Syslog service in pfSense v2.8.1 often stop itself

dennypage

@KOM said in Syslog service in pfSense v2.8.1 often stop itself:

Why would you need a whole new snapshot for something that could be fixed via System Patches?

Binaries cannot be updated via System Patches.

stephenw10

That's a compile time fix, it can't be applied via System Patches.

jrey

@stephenw10

wasn't suggesting a "patch" in the current "pf"sense of a patch

On the other hand it is just a binary file, that could be provided and copied into place.

For those not willing to play with "Alpha" builds the release of 25.07.2 would be a great alternative, rather then having to wait for beta or even final release of 25.11

Maybe the "patch system" should have the ability to deliver a hot fix for certain binaries in the future?
somewhat surprising that since BSD at the core a patch could be created with bsdiff and bspatch both of which are available and actually installed as part of the package.

Annoying issues (and not that there are that many, this is one) could likely be fixed by providing this ability to either install a new file or run a binary patch, without having to wait for a full drop of the next version.
(the problem with patching vs copying, is as we have seen in that past, the files where different in the same "release" from one day to the next. Refresh my memory when was that 23.xx, I'd have to look it up)

point is when there is a will there is a way..

stephenw10

Yes we are looking at options.

slu

@jrey years ago there was a p1 release:
https://docs.netgate.com/pfsense/en/latest/releases/2-3-5-p1.html

aclrgt

Hello,
I'm experiencing the same problem with a client after updating to 25.07.1
I can also confirm that the problem occurs because we have a remote syslog server under maintenance.
Pf's syslogd should continue to work in this scenario.
I hope a fix is found soon.
Thank you,

KOM

@dennypage Huh. I did not know that.

stephenw10

As a workaround you can prevent the syslogd process seeing the connection rejection message from the server by adding firewall walls.

You need to pass the syslog traffic outbound with state set to 'none'. And block the incoming icmp rejection if it's not already blocked.

It then just keeps sending to the server.

vmillan69

I have the same problem but with version 25.07.1 of pfsense+ and I am in PCI non-compliance. I think it is not that the remote server is not available for me, it is a bug in the version and it is critical.

jrey

@vmillan69 said in Syslog service in pfSense v2.8.1 often stop itself:

I think it is not that the remote server is not available for me,

if it is not this specifically -- then more information is likely required to offer any suggestions --

same issue with code reference
https://forum.netgate.com/topic/198418/25.07-unbound-pfblocker-python-syslog/43?_=1758219580156

stephenw10

Yes if you're not seeing 'connection refused logged then it's not the same issue. In which case the more info you can give us the better.

aclrgt

@stephenw10 said in Syslog service in pfSense v2.8.1 often stop itself:

As a workaround you can prevent the syslogd process seeing the connection rejection message from the server by adding firewall walls.

You need to pass the syslog traffic outbound with state set to 'none'. And block the incoming icmp rejection if it's not already blocked.

It then just keeps sending to the server.

Thanks for the tips

mcury

Workaround tested on 25.07.1 and working, thanks @stephenw10

Follow for reference:

pfSense LAN: 192.168.50.254/24
Syslog: 192.168.50.253
Syslog port: UDP 1514


========
Status / System Logs / Settings
Remote Logging Options

Source Address: LAN
IP Protocol: IPv4
Remote log servers: 192.168.50.253:1514
========

Two floating rules:

Action: Pass
Interface: LAN
Direction: out
IPv4
Protocol: UDP
Source: 192.168.50.254
Source port: 514
Destination: 192.168.50.253
Destination port: 1514
State type: None
Description: WORKAROUND 16362

Action: Block
Quick: ticked
Interface: LAN
Direction: in
IPv4
Protocol: ICMP
ICMP Subtypes: Destination unreachable
Source: 192.168.50.253
Destination: 192.168.50.254
Description: WORKAROUND 16362

thetravellor

@mcury I will try your workaround.

I have just applied 25.11 dev and can confirm that it does not solve the syslog issue.

stephenw10

Hmm, 25.11-dev has the patched syslogd. Are you still seeing the connection refused message? What's the last thing(s) logged?

slu

said in Syslog service in pfSense v2.8.1 often stop itself:

"Service Watchdog" at the moment, maybe a workaround?

I can answer this myself (we rebooted yesterday our syslog server), service watchdog working:

20:43:00 Service Watchdog detected service syslogd stopped. Restarting syslogd (System Logger 
Daemon)

tsmalmbe

@slu How did you implement this - I have never added anything custom to the watchdog.

slu

@tsmalmbe not sure what's exactly your question because the custom, but here are the steps:

install Service_Watchdog package
Services / Service Watchdog
Add New Service
select syslogd

Done :)

tsmalmbe

@slu Yes exactly I needed this very obvious steps clearly spelled out to me :) Thank you.

provels

FWIW, I see the service stop randomly, too, but I just use a second HDD mounted on the system drive for my remote logging, so no remote syslog server that might require FW rules. I'd suggest turning on notifications on Watchdog as well so you can check logs.