Regression #16362
open
syslogd can die if a remote syslog server refuses connection
0%
Description
When a remote syslog server is configured for logging but that host replies to syslog traffic with 'connection refused' it can cause syslogd to be killed in pfSense.
So that requires the remote host to be UP (responds to ARP) and not blocking the connection and not accepting syslog traffic.
Logged locally:
Aug 11 16:05:07 syslogd sendto: Connection refused
After some time syslogd will die without logging anything.
Tested: 25.07, 2.8.0, 2.8.1-RC
Related issues
Updated by Kristof Provost about 2 months ago
I can't reproduce this.
In my test I did see that syslogd noticed the error (ECONNREFUSED) and then marked the destination as UNUSED. It will then no longer attempt to deliver to that destination.
Arguably that's wrong, because this could be a temporary error so I'd argue it should keep trying, but syslogd does not exit.
I'll post a review to upstream freebsd to address that bit.
When you say "After some time" is that after a few seconds, minutes, hours, days, ...?
Updated by Steve Wheeler about 2 months ago
In my test setup it was of the order of 10mins.
Updated by Steve Wheeler 15 days ago
- Status changed from New to Feedback
This looks to be fixed in 25.11 after the recent patches to syslogd. I can no longer replicate it there.
Updated by Dave Anderson 7 days ago
This is driving us slightly crazy on our various 2.8.1 installs. I have gone so far as to add crontab entries to restart syslogd hourly on some of them...and every now and again still miss half an hour of logs.
Is it possible to swap to the newer syslog that would be analagous to the 25.11 dev branch on 2.8.1?
Thanks!
Updated by Steve Wheeler 6 days ago
As a workaround to prevent the syslogd process being killed before that patched version is available you can add firewall rules to prevent it seeing the 'refused' response from the server.
To do that you need to add a floating outbound UDP pass rule to match the syslog traffic with 'state type' set to none in the advanced options.
Then also a block rule for the ICMP reply from the server on the appropriate interface.
With those in place the syslog process in pfSense will just keep sending logs.
Updated by Dave Anderson 4 days ago
Hm. Seems to happen less frequently but still happened once in the last 48hrs across four 2.8.1 pfSense CE installs.
rules created:
floating udp source: this firewall (self), dest: <ip of syslog server>, port <syslog destport in use>, action: pass, quick: true, direction:any
on interface syslog server is on:
icmp, source: <ip of syslog server>, dest: this firewall (self), action: block
Did I misinterpret the instructions? Anything I missed?
Thanks!
Updated by Jim Pingle about 9 hours ago
- Has duplicate Bug #16458: syslog crashed if remote syslog server is temp. not reachable added
Updated by → luckman212 about 8 hours ago
This was happening to me with 25.07.1 but I can't reproduce it with the latest dev snapshots eg 25.11.a.20250927.0600