using 2.0.4 as well, and it works for you? |
|
SoylentGreen l33t
Joined: 19 Aug 2005 Posts: 904 Location: The Hostel
|
Posted: Wed May 23, 2007 11:41 am Post subject: |
|
|
well, i read:
Code: |
2.0.4
Mon, 14 May 2007 11:47:48 +0200
IMPORTANT NOTES:
* This version of syslog-ng fixes a bug in enforcing the
max-connections() limit for various stream-like sources
(unix-stream and tcp). Previously this limit was not enforced,
thus production environments may use an inadequate value.
Validate your max-connection() settings before upgrading
and check your logs for rejected connections.
|
so something must have changed. i'll emerge 2.03 to see if this is perhaps a bug?
//edit: doesn't work using 2.03 either |
|
think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
|
Posted: Wed May 23, 2007 12:17 pm Post subject: |
|
|
got it ... the documentation has a bug!
It must read as max-connections, not max_connections, e.g.
source src { unix-stream("/dev/log" max-connections(20)); internal(); pipe("/proc/kmsg"); };
tested and working on a testbox with 2.04
|
SoylentGreen l33t
Joined: 19 Aug 2005 Posts: 904 Location: The Hostel
|
Posted: Wed May 23, 2007 12:26 pm Post subject: |
|
|
duh! good shot
well, a real PIA they sometimes use "_" and sometimes "-" in the very same config file
Code: |
source src { unix-stream("/dev/log" max-connections(20)); internal(); pipe("/proc/kmsg"); };
|
does the trick (with or without using kmsg). i just copy&pasted it, worked
//edit: btw, the docu contains both, max-connections *and* max_connections. looks like they got pretty confused themselves? |
|
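The 2.0.4 release note quoted in this thread asks admins to validate their max-connections() settings and check logs for rejected connections. The following is an added example, not part of the original posts or of syslog-ng: it counts the rejection messages and reports the effective limit of each stream source. It also flags the two mistakes seen above: the option placed outside the driver parentheses, and the underscore spelling that the posters found 2.0.4 rejects. The function names and the sample timestamp and hostname are constructed, and the input is assumed to contain source statements only.

```python
import re

REJECT_RE = re.compile(r"Number of allowed concurrent connections exceeded; "
                       r"num='(\d+)', max='(\d+)'")
DRIVER_RE = re.compile(r"\b(unix-stream|tcp)\s*\(")
OPTION_RE = re.compile(r"\bmax([-_])connections\s*\(\s*(\d+)\s*\)")
DEFAULT_MAX = 10  # default quoted in the thread

def rejected(log_lines):
    """(num, max) for every rejected-connection message in the log."""
    return [(int(m[1]), int(m[2])) for m in map(REJECT_RE.search, log_lines) if m]

def closing_paren(text, open_idx):
    """Index of the ')' matching the '(' at open_idx (quotes are not parsed)."""
    depth = 0
    for i in range(open_idx, len(text)):
        depth += {"(": 1, ")": -1}.get(text[i], 0)
        if depth == 0:
            return i
    return len(text)

def audit(conf):
    """Effective limit per stream driver, plus misplaced or misspelled options."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)       # drop whole-line comments
    spans, limits, problems = [], [], []
    for d in DRIVER_RE.finditer(conf):
        end = closing_paren(conf, d.end() - 1)
        spans.append((d.end(), end))
        opt = OPTION_RE.search(conf, d.end(), end)  # only inside the driver call
        ok = opt and opt[1] == "-"
        limits.append((d[1], int(opt[2]) if ok else DEFAULT_MAX))
    for o in OPTION_RE.finditer(conf):
        if o[1] == "_":
            problems.append(f"underscore spelling: {o[0]}")
        elif not any(s <= o.start() < e for s, e in spans):
            problems.append(f"outside driver parentheses: {o[0]}")
    return limits, problems

# Constructed sample input; the message text is the one quoted in the thread.
SAMPLE_LOG = [
    "May 23 10:20:01 host syslog-ng[8827]: Number of allowed concurrent "
    "connections exceeded; num='10', max='10'",
    "May 23 10:20:02 host webmin[9001]: starting",
]
BROKEN = 'source src { unix-stream("/dev/log") max-connections(20); internal(); };'
WORKING = ('source src { unix-stream("/dev/log" max-connections(20)); '
           'internal(); pipe("/proc/kmsg"); };')

if __name__ == "__main__":
    print(rejected(SAMPLE_LOG))
    print(audit(BROKEN))
    print(audit(WORKING))
```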