lfd on server.example.com: SYSLOG Check Failed

Are you receiving messages like this on your cPanel/CentOS server with CSF installed?

Time: Wed Aug 23 13:31:28 2017 -0500
Error: Failed to detect code [bBBeGfELFkMEGUV4fi] in SYSLOG_LOG [/var/log/messages]

SYSLOG may not be running correctly on server.example.com

These messages are sent by lfd (Login Failure Daemon, part of the Config Server Firewall, CSF). It’s not an lfd issue. The issue is with rsyslog: it is not logging correctly.

There are some options to fix this issue.

First, make sure rsyslog is running. Use the service rsyslog status command:

root@web [~]# service rsyslog status
Redirecting to /bin/systemctl status  rsyslog.service
* rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2017-08-19 07:39:49 EDT; 4 days ago
 Main PID: 207 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           `-207 /usr/sbin/rsyslogd -n

Aug 19 07:39:49 web systemd[1]: Starting System Logging Service...
Aug 19 07:39:49 web systemd[1]: Started System Logging Service.
root@web [~]#

If it’s not running, try to start it with service rsyslog start:

root@web [~]# service rsyslog status
Redirecting to /bin/systemctl status  rsyslog.service
* rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2017-08-23 16:06:25 EDT; 7s ago
  Process: 4056 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 4056 (code=exited, status=0/SUCCESS)

Aug 23 16:06:13 web systemd[1]: Starting System Logging Service...
Aug 23 16:06:13 web systemd[1]: Started System Logging Service.
Aug 23 16:06:25 web systemd[1]: Stopping System Logging Service...
Aug 23 16:06:25 web systemd[1]: Stopped System Logging Service.
root@web [~]# service rsyslog start
Redirecting to /bin/systemctl start  rsyslog.service
root@web [~]# service rsyslog status
Redirecting to /bin/systemctl status  rsyslog.service
* rsyslog.service - System Logging Service
   Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2017-08-23 16:06:51 EDT; 4s ago
 Main PID: 4146 (rsyslogd)
   CGroup: /system.slice/rsyslog.service
           `-4146 /usr/sbin/rsyslogd -n

Aug 23 16:06:51 web systemd[1]: Starting System Logging Service...
Aug 23 16:06:51 web systemd[1]: Started System Logging Service.
root@web [~]#

Now, let’s check whether rsyslog is logging correctly by logging a test message:

root@web [~]# logger -p auth.notice "log test"
root@web [~]# grep "log test" /var/log/messages
root@web [~]#

If you don’t see your message, rsyslog is not working correctly. To fix this, you will need to edit the file /etc/rsyslog.conf. These lines must be commented out:

#$ModLoad imjournal # provides access to the systemd journal
#$IMJournalStateFile imjournal.state

and this option must be changed to off:

$OmitLocalLogging off

To comment a line in the rsyslog.conf file, add a # sign at the beginning of the line.

Then restart rsyslog with service rsyslog restart:

root@web [~]# service rsyslog restart
Redirecting to /bin/systemctl restart  rsyslog.service
root@web [~]#

Test again whether logging is working correctly:

root@web [~]# logger -p auth.notice "log test"
root@web [~]# grep "log test" /var/log/messages
Aug 23 16:09:06 web root: log test
root@web [~]#

Now, everything is running fine and you should not receive any more messages from lfd regarding rsyslog.
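
The /etc/rsyslog.conf edit and the logger test above can be scripted so the result is checked rather than eyeballed. This is an added example, not part of the original post or of CSF; the function names are hypothetical and the two config files are constructed samples. syslog_roundtrip repeats the logger test with a unique token so that an older "log test" line cannot produce a false match.

```shell
# Added example; function names are hypothetical, not part of CSF or rsyslog.
# Return 0 only if the file has the changes described above.
check_rsyslog_conf() {
    conf=$1; rc=0
    # No active (uncommented) imjournal directive may remain.
    if grep -Eq '^[[:space:]]*\$(ModLoad[[:space:]]+imjournal|IMJournalStateFile)' "$conf"; then
        echo "FAIL: an imjournal directive is still active"; rc=1
    fi
    # Every active $OmitLocalLogging line must be set to off.
    if grep -E '^[[:space:]]*\$OmitLocalLogging[[:space:]]' "$conf" |
        awk '{ if (tolower($2) != "off") bad = 1 } END { exit !bad }'; then
        echo "FAIL: \$OmitLocalLogging is not off"; rc=1
    fi
    return "$rc"
}

# Log a unique token and look for it in the log file. Needs a running
# syslog and read access to the log, so it is defined here but not called.
syslog_roundtrip() {
    log=${1:-/var/log/messages}
    token="logtest-$(date +%s)-$$"
    logger -p auth.notice "$token"
    sleep 2   # give rsyslog a moment to write the line
    grep -qF "$token" "$log"
}

# Constructed samples: the relevant lines before and after the edit.
write_samples() {
    cat > "$1/before.conf" <<'EOF'
$ModLoad imjournal # provides access to the systemd journal
$OmitLocalLogging on
$IMJournalStateFile imjournal.state
EOF
    cat > "$1/after.conf" <<'EOF'
#$ModLoad imjournal # provides access to the systemd journal
$OmitLocalLogging off
#$IMJournalStateFile imjournal.state
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in before after; do
    if check_rsyslog_conf "$tmp/$f.conf"; then echo "$f.conf: OK"; else echo "$f.conf: needs the fix"; fi
done
rm -rf "$tmp"
```

On the server itself, run check_rsyslog_conf /etc/rsyslog.conf, restart rsyslog, then call syslog_roundtrip as root.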
