Regression #16362

open

syslogd can die if a remote syslog server refuses connection

Added by Steve Wheeler about 2 months ago. Updated about 8 hours ago.

Status: Feedback
Priority: Normal
Assignee: -
Category: Logging
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: 25.11
Release Notes: Default
Affected Version: 2.8.0
Affected Architecture: All

Description

When a remote syslog server is configured for logging but that host replies to syslog traffic with 'connection refused', it can cause syslogd to be killed in pfSense.

So that requires the remote host to be UP (responds to ARP) and not blocking the connection and not accepting syslog traffic.

Logged locally:

Aug 11 16:05:07     syslogd         sendto: Connection refused 

After some time syslogd will die without logging anything.

Tested: 25.07, 2.8.0, 2.8.1-RC


Related issues

Has duplicate Bug #16458: syslog crashed if remote syslog server is temp. not reachable (Duplicate)

Actions #1

Updated by Kristof Provost about 2 months ago

I can't reproduce this.

In my test I did see that syslogd noticed the error (ECONNREFUSED) and then marked the destination as UNUSED. It will then no longer attempt to deliver to that destination.
Arguably that's wrong, because this could be a temporary error so I'd argue it should keep trying, but syslogd does not exit.

I'll post a review to upstream freebsd to address that bit.

When you say "After some time" is that after a few seconds, minutes, hours, days, ...?
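An added illustration, not code from syslogd or from anyone in this thread: the sketch below reproduces the `Connection refused` condition on loopback and contrasts dropping the destination at the first ECONNREFUSED with treating the refusal as transient. It assumes a connected UDP socket; `open_refusing_dest` and `send_logs` are hypothetical helper names and the log line is constructed.

```c
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Connected UDP socket aimed at a loopback port that nothing listens on. */
static int open_refusing_dest(void)
{
    struct sockaddr_in a = { .sin_family = AF_INET };
    socklen_t len = sizeof(a);
    int probe = socket(AF_INET, SOCK_DGRAM, 0), s = socket(AF_INET, SOCK_DGRAM, 0);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    int ok = probe >= 0 && s >= 0 &&
             bind(probe, (struct sockaddr *)&a, sizeof(a)) == 0 &&
             getsockname(probe, (struct sockaddr *)&a, &len) == 0;
    close(probe);   /* port was kernel-chosen (bind to 0); now nothing listens on it */
    if (ok && connect(s, (struct sockaddr *)&a, sizeof(a)) == 0)
        return s;
    close(s);
    return -1;
}

/* Sends up to n constructed log lines; returns the number of send attempts.
 * keep_trying == 0 drops the destination at the first ECONNREFUSED, != 0 retries. */
static int send_logs(int s, int n, int keep_trying, int *refused)
{
    static const char msg[] = "<14>constructed test message";
    int attempts = 0;
    for (*refused = 0; attempts < n; poll(NULL, 0, 10)) { /* 10 ms for the ICMP error */
        attempts++;
        if (send(s, msg, sizeof(msg) - 1, 0) >= 0)
            continue;
        if (errno == ECONNREFUSED)
            (*refused)++;
        if (errno != ECONNREFUSED || !keep_trying)
            break;      /* other failure, or policy says give up on this destination */
    }
    return attempts;
}

int main(void)
{
    int refused = 0, s = open_refusing_dest();
    int attempts = s < 0 ? 0 : send_logs(s, 20, 1, &refused);
    printf("attempts=%d refused=%d\n", attempts, refused);
    return s < 0;
}
```

The first `send` succeeds because the ICMP port-unreachable has not come back yet; the refusal is reported on a later call, which is why the error only appears when the host is up and answering.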

Actions #2

Updated by Steve Wheeler about 2 months ago

In my test setup it was of the order of 10 mins.

Actions #3

Updated by Steve Wheeler 15 days ago

  • Status changed from New to Feedback

This looks to be fixed in 25.11 after the recent patches to syslogd. I can no longer replicate it there.

Actions #4

Updated by Dave Anderson 7 days ago

This is driving us slightly crazy on our various 2.8.1 installs. I have gone so far as to add crontab entries to restart syslogd hourly on some of them...and every now and again still miss half an hour of logs.

Is it possible to swap to the newer syslog that would be analogous to the 25.11 dev branch on 2.8.1?

Thanks!

Actions #5

Updated by Steve Wheeler 6 days ago

As a workaround to prevent the syslogd process being killed before that patched version is available you can add firewall rules to prevent it seeing the 'refused' response from the server.

To do that you need to add a floating outbound UDP pass rule to match the syslog traffic with 'state type' set to none in the advanced options.

Then also a block rule for the ICMP reply from the server on the appropriate interface.

With those in place the syslog process in pfSense will just keep sending logs.

Actions #6

Updated by Dave Anderson 4 days ago

Hm. Seems to happen less frequently but still happened once in the last 48hrs across four 2.8.1 pfSense CE installs.

rules created:
floating udp source: this firewall (self), dest: <ip of syslog server>, port <syslog destport in use>, action: pass, quick: true, direction:any

on interface syslog server is on:
icmp, source: <ip of syslog server>, dest: this firewall (self), action: block

Did I misinterpret the instructions? Anything I missed?

Thanks!

Actions #7

Updated by Jim Pingle about 9 hours ago

  • Has duplicate Bug #16458: syslog crashed if remote syslog server is temp. not reachable added
Actions #8

Updated by luckman212 about 8 hours ago

This was happening to me with 25.07.1 but I can't reproduce it with the latest dev snapshots, e.g. 25.11.a.20250927.0600
