On one of my servers, I get pretty hefty mailserver action. I also do remote syslog using syslog-ng and stunnel. Today I started noticing a few of these messages in the logs.


Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100


On one of my servers, I get pretty hefty mailserver action. I also do remote syslog using syslog-ng and stunnel. Today I started noticing a few of these messages in the logs.


Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100
Sep 5 14:00:02 comp syslog-ng[22273]: Error accepting AF_UNIX connection, opened connections: 100, max: 100


At first I was confused, because this is a syslog client sending logs to my internal syslog server. Along with piping it through stunnel, I also write local logs for simplicity and so other admins can have easy access to these logs. Looking at the error, I initially thought it was thinking it was a syslog host and was receiving connections to write (like my internal syslog server). I finally realized that this meant that there were too many connections from various services trying to write logs.. specifically mail connections.

Over the last few months, I’ve been steadily increasing mail traffic with additional hosting accounts and the usual spam attacks, etc. I felt that this was somewhat normal and pumping up the max connections wouldn’t be a bad idea any way. Currently the max is set to 100 connections, so I thought I’d crank it up to 500 and see if things are happy.

To do this, find the following line in syslog-ng.conf:


source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };


and add this:


source src { unix-stream("/dev/log" max-connections(500)); internal(); pipe("/proc/kmsg"); };


Remember to restart syslog-ng. If anyone has any experience with pushing connections up, please leave a comment. I’m hoping that I’m not trying to fix the symptom and avoiding the actual problem. I feel this is part of normal growing pains though.