SYSLOG_LOG Error

Hello. I had some problems with csf which I resolved. Now I have another syslog error. Please help

| Operating system | Ubuntu Linux 22.04 | | |
| --- | --- | --- | --- |
| Webmin version | 2.111 | Usermin version | 2.010 |
| Virtualmin version | 7.10.0 | | |

I get these in the email

Time: Fri May 24 19:18:50 2024 +0300
Error: Failed to detect code [nYVHpc4UXrIKNYDRiVOe39ASLK] in SYSLOG_LOG [/var/log/messages]

SYSLOG may not be running correctly on myhostname

That’s not a message you’d get on a stock Virtualmin installation. What is generating that email?

Generally syslog is not expected to be running, or even installed, on an Ubuntu 22.04 system.

As I wrote the message about CSF

May 24 18:38:49 cp lfd[21697]: SYSLOG CHECK Failed to detect check line [MwDVvgpQgWr90MjGvwv5iTHdHr] sent to SYSLOG
May 24 18:48:50 cp lfd[22941]: SYSLOG CHECK Failed to detect check line [XHQjo9X7nrjTMCUeOhIvffxQbmWv] sent to SYSLOG
May 24 18:58:50 cp lfd[23819]: SYSLOG CHECK Failed to detect check line [t0HIFWinzanx4uBcwq7SBCDOpka4G] sent to SYSLOG
May 24 19:08:50 cp lfd[24653]: SYSLOG CHECK Failed to detect check line [OW60nIe4kFE7a4NT8zDwf213] sent to SYSLOG
May 24 19:18:50 cp lfd[26310]: SYSLOG CHECK Failed to detect check line [nYVHpc4UXrIKNYDRiVOe39ASLK] sent to SYSLOG
May 24 19:28:50 cp lfd[27507]: SYSLOG CHECK Failed to detect check line [Dzg1rbIkqnh52dlb4] sent to SYSLOG

Ah, I don’t know anything about CSF, but maybe someone else can help.

I’d guess you need to install and setup rsyslog (syslog is no longer a standard part of Linux systems, it has been replaced by journald).

Seems like you’re having a lot of problems with CSF, I think you’d be better served by a stock Virtualmin system until you know more about this stuff.

I remember this message popped up for me from time to time as well. I think restarting the rsyslog, lfd, and csf services fixed it. Log file permissions could also be a source of this problem.

It is also possible to disable this check somewhere in the CSF configuration.

Furthermore, I’d like to point out again that you don’t need to worry about any of it. FirewallD and Fail2Ban already do all the work. You don’t need to micromanage blocks from bots trying to brute force your SMTP password. Just make sure you and your users use strong passwords and forget about it.

Default should be disabled. Where are you seeing these messages?

csf mentions in the description that the (perl Sys…syslog module) must be installed. How can I know if it is installed or not on the Server?

Log lfd messages to SYSLOG in addition to /var/log/lfd.log. You must have the
perl module Sys::Syslog installed to use this feature

I don’t know, and I want you to tell me: if I don’t have the syslog module, will I have all the attack records in the log file?

I don’t think you need to do that.

Should I turn this setting off?

I did, I don’t see any errors.

I also added this to the csf.pignore to stop all those messages:

EXE:/usr/lib/postfix/sbin/pickup
EXE:/usr/lib/dovecot/anvil
EXE:/usr/sbin/php-fpm8.1
EXE:/usr/sbin/milter-greylist
EXE:/usr/sbin/opendkim
EXE:/usr/lib/systemd/systemd-networkd
EXE:/usr/lib/dovecot/stats
EXE:/usr/bin/freshclam
EXE:/usr/bin/perl
EXE:/usr/lib/systemd/systemd-timesyncd
EXE:/usr/sbin/rsyslogd
EXE:/usr/lib/postfix/sbin/tlsmgr
EXE:/usr/lib/postfix/sbin/qmgr
EXE:/usr/lib/dovecot/imap-login
EXE:/usr/lib/postfix/sbin/smtpd
EXE:/usr/lib/dovecot/imap

Do you have this setting on 3?

0 = Allow those options listed above to be used and configured
1 = Disable all the options listed above and prevent them from being used
2 = Disable only alerts about this feature and do nothing else
3 = Restrict syslog/rsyslog access to RESTRICT_SYSLOG_GROUP ** RECOMMENDED **
RESTRICT_SYSLOG = "3"

Yep I went with 3

Is this the error you’re getting?

I changed a setting, and I see that I have no syslog errors now and the syslog logs normally. I changed SYSLOG_LOG from /var/log/messages to /var/log/syslog.

For /var/log/syslog

May 25 13:05:01 cp rsyslogd: action ‘action-3-builtin:omfile’ suspended (module ‘builtin:omfile’), retry 0. There should be messages before this one giving the reason for suspension. [v8.2112.0 try You searched for error 2007 - rsyslog ]
May 25 13:05:01 cp rsyslogd: action ‘action-3-builtin:omfile’ resumed (module ‘builtin:omfile’) [v8.2112.0 try You searched for error 2359 - rsyslog ]
May 25 13:05:01 cp CRON[29491]: (root) CMD (/etc/webmin/status/monitor.pl >/dev/null 2>&1)
May 25 13:05:00 cp kernel: [ 4679.867557] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=00:50:56:4e:2e:e6:74:83:ef:4e:ae:4b:08:00 SRC=165.154.11.225 DST=84.247.LEN=60 TOS=0x00 PREC=0x60 TTL=48 ID=4884 DF PROTO=TCP SPT=42569 DPT=59999 WINDOW=29200 RES=0x00 SYN URGP=0
May 25 13:04:49 cp kernel: [ 4668.864738] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=00:50:56:4e:2e:e6:74:83:ef:4e:ad:b9:08:00 SRC=35.203.210.222 DST=84.247 LEN=44 TOS=0x00 PREC=0x00 TTL=58 ID=54321 PROTO=TCP SPT=53468 DPT=9643 WINDOW=65535 RES=0x00 SYN URGP=0
May 25 13:04:45 cp lfd[27241]: SYSLOG check [7SP8fe7mt37qvalkT0Er]
May 25 13:04:39 cp kernel: [ 4658.186292] Firewall: TCP_IN Blocked IN=eth0 OUT= MAC=00:50:56:4e:2e:e6:74:83:ef:4e:ad:b9:08:00 SRC=78.99.49.58 DST=84.247.***** LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=35048 DF PROTO=TCP SPT=51151 DPT=2222 WINDOW=14520 RES=0x00 SYN URGP=0

Yes, I received this email with the error.

I found information here: Failed to detect code in SYSLOG_LOG - ConfigServer Community Forum


Yep, I changed back to /var/log/messages and that error came up. All good then.
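The check lfd runs every ten minutes in the thread above (write a random code to syslog, then look for it in SYSLOG_LOG) can be reproduced by hand to see whether the code is missing because SYSLOG_LOG points at the wrong file, the file is unreadable, or rsyslog is not writing at all. This is an added example, not code from the thread or from CSF; the function names, the sample log lines and the temporary files are constructed here, and `live_check` assumes `logger(1)` and a running rsyslog.

```shell
#!/bin/sh
# Added example (not CSF's own code): a by-hand version of lfd's SYSLOG CHECK.
# lfd logs a random code via Sys::Syslog and greps SYSLOG_LOG for it. On Ubuntu
# rsyslog writes to /var/log/syslog, so SYSLOG_LOG=/var/log/messages never sees it.

# syslog_check_file CODE LOGFILE: 0 = code found, 1 = not found, 2 = file unreadable
syslog_check_file() {
    code=$1; logfile=$2
    [ -r "$logfile" ] || return 2        # missing path or log permissions problem
    grep -qF -- "$code" "$logfile"
}

# find_syslog_target CODE FILE...: print the first file that actually received CODE
find_syslog_target() {
    code=$1; shift
    for f in "$@"; do
        if [ -r "$f" ] && grep -qF -- "$code" "$f"; then
            printf '%s\n' "$f"; return 0
        fi
    done
    return 1
}

# has_sys_syslog: the perl module the csf.conf comment says SYSLOG_LOG needs
has_sys_syslog() { perl -MSys::Syslog -e 1 2>/dev/null; }

# live_check: send a token through the real syslog socket and report where it lands
live_check() {
    code=$(od -An -N12 -tx1 /dev/urandom | tr -d ' \n')
    logger -t lfd "SYSLOG check [$code]"
    sleep 2                               # give rsyslog time to flush the line
    find_syslog_target "$code" /var/log/syslog /var/log/messages
}

# demo: constructed files standing in for a box where rsyslog writes to syslog
# while SYSLOG_LOG still points at an empty messages file
demo() {
    dir=$(mktemp -d)
    printf 'May 25 13:04:45 cp lfd[27241]: SYSLOG check [7SP8fe7mt37qvalkT0Er]\n' > "$dir/syslog"
    : > "$dir/messages"
    if syslog_check_file 7SP8fe7mt37qvalkT0Er "$dir/messages"; then
        echo "SYSLOG_LOG=$dir/messages: OK"
    else
        echo "SYSLOG_LOG=$dir/messages: Failed to detect code; it landed in $(find_syslog_target 7SP8fe7mt37qvalkT0Er "$dir/syslog" "$dir/messages")"
    fi
    rm -rf "$dir"
}
```

Run `demo` for the offline reproduction, or `live_check` on the server itself to learn which file SYSLOG_LOG should name.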
