Error: Failed to detect code in /var/log/syslog.log or /var/log/messages (lfd)
What this is
You're getting alert emails from lfd (the login failure daemon that ships with the CSF firewall) saying something like:
Error: Failed to detect code [xnxnxnx] in SYSLOG_LOG [/var/log/messages]
referencing /var/log/syslog.log or /var/log/messages. This is lfd's SYSLOG_CHECK feature doing its job: it periodically writes a random code through syslog and then checks that the code actually appeared in the log. When the code never shows up, lfd alerts you, because a server whose syslog isn't recording is a server whose security logging is blind.
So the alert isn't lfd misbehaving. It's lfd correctly reporting that syslog itself isn't logging. The root cause is almost always a known bug in rsyslog's imjournal module (the piece that reads messages from the systemd journal), which stops rsyslog writing messages properly and leaves lfd's test code missing. The bug is documented here: https://bugzilla.redhat.com/show_bug.cgi?id=1088021
First step: one reboot
Reboot the server. This can clear the wedged state, after which the alerts stop. Note that one reboot is all it takes to find out: if a single reboot doesn't fix it, rebooting again won't either, so move on to the real fix below. (After any reboot, remember the started-vs-enabled rule if something else stays down.)
Fix option 1 (recommended): take rsyslog off the imjournal module
This sidesteps the buggy module entirely by letting rsyslog collect local messages itself instead of through the journal:
- Edit /etc/rsyslog.conf with your favorite editor and adjust the following:
  - Comment out the $ModLoad imjournal line
  - Comment out the $IMJournalStateFile imjournal.state line
  - Change $OmitLocalLogging from on to off
  - Save the file
- Restart rsyslog:
systemctl restart rsyslog
(On a cPanel server, the cPanel-managed way is /usr/local/cpanel/scripts/restartsrv rsyslogd.)
- Confirm the restart reports success, then verify logging works end to end:
logger lfd-test-123 followed by grep lfd-test-123 /var/log/messages should find your test line. Once real messages flow again, the lfd alerts stop on their own.
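The checks from Fix option 1 as a small shell helper. This is an added example, not code from CSF, lfd or rsyslog; the function names are hypothetical. It reports which of the three rsyslog.conf edits are still pending and repeats the logger/grep test with a random token, which is the same idea SYSLOG_CHECK uses.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of CSF or rsyslog.

# Print one line per Fix option 1 edit still pending in the given rsyslog
# config. Returns 1 if anything is pending, 0 if the config is clean.
pending_imjournal_edits() {
    conf=$1; pending=0
    # An uncommented $ModLoad imjournal means the module is still loaded.
    if grep -Eiq '^[[:space:]]*\$ModLoad[[:space:]]+imjournal([[:space:]]|$)' "$conf"; then
        echo "pending: comment out \$ModLoad imjournal"; pending=1
    fi
    if grep -Eiq '^[[:space:]]*\$IMJournalStateFile[[:space:]]' "$conf"; then
        echo "pending: comment out \$IMJournalStateFile"; pending=1
    fi
    # With imjournal gone, rsyslog has to collect local messages itself.
    if grep -Eiq '^[[:space:]]*\$OmitLocalLogging[[:space:]]+on([[:space:]]|$)' "$conf"; then
        echo "pending: change \$OmitLocalLogging to off"; pending=1
    fi
    return "$pending"
}

# True if the exact token appears in the log file (fixed-string match).
token_in_log() {
    grep -Fq -- "$1" "$2"
}

# Send a random token through syslog, then poll the log file for it.
# Returns 0 if the token arrives within the timeout (seconds), 1 if it
# never shows up, 2 if logger itself failed.
syslog_probe() {
    log=${1:-/var/log/messages}; timeout=${2:-10}
    token="syslog-probe-$$-$(date +%s)"
    logger "$token" || return 2
    i=0
    while [ "$i" -lt "$timeout" ]; do
        token_in_log "$token" "$log" && return 0
        sleep 1; i=$((i + 1))
    done
    return 1
}
```

Source the file as root, then run pending_imjournal_edits /etc/rsyslog.conf before restarting rsyslog and syslog_probe /var/log/messages afterwards; a non-zero status from the probe means the log is still not receiving messages.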
Fix option 2 (easier, not recommended): disable lfd's syslog checking
This silences the alarm rather than fixing the logging, so your logs may still be incomplete. Perform at your own risk:
- Edit /etc/csf/csf.conf and change SYSLOG_CHECK from 1 to 0, then save.
- Restart lfd:
systemctl restart lfd
- Confirm the restart reports success. The alerts stop, but do check now and then that /var/log/messages is actually receiving entries.
Still need help?
You can open a support ticket. So we can help on the first reply, it's worth mentioning:
- the VPS hostname or IP,
- the exact lfd alert text,
- whether /var/log/messages is currently receiving any new lines at all.
Related questions
- "What does the lfd 'Failed to detect code in SYSLOG log' email mean?"
- "Why is /var/log/messages empty or not updating?"
- "How do I fix the rsyslog imjournal bug?"
- "Is it safe to turn off SYSLOG_CHECK in csf.conf?"