Syslog service in pfSense v2.8.1 often stop itself
-
If it's actually external you can add the work-around stateless floating rules to prevent the connection refused message.
-
@stephenw10 If directed at me, it's not external. It's a second HDD internal to the FW, mounted as a directory on the system SSD. Not complaining.
-
No sorry that was at the previous poster. The workaround rule won't work for traffic to syslog-ng locally.

-
Stopped again this AM at 00:15, random interval. Maybe something to do with daily log rotation, GZipping the log, dunno. Just info, not an issue for me anyway.
6 Matched General Log Entries. (Maximum 500)
Oct 23 00:15:02 php-cgi 95349 notify_monitor.php: Message sent to provels
Oct 23 00:15:02 syslogd kernel boot file is /boot/kernel/kernel
Oct 14 00:15:03 php-cgi 10330 notify_monitor.php: Message sent to provels
Oct 14 00:15:02 syslogd kernel boot file is /boot/kernel/kernel
Oct 3 00:15:03 php-cgi 55524 notify_monitor.php: Message sent to provels
Oct 3 00:15:02 syslogd kernel boot file is /boot/kernel/kernel
The top of today's default.log.
Oct 23 00:00:00 fw syslog-ng[13248]: Configuration reload request received, reloading configuration;
Oct 23 00:00:00 fw syslog-ng[13248]: Configuration reload finished;
Oct 23 00:10:00 fw syslog-ng[13248]: Log statistics; processed='destination(_DEFAULT)=183', dropped='global(internal_source)=0', processed='global(internal_source)=183', queued='global(internal_source)=0', processed='global(msg_clones)=0', processed='source(_DEFAULT)=183', processed='src.internal(_DEFAULT#0)=183', processed='global(sdata_updates)=0', stamp='src.internal(_DEFAULT#0)=1761195600', queued='global(scratch_buffers_count)=0', processed='global(payload_reallocs)=178', processed='center(queued)=183', processed='center(received)=183', queued='global(scratch_buffers_bytes)=0'
Oct 23 00:15:02 localhost syslogd: restart
Oct 23 00:15:02 localhost syslogd: kernel boot file is /boot/kernel/kernel
Oct 23 00:15:02 localhost php-cgi[95349]: notify_monitor.php: Message sent to provels
-
Hi
We use Graylog as remote syslog. If the server with Graylog has an outage, e.g. is restarted due to updates, syslogd is stopped in pfSense 2.8.1. We did not have this issue in v2.8.0.
Aldomoro
-
Yes, that's the bug discussed here. The workaround rules will prevent it. https://redmine.pfsense.org/issues/16362#note-5
-
@aldomoro Possibly the best use of Service Watchdog. Maybe the only one! :)
-
Hi,
Same problem here:
"Nov 2 22:00:02 pfsense syslogd: sendto: Connection refused" (system.log)
pfSense CE 2.8.1, remote logging enabled.
Other 2.8 instances are running OK.
Workaround: watchdog
Thanks.
Geovane
-
Same problem here on 2.8.1
-
Applying the workaround firewall rules will prevent it seeing the refusals, so it will not stop.
-
Hi,
Apparently the rule isn't working because the traffic counters aren't incrementing. There's a "let out anything IPv4 from firewall host itself" rule with higher precedence that seems to be capturing UDP traffic to the remote syslog server, even though the new rule is of the "floating" type.
@28 pass out inet all flags S/SA keep state (if-bound) allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000003613
@46 pass quick inet proto udp from (self:3) to 10.0.1.19 no state label "USER_RULE: rule to avoid syslog stop bug" label "id:1762800608" ridentifier 1762800608
Geovane
-
@geovaneg said in Syslog service in pfSense v2.8.1 often stop itself:
Apparently the rule isn't working because the traffic counters aren't incrementing.
Yeap, they should increment.

-
This is a VPN server located in the DMZ... It has no LAN interface, only a WAN and IPSEC interface, and the counters are not incrementing despite continuous traffic to the log server.

I might be forgetting something obvious, but I reviewed the settings and tested it more than twice.
Geovane
-
In any case, the watchdog isn't the perfect solution, but it did the job.
thanks
Geovane
-
Looks like you might have the source port set to 514 instead of the destination.
In your first screenshot it's not shown as an OUT rule also but it looks like you corrected that.
-
Same ongoing issue, remote syslog enabled. It seems rather random, but mostly when the logging machine is down, which is a Linux VM on a Proxmox host.
-
@slu said in Syslog service in pfSense v2.8.1 often stop itself:
@jrey years ago there was a p1 release:
https://docs.netgate.com/pfsense/en/latest/releases/2-3-5-p1.html
Thanks for the source