Exceeding the max-open file limitation for the syslog-ng process. Syslog-ng is dropping core files. (4283050)

In this case syslog-ng was reading logs from a directory. The number of logs exceeded the max-open file limitation for syslog-ng on the system.

The soft limit for open files was set to 4096 which is the default. This limit can be increased for syslog-ng.

When syslog-ng starts it opens all log files, so the "--fd-limit" (default: 4096) parameter has to be calculated to be larger than the number of log files.

You can check what the ulimit is set to by running "cat /proc/xxxx/limits" where xxxx is the PID of syslog-ng.

A hard limit is the maximum allowed set by root. A soft limit is the effective value right now.

Resolution 1:

Edit the following file:

/usr/lib/systemd/system/syslog-ng.service

Default:

ExecStart=/opt/syslog-ng/sbin/syslog-ng -F --enable-core $SYSLOGNG_OPTIONS

Increase to 8192:

ExecStart=/opt/syslog-ng/sbin/syslog-ng -F --enable-core --fd-limit 8192 $SYSLOGNG_OPTIONS

Restart the daemon, for example:

systemctl daemon-reload

systemctl reload syslog-ng.service

Resolution 2:

Increase the file limits that Syslog-ng is allowed to open in the kernel:

vi /etc/systemd/system/multi-user.target.wants/syslog-ng.service

[Service]

.....

LimitNOFILE=65535

LimitNOFILESoft=65535