CSF in Virtualmin is running, but logs are empty

I’m opening this thread on the Virtualmin forum because I saw another discussion (closed now) and I have what look to me like a similar issue.

I’ve installed CSF (Firewall version 14.24) following: ConfigServer Security & Firewall | Webmin

(In fact I’ve installed 2 on 2 different vVrtualmin and I have the same issue on both)

I’ve configured it, checked and followed the information from the previous discussion.

• Fail2ban is disable now
• FirewallD is disable now
• Linux Firewall set on boot
• GD perl library has been installed

Firewall status : Enable and running

Check security : Server Score: 39/39

Watch System Log has output (all 4)

Mar  8 21:27:59 wiki lfd[5153]: *User Processing* PID:500 Kill:0 User:zabbix Time:1836 EXE:/usr/sbin/zabbix_agentd CMD:/usr/sbin/zabbix_agentd: listener #9 [waiting for connection]
Mar  8 21:27:59 wiki lfd[5153]: *User Processing* PID:489 Kill:0 User:zabbix Time:1836 EXE:/usr/sbin/zabbix_agentd CMD:/usr/sbin/zabbix_agentd: listener #1 [waiting for connection]

View iptables rules display something

ldf status has output

 lfd.service - ConfigServer Firewall & Security - lfd
     Loaded: loaded (/lib/systemd/system/lfd.service; enabled; preset: enabled)
     Active: active (running) since Sat 2025-03-08 20:57:58 IST; 51min ago
    Process: 1824 ExecStart=/usr/sbin/lfd (code=exited, status=0/SUCCESS)
   Main PID: 1837 (lfd - sleeping)
      Tasks: 1 (limit: 2302)
     Memory: 19.5M
        CPU: 13.337s
     CGroup: /system.slice/lfd.service
             └─1837 "lfd - sleeping"

Mar 08 20:57:57 domain.com systemd[1]: Starting lfd.service - ConfigServer Firewall & Security - lfd...
Mar 08 20:57:58 domain.com systemd[1]: Started lfd.service - ConfigServer Firewall & Security - lfd.

/etc/csf/csf.logfiles shows path for “all” and for Debian. Nothing for Virtualmin.

/var/log/messages
/var/log/lfd.log
/var/log/cxswatch.log

# RedHat:
/var/log/secure

# Debian/Ubuntu:
/var/log/auth.log
/var/log/daemon.log
/var/log/syslog

Test iptables says everything is ok.

I can add that IP Country based filtering is working.
So csf is active and does things.

I have also restarted csf and the server, but View Iptables logs => No logs entries found and View ldf Statistics => No statistical data has been collected yet

Due ?!
What is missing to be sure everything is set properly ?

Maybe ask at https://forum.configserver.com/ would be a better place.

Is it something to do with Debian using systems /journalctl so no real logs are created?

Even if, it is still a question for the CFS folks? Last time I used it was a few decades ago as a cPanel plugin. I don’t see it in my Webmin unused modules list so I’m guessing this is their call.

It installs fine normally (I’ve only used it on “centos” type OS’s), I presume this maybe a OS thing.

For my own interest I install Debian 12 on a Vultr instance.
Installed Virtuamin and add a domain I do tests with.

Installed CSF from the install script and enable module and enable CSF in it config, that basically all I did. I haven’t touched the Filrewalld as it is disabled by the script and it says is not enabled at boot. I see Fail2ban is stopped but is set to start as boot, so I did disable that.

I had a look at Watch System Logs and logs are showing ok.
So not sure why you not seeing them.
Screenshots

image1723×520 62.7 KB

image1527×517 95.9 KB

image1045×444 70.6 KB

image1405×409 86.2 KB

image1307×596 112 KB

Any idea what that is, I don’t have /usr/sbin/zabbix_agentd in my install. Maybe a confict there.

Dear Stefan, thank you for your time.

Can you tell me how it was installed ?
I followed ConfigServer Security & Firewall | Webmin
May you did something different ?

I can see on my server all these logs you are showing on your screenshot.

But I don’t see anything for the iptables_log and lfd statistics.

Screenshot 2025-03-09 at 10.54.272492×824 185 KB

Screenshot 2025-03-09 at 10.54.532492×824 82.1 KB

Screenshot 2025-03-09 at 10.55.012492×824 84.6 KB

On different screenshot of CSF seen on the internet (like there: ConfigServer Security and Firewall (csf) – ConfigServer Services), these are populated and I also see charts that I don’t see anywhere.

Do you see something there ?

About zabbix, I have the issue also if zabbix is not installed.
I have 2 Virtualmin server Debian12 with the same issue and one is fresh install without zabbix.

I follow the docs
https://download.configserver.com/csf/install.txt

I’ve destroyed the VPS now.
I can reinstall tomorrow and check those logs.

To see charts you do need to install something, I can’t remember what off hand.
Bit late and tired now.

The first instance I installed was following this guide too.

Thanks you for your input and I hope you had a great week-end.
FYI, I also asked on the CSF forum and I will update here if a solution is found.

I’m getting the same results, iptables log in the config is

image425×273 12.3 KB

so that needs correcting. Not sure what though.

Look at there website I don’t think you can run this software on Debian 12

image589×262 9.03 KB

I think this is due to the logging system.

There forum seems dead as well, so not sure anything will change.

I appreciate your input and assistance with this, thanks.

I’ve been searching online, and while several posts discuss the issue, I haven’t found a solution yet.

I posted a question in the CSF forum yesterday and still hope to get a response there (the forum isn’t that dead ).

You’re right, official support only extends to Debian 11, which is making me reconsider whether CSF was the best choice for a future-proof solution…

Of course… I just posted the above and found a possible workaround.

After all, CSF is working fine (as far as I can see) and my only issue is with the logs.

In Debian 12, logs are now managed by systemd-journald, and /var/log/syslog does not exist by default, but rsyslog is still available and can be configured to store logs in /var/log/syslog.
I can explore and test later today on my demo server. (will post the results)

Hope it doesn’t break anything on the virtualmin side.
Any thoughts ?

This is a little disturbing since systemd-journald is the new default. I’d guess RH uses them since it was their engineer that came up with it. If CSF can’t work with it, then I guess it could be they aren’t really in active development since this change happened a good while ago.

EDIT: Put it back since @jimr1 was responding to it while I was deleting it.

That said it could take a ‘good while’ to get this to work, this is in response to yor deleted post. But seems like red hat are removing iptables from there repositories so everything may need recoding to suit what is now available

Well, probably the move to nftables is long overdue? That said, CSF seems to concentrate on the RH side of things so it becomes IF they want to keep the script going. It seems to be their hook for their other products so it depends on if that side of things is worthwhile enough to keep it going. Their commercial products always seemed marginally useful to me but my former partner was more convinced. (I talked him out of it) Kind of like fishing lures. They are designed to catch buyers more than fish.

Ok, I have the start of a solution so I’ll write it down here for “the” next guy.
Based on an answer at CSF in Virtualmin is running, but logs are empty - ConfigServer Community Forum.

I installed rsyslog on my Debian12.

apt install rsyslog

syslog and other logs started to populated.

4 new logs appears on CSF

Screenshot 2025-03-10 at 18.21.13558×444 68.1 KB

At csf.conf at the end of the config file, paths are declared.
I changed "IPTABLES_LOG = “/var/log/messages” to "IPTABLES_LOG = “/var/log/syslog”.

Restarted csf and fianlly I can see something on the view iptables log.
It is a bit different from the sample screeshots but at least it displays something.

Screenshot 2025-03-10 at 20.31.062462×956 228 KB