Syslog fails on 2.8.1 when remote syslog server goes down
-
I run several pfSenses. One setup is a cluster. I have upgraded one member of the cluster to 2.8.1, the other still on 2.8.0.
First - the syslogging source-ip issue that was introduced on 2.8.0 is now fixed, a big thanks for that. The thing essentially broke a bunch of my Splunk rules, and with 2.8.1 it is now working again.
However, I see another worrying thing on 2.8.1. When I restart my Splunk listener (a HF), pfSense 2.8.1 stops logging, whereas 2.8.0 continues logging. I have to manually go into logging settings and press "save" on 2.8.1 to get the logs going again. The 2.8.0 pfSense just kept going and did not mind that the syslog receiver was down.
As this is UDP, it baffles me a bit. My other 2.8.1's behaved the same way - I lost logging from 3 pfSenses at the same moment the HF was restarted.
The difference between 2.8.0 and 2.8.1 behavior exists I would say.
-
See: https://forum.netgate.com/topic/198792/syslog-service-in-pfsense-v2.8.1-often-stop-itself/
Let's keep it in that thread.