The purpose of this article is to help investigate syslog connection issues.
It doesn't cover the configuration of syslog sources or destinations.
From the point of view of syslog-ng, a syslog connection is a client-server connection that transfers messages in standard BSD or IETF syslog format, using the network() or syslog() driver.
Syslog-ng generates status and error messages about syslog connections on its internal() source.
Checking these messages in the system logs can help find the root cause of a failed syslog connection.
The log message of a syslog connection includes the state, the IP:PORT information and the file descriptor (fd) of the connection.
When a connection fails, the log message also contains an error message which may give a clue about the root cause of the issue.
Syslog connection accepted
A syslog client has connected to the syslog-ng server.
Syslog connection accepted; fd='20', client='AF_INET(10.10.10.10:56928)', local='AF_INET(0.0.0.0:2000)'
Syslog connection established
A syslog connection to a remote server has been established. This message appears on syslog-ng client machines.
Syslog connection established; fd='11', server='AF_INET(10.10.10.10:514)', local='AF_INET(0.0.0.0:0)'
Syslog connection closed
A syslog connection was closed normally by the client or by the server. This message appears for both outgoing and incoming syslog connections.
Syslog connection closed; fd='20', client='AF_INET(10.10.10.10:56928)', local='AF_INET(0.0.0.0:2000)'
Syslog connection broken
An established syslog connection was terminated. It can have various causes, for example a timeout or a network issue.
Syslog connection broken; fd='15', server='AF_INET(10.10.10.10:514)', time_reopen='60'
Syslog connection failed
A syslog connection could not be established. The error message provides information about the issue.
Syslog connection failed; fd='80', server='AF_INET(192.168.1.2:6514)', error='No route to host (113)', time_reopen='60'
A non-working syslog connection usually has one of two root causes: a network issue or a protocol issue.
In the first case the remote server is not accessible because of a network issue or an incorrect configuration.
In such cases the syslog-ng client drops a "Syslog connection failed" message.
In the second case the connection can be established, but the server does not accept the logs because of a protocol error.
When a protocol related issue happens, it is recommended to check the logs of both the syslog server and the client. In many cases the syslog server gives more exact error messages.
The following example shows the syslog messages of a connection that failed because of an incorrect syslog format: the client tries to send logs in BSD format instead of IETF format.
Syslog client messages
Syslog connection established; fd='11', server='AF_INET(10.10.10.10:601)', local='AF_INET(0.0.0.0:0)'
EOF occurred while idle; fd='11'
Syslog connection broken; fd='11', server='AF_INET(10.10.10.10:601)', time_reopen='60'
Closing log transport fd; fd='11'
Syslog server messages
Syslog connection accepted; fd='36', client='AF_INET(10.10.10.20:37781)', local='AF_INET(10.10.10.10:601)'
Invalid frame header; header=''
Syslog connection closed; fd='36', client='AF_INET(10.10.10.20:37781)', local='AF_INET(10.10.10.10:601)'
As the example shows, protocol issues generate more syslog connection messages, which should be tracked together. In a large environment there can be many syslog connection messages from different connections in the same time period.
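To follow one connection among many, the messages above can be grouped by file descriptor and peer address and the resulting state sequence mapped onto the two root causes described earlier. The script below is an added example, not part of the original article or of syslog-ng itself; its sample log is constructed from the message shapes shown above, and it assumes messages have the "text; key='value', ..." layout seen in those samples (messages without an fd, such as "Invalid frame header", are skipped).

```python
import re

# Constructed sample log (not from the article): the client-side protocol
# failure shown above followed by a "connection failed" network error.
SAMPLE_LOG = """\
Syslog connection established; fd='11', server='AF_INET(10.10.10.10:601)', local='AF_INET(0.0.0.0:0)'
EOF occurred while idle; fd='11'
Syslog connection broken; fd='11', server='AF_INET(10.10.10.10:601)', time_reopen='60'
Closing log transport fd; fd='11'
Syslog connection failed; fd='80', server='AF_INET(192.168.1.2:6514)', error='No route to host (113)', time_reopen='60'
"""

MSG_RE = re.compile(r"^(?P<msg>[^;]+);\s*(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)='([^']*)'")
# Messages that begin a connection's life; a repeated fd with one of these is a new connection.
START = {"Syslog connection accepted", "Syslog connection established", "Syslog connection failed"}

def parse_line(line):
    """Split "message; k='v', k='v'" into (message, {k: v}); None if the line has another shape."""
    m = MSG_RE.match(line.strip())
    return (m.group("msg"), dict(KV_RE.findall(m.group("kv")))) if m else None

def track_connections(log_text):
    """Build one timeline per connection. Timelines are keyed by fd, but fds are reused
    after close, so an accepted/established/failed message always opens a fresh timeline."""
    timelines, latest = [], {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed or "fd" not in parsed[1]:
            continue  # not a connection message, or one without an fd to track
        msg, f = parsed
        if msg in START or f["fd"] not in latest:
            latest[f["fd"]] = {"fd": f["fd"], "peer": f.get("server") or f.get("client"),
                               "events": [], "error": None}
            timelines.append(latest[f["fd"]])
        conn = latest[f["fd"]]
        conn["events"].append(msg)
        conn["error"] = f.get("error", conn["error"])
    return timelines

def diagnose(conn):
    """Map a timeline onto the two root causes: unreachable server vs. protocol problem."""
    ev = conn["events"]
    if "Syslog connection failed" in ev:
        return "not established (network/config): %s" % (conn["error"] or "no error text")
    if "Syslog connection established" in ev and "Syslog connection broken" in ev:
        if "EOF occurred while idle" in ev:
            return "peer closed it after establishment: suspect protocol error, check server log"
        return "dropped after establishment: timeout or network issue"
    if "Syslog connection closed" in ev:
        return "closed normally"
    return "still open or incomplete"

if __name__ == "__main__":
    for c in track_connections(SAMPLE_LOG):
        print("fd=%s peer=%s: %s" % (c["fd"], c["peer"], diagnose(c)))
```

Run it against the real internal() log of the client or the server; on the server side the peer is taken from the client= field, so the same grouping works for incoming connections.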
Track a connection
Syslog message formats: https://support.oneidentity.com/syslog-ng-premium-edition/kb/264126
Common issues of TLS encrypted message transfer: https://support.oneidentity.com/syslog-ng-premium-edition/kb/263658