Regression #16362
open
syslogd can die if a remote syslog server refuses connection
Added by Steve Wheeler about 2 months ago.
Updated about 11 hours ago.
Plus Target Version:
25.11
Affected Architecture:
All
Description
When a remote syslog server is configured for logging but that host replies to syslog traffic with 'connection refused' it can cause syslogd to be killed in pfSense.
So that requires the remote host to be UP (responds to ARP) and not blocking the connection and not accepting syslog traffic.
Logged locally:
Aug 11 16:05:07 syslogd sendto: Connection refused
After some time syslogd will die without logging anything.
Tested: 25.07, 2.8.0, 2.8.1-RC
I can't reproduce this.
In my test I did see that syslogd noticed the error (ECONNREFUSED) and then marked the destination as UNUSED. It will then no longer attempt to deliver to that destination.
Arguably that's wrong, because this could be a temporary error so I'd argue it should keep trying, but syslogd does not exit.
I'll post a review to upstream freebsd to address that bit.
When you say "After some time" is that after a few seconds, minutes, hours, days, ...?
In my test setup it was of the order of 10mins.
- Status changed from New to Feedback
This looks to be fixed in 25.11 after the recent patches to syslogd. I can no longer replicate it there.
This is driving us slightly crazy on our various 2.8.1 installs. I have gone so far as to add crontab entries to restart syslogd hourly on some of them...and every now and again still miss half an hour of logs.
Is it possible to swap to the newer syslog that would be analogous to the 25.11 dev branch on 2.8.1?
Thanks!
As a workaround to prevent the syslogd process being killed before that patched version is available you can add firewall rules to prevent it seeing the 'refused' response from the server.
To do that you need to add a floating outbound UDP pass rule to match the syslog traffic with 'state type' set to none in the advanced options.
Then also a block rule for the ICMP reply from the server on the appropriate interface.
With those in place the syslog process in pfSense will just keep sending logs.
Hm. Seems to happen less frequently but still happened once in the last 48hrs across four 2.8.1 pfSense CE installs.
rules created:
floating udp source: this firewall (self), dest: <ip of syslog server>, port <syslog destport in use>, action: pass, quick: true, direction:any
on interface syslog server is on:
icmp, source: <ip of syslog server>, dest: this firewall (self), action: block
Did I misinterpret the instructions? Anything I missed?
Thanks!
- Has duplicate Bug #16458: syslog crashed if remote syslog server is temp. not reachable added
This was happening to me with 25.07.1 but I can't reproduce it with the latest dev snapshots, e.g. 25.11.a.20250927.0600
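The comments above turn on how a UDP log sender reacts to ECONNREFUSED: marking the destination unused stops delivery even after the collector returns, while retrying keeps logs flowing. The following is an added example, not syslogd's code and not part of the original thread; it assumes a loopback collector and a kernel that reports the ICMP reply on a connected UDP socket, and the names `free_udp_port` and `forward` are hypothetical.

```python
import socket

def free_udp_port():
    """Return a loopback UDP port that currently has no listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def forward(port, lines, disable_on_refused, listener_up_after):
    """Send lines to 127.0.0.1:port over a connected UDP socket.

    A collector is bound to the port once `listener_up_after` lines have been
    handled (constructed stand-in for a server that starts accepting again).
    Returns (received_lines, refused_count, skipped_count).
    """
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.connect(("127.0.0.1", port))
    rx, enabled, refused, skipped = None, True, 0, 0
    for i, line in enumerate(lines):
        if i == listener_up_after:
            rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            rx.bind(("127.0.0.1", port))
            rx.settimeout(0.2)
        if not enabled:
            skipped += 1          # destination was disabled: line never sent
            continue
        for _ in range(3):        # bounded retry of the same line
            try:
                tx.send(line.encode())
                break
            except ConnectionRefusedError:   # ECONNREFUSED from the ICMP reply
                refused += 1
                if disable_on_refused:
                    enabled = False
                    break
    received = []
    while rx is not None:
        try:
            received.append(rx.recv(2048).decode())
        except socket.timeout:
            break
    tx.close()
    if rx is not None:
        rx.close()
    return received, refused, skipped

if __name__ == "__main__":
    logs = [f"<134>constructed test line {i}" for i in range(6)]
    for policy in (True, False):
        got, refused, skipped = forward(free_udp_port(), logs, policy, 3)
        print(f"disable_on_refused={policy}: received={len(got)} "
              f"refused={refused} skipped={skipped}")
```
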