Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Syslog service in pfSense v2.8.1 often stop itself

    Scheduled Pinned Locked Moved General pfSense Questions
    73 Posts 21 Posters 11.6k Views 21 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S Offline
      stephenw10 Netgate Administrator
      last edited by

      Yes, that's the bug discussed here. The workaround rules will prevent it. https://redmine.pfsense.org/issues/16362#note-5

      1 Reply Last reply Reply Quote 0
      • provelsP Offline
        provels @aldomoro
        last edited by

        @aldomoro Possibly the best use of Service Watchdog. Maybe the only one! :)

        Peder

        MAIN - pfSense+ 25.07.1-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

        1 Reply Last reply Reply Quote 0
        • G Offline
          geovaneg
          last edited by geovaneg

          Hi,

          Same problem here:

          "Nov 2 22:00:02 pfsense syslogd: sendto: Connection refused" (system.log)

          PfSense CE 2.8.1, remote logging enabled.

          Anothers instances 2.8 running OK.

          Workaround: whatchdog

          Thanks.

          Geovane

          1 Reply Last reply Reply Quote 0
          • T Offline
            tyros
            last edited by

            Same problem here on 2.8.1

            1 Reply Last reply Reply Quote 0
            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              Applying the workaround firewall rules will prevent it seeing the refusals so will not stop.

              1 Reply Last reply Reply Quote 0
              • G Offline
                geovaneg
                last edited by

                Hi,

                Apparently the rule isn't working because the traffic counters aren't incrementing. There's a "let out anything IPv4 from firewall host itself" rule with higher precedence that seems to be capturing UDP traffic to the remote syslog server, even though the new rule is of the "floating" type.

                @28 pass out inet all flags S/SA keep state (if-bound) allow-opts label "let out anything IPv4 from firewall host itself" ridentifier 1000003613
@46 pass quick inet proto udp from (self:3) to 10.0.1.19 no state label "USER_RULE: rule to avoid syslog stop bug" label "id:1762800608" ridentifier 1762800608

                Geovane

                M 1 Reply Last reply Reply Quote 0
                • M Online
                  mcury Rebel Alliance @geovaneg
                  last edited by

                  @geovaneg said in Syslog service in pfSense v2.8.1 often stop itself:

                  Apparently the rule isn't working because the traffic counters aren't incrementing.

                  Yeap, they should increment.

                  82800c5e-e2fa-443d-966f-daf60c958949-image.png

                  dead on arrival, nowhere to be found.

                  1 Reply Last reply Reply Quote 0
                  • G Offline
                    geovaneg
                    last edited by

                    This is a VPN server located in the DMZ... It has no LAN interface, only a WAN and IPSEC interface, and the counters are not incrementing despite continuous traffic to the log server.

                    be345213-0d0e-407e-b226-9fdece1e5073-image.png

                    I might be forgetting something obvious, but I reviewed the settings and tested it more than twice.

                    Geovane

                    1 Reply Last reply Reply Quote 0
                    • G Offline
                      geovaneg
                      last edited by

                      In any case, the watchdog isn't the perfect solution, but it did the job.

                      thanks

                      Geovane

                      1 Reply Last reply Reply Quote 0
                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        Looks like you might have the source port set to 514 instead of the destination.

                        In your first screenshot it's not shown as an OUT rule also but it looks like you corrected that.

                        1 Reply Last reply Reply Quote 0
                        • T Offline
                          taz3146
                          last edited by

                          Same ongoing issue, remote syslog enabled, it seems rather random, but mostly when the logging machine is down, which is a linux vm on proxmox host.

                          1 Reply Last reply Reply Quote 0
                          • B Offline
                            Bria1972 @stephenw10
                            last edited by

                            @slu said in Syslog service in pfSense v2.8.1 often stop itself:

                            @jrey years ago there was a p1 release:
                            https://docs.netgate.com/pfsense/en/latest/releases/2-3-5-p1.html

                            Thanks for the source

                            1 Reply Last reply Reply Quote 0
                            • First post
                              Last post
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.