Syslog fails on 2.8.1 when remote syslog server goes down
-
I run several pfSenses. One setup is a cluster. I have upgraded one member of the cluster to 2.8.1, the other is still on 2.8.0.
First - the syslogging source-ip issue that was introduced on 2.8.0 is now fixed, a big thanks for that. The thing essentially broke a bunch of my Splunk rules, and with 2.8.1 it is now working again.
However, I see another worrying thing on 2.8.1. When I restart my Splunk listener (an HF), pfSense 2.8.1 stops logging, whereas 2.8.0 continues logging. I have to manually go into logging settings and press "save" on 2.8.1 to get the logs going again. The 2.8.0 pfSense just kept going and did not mind that the syslog receiver was down.
As this is UDP, it baffles me a bit. My other 2.8.1's behaved the same way - I lost logging from 3 pfSenses at the same moment the HF was restarted.
The difference between 2.8.0 and 2.8.1 behavior exists, I would say.
-
See: https://forum.netgate.com/topic/198792/syslog-service-in-pfsense-v2.8.1-often-stop-itself/
Let's keep it in that thread.
-
I just had a second occasion where alarm forwarding was stopped. I had to / cleared the logs to activate remote logging again.
Some weeks ago, my impression was that the problem was caused by large numbers of alarms.
Today the cause may have been the fact that my Graylog server was temporarily not available. I did change the Graylog server's network address.
-
See the workaround in the above linked thread.
Let's keep discussion there to avoid confusion.
-
stephenw10 locked this topic