List of Articles Icon

Knowledge Base

Guides and answers for your VPS, the client area, and billing

Error: Failed to detect code in /var/log/syslog.log or /var/log/messages (lfd)

What this is

You're getting alert emails from lfd (the login failure daemon that ships with the CSF firewall) saying something like:

Error: Failed to detect code [xnxnxnx] in SYSLOG_LOG [/var/log/messages]

referencing /var/log/syslog.log or /var/log/messages. This is lfd's SYSLOG_CHECK feature doing its job: it periodically writes a random code through syslog and then checks that the code actually appeared in the log. When the code never shows up, lfd alerts you, because a server whose syslog isn't recording is a server whose security logging is blind.

So the alert isn't lfd misbehaving. It's lfd correctly reporting that syslog itself isn't logging. The root cause is almost always a known bug in rsyslog's imjournal module (the piece that reads messages from the systemd journal), which stops rsyslog writing messages properly and leaves lfd's test code missing. The bug is documented here: https://bugzilla.redhat.com/show_bug.cgi?id=1088021

First step: one reboot

Reboot the server. This can clear the wedged state and the alerts stop. Note that one reboot is all it takes to find out: if a single reboot doesn't fix it, rebooting again won't either, move on to the real fix below. (After any reboot, remember the started-vs-enabled rule if something else stays down.)

This sidesteps the buggy module entirely by letting rsyslog collect local messages itself instead of through the journal:

  1. Edit /etc/rsyslog.conf with your favorite editor and adjust the following:
    • Comment out the $ModLoad imjournal line
    • Comment out the $IMJournalStateFile imjournal.state line
    • Change $OmitLocalLogging from on to off
    • Save the file
  2. Restart rsyslog:
systemctl restart rsyslog

(On a cPanel server, the cPanel-managed way is /usr/local/cpanel/scripts/restartsrv rsyslogd.)

  1. Confirm the restart reports success, then verify logging works end to end: logger lfd-test-123 followed by grep lfd-test-123 /var/log/messages should find your test line. Once real messages flow again, the lfd alerts stop on their own.

This silences the alarm rather than fixing the logging, so your logs may still be incomplete. Perform at your own risk:

  1. Edit /etc/csf/csf.conf and change SYSLOG_CHECK from 1 to 0, then save.
  2. Restart lfd:
systemctl restart lfd
  1. Confirm the restart reports success. The alerts stop, but do check now and then that /var/log/messages is actually receiving entries.

Still need help?

You can open a support ticket. So we can help on the first reply, it's worth mentioning:

  • the VPS hostname or IP,
  • the exact lfd alert text,
  • whether /var/log/messages is currently receiving any new lines at all.
  • "What does the lfd 'Failed to detect code in SYSLOG log' email mean?"
  • "Why is /var/log/messages empty or not updating?"
  • "How do I fix the rsyslog imjournal bug?"
  • "Is it safe to turn off SYSLOG_CHECK in csf.conf?"
Last reviewed: 2026-07-03