This is a bit out of scope I'd think, but here we go.
I'm attempting to use cloning on a load balancer to clone my log traffic
to a development loghost. The idea is to get the same amount of log traffic
on my development server as I get on my production server. In theory nice.
To get it working, I had to add some iptables rules to rewrite the
destination address of the log packets, otherwise the kernel would just
drop them:
Chain PREROUTING (policy ACCEPT 40 packets, 4057 bytes)
 pkts bytes target  prot opt in  out  source     destination
  163 26207 NETMAP  udp  --  *   *    0.0.0.0/0  10.27.23.11  10.27.23.100/32
    0     0 NETMAP  udp  --  *   *    0.0.0.0/0  10.27.23.12  10.27.23.100/32
And for most parts, this works nice. However, I just discovered the
following:
[..]
2011-04-13T00:15:09.840275+02:00 loghost01 possible SYN flooding on port 10515. Sending cookies.
2011-04-13T00:15:10.473383+02:00 loghost01 netstream session 0xe0a7190 will be closed due to error
2011-04-13T00:15:19.610531+02:00 loghost01 netstream session 0xe2151a0 will be closed due to error
2011-04-13T00:15:19.647328+02:00 loghost01 netstream session 0xe216820 will be closed due to error
2011-04-13T00:15:19.652144+02:00 loghost01 netstream session 0xe0aa160 will be closed due to error
2011-04-13T00:15:24.585523+02:00 loghost01 netstream session 0xe054720 will be closed due to error
2011-04-13T00:15:27.772918+02:00 loghost01 netstream session 0xe055660 will be closed due to error
[..]
2011-04-13T00:16:14.312158+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312168+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312175+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312181+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312189+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312194+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
[..]
My guess is that this configuration doesn't work great with TCP
syslogging. However, the "epoll_ctl failed on fd" goes absolutely
mental. So far today, it's logged 5.6G worth of just that error :)
So two questions:
1) Is there a way to make rsyslog put the network interface in
promiscuous mode for logging, so I don't need these rewrite rules and
it acts more like a silent observer (like Snort and friends)?
2) Is the "epoll_ctl failed on fd" error something that is perhaps related
to an unhandled exception in rsyslog? Or at least an exception that
isn't handled very gracefully?
Regards,
Anders Synstad
Basefarm AS
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com
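As an added example (not from the thread and not rsyslog's own code), here is a small Python detector for the failure mode the post describes: one error message repeating in a tight burst until it fills the disk. It groups rsyslog lines by message template (hex ids, fds and ports collapsed to placeholders) and reports any template that fires more than a threshold number of times inside a short sliding window. The sample lines are constructed from the output quoted in the post; the window and threshold values are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the rsyslog lines quoted in the post:
# one SYN-flood notice, a few closed netstream sessions, a burst of
# identical epoll_ctl errors, and one unrelated line from another host.
SAMPLE_LOG = """\
2011-04-13T00:15:09.840275+02:00 loghost01 possible SYN flooding on port 10515. Sending cookies.
2011-04-13T00:15:10.473383+02:00 loghost01 netstream session 0xe0a7190 will be closed due to error
2011-04-13T00:15:19.610531+02:00 loghost01 netstream session 0xe2151a0 will be closed due to error
2011-04-13T00:15:19.647328+02:00 loghost01 netstream session 0xe216820 will be closed due to error
2011-04-13T00:15:19.652144+02:00 loghost01 netstream session 0xe0aa160 will be closed due to error
2011-04-13T00:16:14.312158+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312168+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312175+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312181+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312189+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:14.312194+02:00 loghost01 epoll_ctl failed on fd 1023, id 0/0xe218b20, op 1 with File exists
2011-04-13T00:16:20.000000+02:00 app01 kernel: link up on eth0
"""

# RFC 3339 timestamp, hostname, free-text message (rsyslog's high-precision format)
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")


def normalize(msg):
    """Collapse the variable parts of a message so repeats share one template."""
    msg = re.sub(r"0x[0-9a-f]+", "0xID", msg)  # session / epoll ids
    msg = re.sub(r"\b\d+\b", "N", msg)        # fds, ports, op numbers
    return msg


def parse(text):
    """Return a list of (timestamp, host, template) for every parsable line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])  # handles the +02:00 offset (Python 3.7+)
        events.append((ts, m["host"], normalize(m["msg"])))
    return events


def find_storms(events, window_s=1.0, threshold=5):
    """Map (host, template) -> peak count of that template inside any window_s span,
    keeping only templates whose peak reaches threshold."""
    by_tpl = defaultdict(list)
    for ts, host, tpl in events:
        by_tpl[(host, tpl)].append(ts)

    storms = {}
    for key, times in by_tpl.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # slide the window start forward until it fits inside window_s
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            storms[key] = peak
    return storms


if __name__ == "__main__":
    for (host, tpl), peak in find_storms(parse(SAMPLE_LOG)).items():
        print(f"{host}: {peak} x '{tpl}' within 1s")
```

On the sample, only the epoll_ctl template trips the detector (six hits within a few microseconds); the four netstream closures are spread out enough to stay below the threshold. Run against a live file, a template that stays "stormy" for minutes is the cue to rate-limit or stop the daemon before it fills the volume, which is cheaper than discovering 5.6G of one message after the fact.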