Are you receiving too many LFD SYSLOG check failed messages from your server?
Login Failure Daemon aka LFD is a server security mechanism that triggers email alerts during attacks.
However, LFD can fail when there is a problem in reading the underlying log files.
At Bobcares, we frequently deal with server security queries as a part of our Server Management Services.
Today, we’ll see how we fixed the LFD SYSLOG Check Failed error for our customer.
When does the LFD SYSLOG Check Failed message appear?
Before diving deeper into the error message, let’s take a quick look at LFD.
Login Failure Daemon is a process that constantly scans the server log files. Thus it can track any unauthorized login attempts including brute force attacks. Moreover, LFD has a built-in mechanism to block users after a particular number of failures. In effect, it works as a total solution to avoid login compromises.
LFD sends email notifications to the server owner regarding any events. The events can be IP block, unusual access, configuration errors and many more.
Recently, one of our customers came with the LFD failure message on his fresh server running cPanel & Cloudlinux 7.
The email with the subject “LFD on sharedserver.xxx.com: SYSLOG Check Failed” appeared as:
What causes the LFD SYSLOG Check Failed message?
We’ll now move on and see what causes the LFD SYSLOG check failed messages.
LFD works by reading the server log files. When the underlying log service fails, it throws errors.
A log file of any service records all user actions, service events, user-specific details, time of access, etc. It is the rsyslog service that is responsible for the centralized logging of all the logs.
If for some reason, there is a problem with the rsyslog daemon, the logs will not be updated properly. This can further cause LFD failure as well.
How we fixed SYSLOG Check failed message
It’s time now to see how our Dedicated Engineers fixed the LFD failure on the customer’s server.
As the first step, we checked whether the log service was working correctly on the server. For this, we searched the logs for the code received in the mail.
grep XMxMLwHlbhANz0SysWEHEt9 /var/log/messagesIn the case of rotated logs, we check the entire log folder together with compressed logs. However, we could not find the correct entry in the logs.
Therefore, it indicated a problem with rsyslog.
We then checked and confirmed that rsyslog was running fine on the server.
service rsyslog statusFurther, we checked the rsyslog configuration and saw that local logging was disabled. This prevented the correct logging and created problems with the LFD.
So we enabled the local logging by toggling the OmitLocalLogging variable in the syslog configuration available at /etc/rsyslog.conf. Also, we adjusted the imjournal settings and proceeded with a service restart.
Since it was a cPanel server, we used the commands:
/scripts/restartsrv_rsyslog
systemctl restart systemd-journaldHowever, the system-journald failed to restart with an error.
[root@sharedserverxx systemd]# systemctl list-units --all | grep journal
systemd-journal-catalog-update.service loaded active exited Rebuild Journal Catalog
systemd-journal-flush.service loaded inactive dead Flush Journal to Persistent Storage
● systemd-journald.service loaded failed failed Journal Service
● systemd-journald.socket loaded failed failed Journal SocketFinally, we had to reboot the server to make the systemd-journald working again.
We verified the rsyslog settings from WHM >> Service Configuration >> Service Manager
That fixed LFD and it started working successfully.
[Need help with debugging LFD errors on your server? We can help you.]
Conclusion
In short, the LFD SYSLOG Check Failed message appears when there are problems with the log files on the server. In this write-up, we saw how our Support Engineers fixed it by modifying the rsyslog configuration on a cPanel server.
0 Comments