Syslog service in pfSense v2.8.1 often stop itself
-
https://redmine.pfsense.org/issues/16362
sendto: Connection refusedDo you have any idea why it can be refused? I see this only when booting and network not initiated yet or whatever, never happened when everything is up and running.
-
Typically it seems to be when the syslog server is cycling in some way. Archiving perhaps? Seems like an issue for a syslog server to periodically stop accepting logs! But enough people are seeing it that I guess it's a thing.
This looks to be fixed by changes that went into syslogd recently. I can't replicate it in 25.11. -
S stephenw10 referenced this topic
-
@stephenw10 It is not an "issue" for syslogservers to stop accepting logs for the duration of a restart. It is a common fact that this may happen, all syslog receivers are not (or cannot be) clusters. And while this is all UDP, i am (still) a bit baffled why the pfSense syslog would actually even care - it should just spit UDP in that direction and let the receiver worry about ...well, the receiving part.
-
@stephenw10 said in Syslog service in pfSense v2.8.1 often stop itself:
Typically it seems to be when the syslog server is cycling in some way. Archiving perhaps?
In our case we saw this multiple times after reboot and pfSense is ready before all the KVM guests are online for example the syslog server...
Not sure this also happens in 2.8.0, maybe possible.
pfSense Gold subscription
-
Oh it absolutely shouldn't. It's a bug and it's now fixed. https://reviews.freebsd.org/D51995
-
@slu said in Syslog service in pfSense v2.8.1 often stop itself:
Not sure this also happens in 2.8.0, maybe possible.
Yes, it's in 2.8.0 and 2.8.1 and 25.07. Unfortunately.
-
@stephenw10
mhm, I try the "Service Watchdog" at the moment, maybe a workaround?
Will see.. -
ChatGPT overview of the change, seems legit (of course caveat emptor for LLM...)
After D51995, all of the still-fatal cases are local to the pfSense box (syslogd/process/kernel socket). None of the remaining fatal errors are caused by the remote syslog host; the remote/network-state errors were reclassified as transient and no longer make the destination “dead.”
What can still make syslogd drop the destination (and why)
Local to the pfSense box (syslogd / socket / config):
-
EBADF – invalid/closed descriptor used for sendmsg(). Programming/state issue on the sender.
man.freebsd.org -
EACCES – permission denied (e.g., trying to send to a broadcast address without SO_BROADCAST, or lacking permission on a UNIX-domain socket path). Sender-side socket option or filesystem perms.
-
ENOTSOCK – fd is not a socket. Sender bug/misconfiguration.
-
EFAULT – bad user-space buffer/pointer given to sendmsg(). Sender bug.
-
EMSGSIZE – message too large for the socket/protocol to send atomically (e.g., oversize UDP/UNIX-dgram). Sender data/MTU limits at the local stack boundary—not the remote host.
-
Any other unexpected errno not on the new whitelist (e.g., EINVAL, EAFNOSUPPORT, EDESTADDRREQ, ENOTCONN)—all indicate a local misuse/state problem.
Dependent on the remote syslog host or wider network?
None of the still-fatal ones. Host/network conditions like refused connection, no route, host down/unreachable, address not available, buffer pressure, or EAGAIN were explicitly moved to the “transient, keep retrying” bucket and no longer cause F_UNUSED.
-
-
@stephenw10 said in Syslog service in pfSense v2.8.1 often stop itself:
@slu said in Syslog service in pfSense v2.8.1 often stop itself:
Not sure this also happens in 2.8.0, maybe possible.
Yes, it's in 2.8.0 and 2.8.1 and 25.07. Unfortunately.
I was going to look into this and maybe a cronjob "just in case every 3 hours". Let us know the results of your investigation!
-
That patch is in the new 25.11-dev snapshots if you're able to test that. No CE snaps yet.
