Actions
Bug #16477
open
syslog-ng 4.8.1 stops processing files after log rotation
Status:
New
Priority:
Normal
Assignee:
-
Category:
syslog-ng
Target version:
-
Start date:
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Affected Version:
2.8.1
Affected Plus Version:
Affected Architecture:
amd64
Description
Environment:
pfSense: 2.8.1-RELEASE
syslog-ng: 4.8.1 (compiled Sep 9 2025)
Hardware: Intel Xeon E5-2630L v3, 16GB RAM
Configuration:
source s_suricata_files {
file("/var/log/suricata/suricata_bge313693/eve.json" flags(no-parse) follow-freq(1));
file("/var/log/suricata/suricata_bge410085/eve.json" flags(no-parse) follow-freq(1));
file("/var/log/suricata/suricata_bge528435/eve.json" flags(no-parse) follow-freq(1));
};
Symptoms:
Process running but stopped forwarding logs
lsof showed no open file descriptors to eve.json files
Occurred after Suricata log rotation (eve.json → eve.json.timestamp)
persist file exists at /var/db/syslog-ng.persist
- Process running
syslog_ng is running as pid 90322
- But no files open
lsof -p 90322 | grep eve.json
(no output)
- Stats showing zero processing
syslog-ng-ctl stats
Workaround:
killall -9 syslog-ng
service syslog-ng restart
Updated by Jim Pingle 10 days ago
- Project changed from pfSense to pfSense Packages
- Category changed from Logging to syslog-ng
- Release Notes deleted (
Default)
Actions