Common connection issues of syslog-ng (4268594)

There can be several reason why a syslog-ng connection does not work. 

This knowledge article contains the most common connection issues of syslog-ng Premium Edition (PE).

Incorrect syslog format

Client

syslog-ng[296]: Syslog connection broken; fd='11', server='AF_INET(10.10.10.10:601)', time_reopen='60'

Server

syslog-ng[553]: Invalid frame header; header='' ^*
syslog-ng[553]: Syslog connection closed; fd='36', client='AF_INET(10.10.10.20:37781)', local='AF_INET(10.10.10.10:601)'

* The error message does not contain the connection IP address and PORT, but the next "Syslog connection closed" message does.

Cause:

The server expects IETF syslog format but the client sends the logs in different format, most probably in BSD syslog format.

Resolution 1:

Check the client's destination configuration if the correct IETF syslog format is set.

syslog-ng Premium Edition:  Configuring IETF-syslog (RFC 5424) format in syslog-ng PE
syslog-ng Store Box: Configuring IETF-syslog (RFC 5424) format in SSB

Resolution 2:

If the client supports only BSD syslog format, change the source configuration on the server.
Note: If there are active clients sending IETF syslogs to the source, you may want to use a separated BSD syslog source for the client, instead of reconfiguring the current one.

syslog-ng Premium Edition:  Configuring BSD-syslog (RFC 3164) format in syslog-ng PE
syslog-ng Store Box: Configuring BSD-syslog (RFC 3164) format in SSB

Message size too large

Error message:

Client

syslog-ng[296]: Syslog connection broken; fd='13', server='AF_INET(192.168.1.100:514)', time_reopen='60'

Server

syslog-ng[553]: Incoming frame larger than log_msg_size(); log_msg_size='65536', frame_length='65559', client='192.168.1.1'

Cause:

The client sends a log message that is greater than the maximum message size set on the server.

Resolution:

Modify the server's log message size option.

syslog-ng Premium Edition: Add log-msg-size(bytes) option to the global option{} section and set a bigger value than the 'frame_length' indicated in the error message, max. 256MB.

options {
     log-msg-size(131072)
}

Syslog-ng Store Box:  Set message size at Log | Options | Options | Message size.