﻿id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1248	syslog UDP sockets growing until 28230 connections.	olivier.gondouin@…		"On a Linux server with a large amount of traffic, using syslog for remote logging output causes UDP syslog connections to grow until there are 28230 connections after a few days, and then blocks any other new UDP connections.

The system is Ubuntu Trusty (14.04), with self-compiled nginx 1.8.0. Remote logging uses this kind of configuration in several virtual hosts:

{{{
access_log syslog:server=10.99.0.47,facility=local1,severity=info main;
error_log syslog:server=10.99.0.47,facility=local1,severity=error notice;
}}}

To count the number of connections and see the 28230 limit:

{{{
  netstat -au | grep ESTABLISHED | wc -l
}}}

The accumulated connections are of this kind (using netstat -aun):
{{{
udp        0      0 10.99.10.16:51676        10.99.0.47:514          ESTABLISHED
}}}

They keep the state ESTABLISHED.

Default {{{net.core.somaxconn = 30000}}} is used on this system. After nginx has reached 28230 connections the only solution to resolve the issue is to restart nginx to free connections.
"	defect	closed	minor		nginx-core	1.8.x	invalid	syslog connections saturation		Linux pepitaweb11 3.13.0-100-generic #147-Ubuntu SMP Tue Oct 18 16:48:51 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux	"nginx version: nginx/1.8.0
built with OpenSSL 1.0.1f 6 Jan 2014
TLS SNI support enabled
configure arguments: --prefix=/opt/nginx-1.8.0 --user=www-data --group=www-data --with-http_gzip_static_module --with-http_gunzip_module --with-http_ssl_module --with-http_spdy_module --with-http_flv_module --with-http_mp4_module --with-http_secure_link_module --with-http_dav_module --with-http_realip_module --with-file-aio --with-debug --with-http_stub_status_module --with-pcre --with-pcre-jit --with-pcre=/opt/arc/build/pcre-8.36
"
