I got bitten by this bug this week. There is a problem in syslog-ng-2.1.3.ebuild that causes it to eat up all memory and CPU when remote logging via UDP is enabled and the remote host replies with ICMP port unreachable. The problem is especially bad on boxes with AMD64 and lots of RAM, since it can take the whole system down with it. This has been fixed in version 2.1.4, as reported in [1]. I already unmasked 2.1.4 and installed it, which fixed the problem for me. I hope that a version bump to 2.1.4 can be done soon.
[1] http://www.syslog.org/forum/syslog-ng/syslog-ng-forwarding-to-remote-host-dies-when-remote-host-goes-down/
More info about this bug: https://lists.balabit.hu/pipermail/syslog-ng/2009-March/012701.html The split-out patch: --- a/src/afsocket.c +++ b/src/afsocket.c @@ -912,6 +912,8 @@ afsocket_dd_notify(LogPipe *s, LogPipe *sender, gint notify_code, gpointer user_ { case NC_CLOSE: case NC_WRITE_ERROR: + log_writer_reopen(self->writer, NULL); + msg_error("Connection broken", evt_tag_int("time_reopen", self->time_reopen), NULL);
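Review bot: The added log_writer_reopen(self->writer, NULL) under case NC_CLOSE / NC_WRITE_ERROR in afsocket_dd_notify() carries no comment saying why the writer is reset with a NULL argument before the "Connection broken" message is emitted. A one-line comment stating that the call detaches the writer from the failed connection until the reconnect after time_reopen would make the intent clear to the next reader, since the call otherwise looks like a no-op reopen. The hunk as quoted here is also shorter than its @@ -912,6 +912,8 @@ header implies, so the lines that follow msg_error (where the reconnect is presumably scheduled) are not visible and the ordering of reset and reconnect cannot be checked from this excerpt.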
2.1.4 is already in the tree. If you need features from it, you should unmask it locally.
I already unmasked it locally, but IMHO the stable version shouldn't have such a major bug. I don't like the idea of unmasking this package on 30+ machines. Why can't 2.1.4 be pushed to stable?