Hi, I am running rsyslog 5.8.3 as a central log collector which then sends the log messages to an archive using tls encryption. When the log message rate increases, I start seeing log messages like this:
rsyslog: netstream session 0x8b05ef0 will be closed due to error [try http://www.rsyslog.com/e/2165 ] The logging does not stop and the tcp connection to the remote archive does not break, though - it just starts spewing out these messages up to two times per minute. I enabled additional debugging, and the logfile contained this: 9275.065615635:40976b70: netstream 0x41000c50 with new data 9275.065635173:40976b70: error during recv on NSD 0x41000b88: Connection reset by peer 9275.065641798:40976b70: gtlsRcv return. nsd 0x413fff98, iRet -2165, lenRcvBuf 0, ptrRcvBuf 0 9275.065648064:40976b70: Called LogError, msg: netstream session 0x41000c50 will be closed due to error 9275.065675043:40976b70: main Q: entry added, size now log 6919, phys 6951 entries 9275.065682225:40976b70: main Q: EnqueueMsg advised worker start 9275.065707944:40976b70: --------<NSDSEL_PTCP> calling select, active fds (max 19): 14 15 16 19 On the receiving end I get no notification of an error happening at all. Following is the configuration the I use: $MaxMessageSize 64k $RepeatedMsgReduction off $EscapeControlCharactersOnReceive off $WorkDirectory /var/rsyslog # default location for work (spool) files $ModLoad imtcp $ModLoad imudp $ModLoad imptcp $ModLoad omuxsock $ModLoad impstats $InputPTCPServerListenIP 127.0.0.1 $InputPTCPServerRun 10100 $PStatsInterval 300 # log local syslog messages back to syslog-ng $OMUxSockSocket /dev/tosyslog if $programname startswith 'rsyslog' then :omuxsock: if $programname startswith 'rsyslog' then ~ $ActionQueueType LinkedList $ActionQueueFileName srvrfwd $ActionResumeRetryCount -1 $ActionQueueSaveOnShutdown on $ActionQueueMaxDiskSpace 819200 $DefaultNetstreamDriver gtls $DefaultNetstreamDriverCAFile /etc/ca/cacert.pem $DefaultNetstreamDriverCertFile /etc/client.pem $DefaultNetstreamDriverKeyFile /etc/client.key $ActionSendStreamDriverMode 1 $ActionSendStreamDriverAuthMode x509/certvalid $InputTCPServerStreamDriverMode 0 $InputTCPServerRun 10101 $UDPServerRun 10101 *.* @@(o,z0)loghost:5077;RSYSLOG_SyslogProtocol23Format If you need more data from the debug log, just ask. This is also easy to reproduce, therefore I am able to try some things if you come up with suggestions what happens there and how to get rid of those error messages. Thank you for your help! Best regards, Andreas Grosse _______________________________________________ rsyslog mailing list http://lists.adiscon.net/mailman/listinfo/rsyslog http://www.rsyslog.com
