Syslog-ng restarts if server FQDN is refreshed by DNS
Created On 01/21/21 23:15 PM - Last Modified 10/30/25 20:20 PM
Symptom
- Syslog server is configured with an FQDN (GUI: Device > Server Profiles > Syslog > [server-profile] > Servers > [syslog-server])
- Syslog server profile is used for log forwarding, such as a log forwarding profile (GUI: Objects > Log Forwarding) or device log settings (GUI: Device > Log Settings)
- System log shows "Syslog connection established to server" with an IP address that changes constantly. How often this happens depends on how often the IP returned by DNS changes:
    FW(active)> show log system direction equal backward subtype equal "syslog"
    Time Severity Subtype Object EventID ID Description
    ===============================================================================
    xxxx info syslog syslog- 0 Syslog connection established to server['AF_INET.10.0.0.2:514.']
    xxxx info syslog syslog- 0 Syslog connection established to server['AF_INET.10.0.0.3:514.']
    xxxx info syslog syslog- 0 Syslog connection established to server['AF_INET.10.0.0.4:514.']
    xxxx info syslog syslog- 0 Syslog connection established to server['AF_INET.10.0.0.5:514.']
- Logrcvr.log shows entries for "FQDN::dns updated" and "Error: pan_system_service_restart_syslogng" every time the FQDN changes IP:
    FW(active)> less mp-log logrcvr.log
    xxxx FQDN::dns updated. logfwdctx: 0x55555613d8c0, logdata: 0x55556054fbd0
    xxxx Error: pan_system_service_restart_syslogng(pan_system_settings.c:15938): SYSNG Failed to restart syslog-ng
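To check exported log text for this symptom, the two outputs above can be correlated with a short script. This is an added example, not Palo Alto Networks code; the function names and the `min_changes` threshold are assumptions, and the sample lines are constructed from the outputs shown on this page.

```python
import re

# Constructed samples in the shape of the outputs on this page ("xxxx" = timestamp).
SYSTEM_LOG = "\n".join(
    f"xxxx info syslog syslog- 0 Syslog connection established to server['AF_INET.10.0.0.{n}:514.']"
    for n in (2, 3, 4, 5))
LOGRCVR_LOG = (
    "xxxx FQDN::dns updated. logfwdctx: 0x55555613d8c0, logdata: 0x55556054fbd0\n"
    "xxxx Error: pan_system_service_restart_syslogng(pan_system_settings.c:15938): "
    "SYSNG Failed to restart syslog-ng\n")

CONNECT_RE = re.compile(
    r"Syslog connection established to server\['AF_INET\.(\d+(?:\.\d+){3}):(\d+)\.'\]")

def server_endpoints(system_log):
    """(ip, port) of every 'connection established' event, in file order."""
    return [(m.group(1), int(m.group(2))) for m in CONNECT_RE.finditer(system_log)]

def logrcvr_counts(logrcvr_log):
    """Count DNS updates, restart errors, and restart errors preceded by a DNS update."""
    dns = restarts = paired = 0
    pending_dns = False
    for line in logrcvr_log.splitlines():
        if "FQDN::dns updated" in line:
            dns += 1
            pending_dns = True
        elif "pan_system_service_restart_syslogng" in line:
            restarts += 1
            paired += pending_dns  # True counts as 1
            pending_dns = False
    return dns, restarts, paired

def diagnose(system_log, logrcvr_log, min_changes=2):
    """min_changes is an assumed threshold for 'constantly changing', not a vendor value."""
    eps = server_endpoints(system_log)
    changes = sum(a[0] != b[0] for a, b in zip(eps, eps[1:]))
    dns, restarts, paired = logrcvr_counts(logrcvr_log)
    return {
        "distinct_ips": sorted({ip for ip, _ in eps}),
        "ip_changes": changes,
        "dns_updates": dns,
        "restart_errors": restarts,
        "restarts_after_dns_update": paired,
        "matches_symptom": changes >= min_changes and paired >= 1,
    }

if __name__ == "__main__":
    for key, value in diagnose(SYSTEM_LOG, LOGRCVR_LOG).items():
        print(f"{key}: {value}")
```

Frequent restarts of the forwarder are worth tracking because they show up as repeated reconnects on the syslog collector side as well.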
Environment
- Palo Alto Firewall
- Any PAN-OS
- Syslog server profile is configured using an FQDN instead of an IP
- The syslog server profile is used for log forwarding
Cause
- Syslog-ng will restart whenever the syslog server IP changes
- If the FQDN resolves to a new IP, syslog-ng will restart
Resolution
- Use a static IP in the syslog server profile