Configuring syslog-ng with merlin firmware

[kvic]

Do you have "-l" option enabled in pixelserv startup? Do you see pixelserv log before the change? See errors if you run syslog-ng in foreground?

To debug in foreground, run:

syslog-ng -F -f /opt/etc/syslog-ng.conf

(remember to stop the existing instance first before trying from command line..)

 

[thelonelycoder]

Is there anything useful statswise I could use with the pixelserv to syslog-ng option for AB-Solution?
Does it present stats as a combined table, meaning it adds them up if found in the syslog if a sighup were sent to pixelserv-tls?

 

[tomsk]

Do you have "-l" option enabled in pixelserv startup? Do you see pixelserv log before the change? See errors if you run syslog-ng in foreground?

That was the problem.... the pixelserv logging has to be enabled before i attempt to restart syslog-ng, otherwise syslog-ng won't run.

Just for info the pixelserv filter with just

filter f_pixelserv { match("pixelserv"); };

was working quite happily in 3.8 for me as well, i assume this method is the better way of doing it though.

 

[tomsk]

Is there anything useful statswise I could use with the pixelserv to syslog-ng option for AB-Solution?
Does it present stats as a combined table, meaning it adds them up if found in the syslog if a sighup were sent to pixelserv-tls?

I have syslog-ng sending my pixelserv and dnsmasq data to loggly where all kinds of interesting things can be done with it. The dnsmasq was a little tricky because a separate log is created for AB rather than sending it to syslog. Luckily syslog-ng can read directly from a log file. Heres my config file for anyone interested.

@version:3.8

options {
    chain_hostnames(no);
    create_dirs(yes);
    flush_lines(0);
    keep_hostname(yes);
    log_fifo_size(256);
    log_msg_size(1024);
    stats_freq(0);
    flush_lines(0);
    use_fqdn(no);
};

### Syslog-ng Logging Directives for Loggly.com ###

template LogglyFormat { template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [a9a9fe07-985b-4129-b42f-de994dae4f03@41058 tag=\"MyAC68U\" ] $MSG\n");
    template_escape(no);
};

destination d_loggly {
    tcp("logs-01.loggly.com" port(6514)
       tls(peer-verify(required-untrusted) ca_dir('/opt/syslog-ng/keys/'))
       template(LogglyFormat));
};

### END Syslog-ng Logging Directives for Loggly.com ###

source src {
    internal();
    unix-stream("/dev/log");
};

source net {
    udp(ip(0.0.0.0) port(514));
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

source s_file {
        file("/tmp/mnt/data/adblocking/logs/dnsmasq.log");
};

filter f_cron { facility(cron); };
#filter f_pixelserv { match("pixelserv"); };
filter f_pixelserv { facility(daemon) and program("pixelserv"); };

destination messages { file("/opt/var/log/messages"); };
destination cron { file("/opt/var/log/cron"); };
destination pixelserv-tls { file("/opt/var/log/pixelserv-tls"); };

log { source(s_file); source(src); filter(f_pixelserv); destination(d_loggly); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_pixelserv); destination(pixelserv-tls); };
log { source(src); destination(messages);flags(fallback); };

When AB rotates the dnsmasq.log i get some complaints from syslog-ng but loggly keeps right on receiving the logs... so it seems to be more of a nuisance warning than anything.. not sure if i can do anything about it

Mar 24 05:20:03 RT-AC68U-4690 tOmsK: AB-Solution counted ads and rotated log files (daily cron job)
Mar 24 05:20:03 RT-AC68U-4690 tOmsK: AB-Solution blocked 193,715 total 4,410 week 1,198 new ads
Mar 24 01:20:14 RT-AC68U-4690 syslog-ng[3434]: The current log file has a mismatching size/inode information, restarting from the beginning; state='affile_sd_curpos(/tmp/mnt/data/adblocking/logs/dnsmasq.log)', stored_inode='163860', cur_file_inode='163870', stored_size='5668647', cur_file_size='236', raw_stream_pos='9109346'

 

[tomsk]

I tried to pick the pixelserv data out of the source stream, but can get it to work reliably with loggly. So i gave the pixelserv-tls.log the same treatment as dnsmasq

source s_pixserv {
         file("/opt/var/log/pixelserv-tls");
};

log { source(s_file); source(s_pixserv); destination(d_loggly); };

Seems to work fine now.... will see what happens when the pixelserv log rotates tonight

 

[kvic]

Is there anything useful statswise I could use with the pixelserv to syslog-ng option for AB-Solution?
Does it present stats as a combined table, meaning it adds them up if found in the syslog if a sighup were sent to pixelserv-tls?

pixelserv-tls statistics is available through "http://<pixelserv ip>/servstats.txt". It's in a parseable format.

 

[kvic]

That was the problem.... the pixelserv logging has to be enabled before i attempt to restart syslog-ng, otherwise syslog-ng won't run.

I doubt it...I'll test when I reboot next time (my pixelserv-tls has been running non-stop over 90 days...).

It's standard interprocess communication between them. So shall not have dependency on the sequence of their launch.

Just for info the pixelserv filter with just

filter f_pixelserv { match("pixelserv"); };

was working quite happily in 3.8 for me as well, i assume this method is the better way of doing it though.

In v2.1 I used "match()" in filters but it didn't pick up any log in v3.8. Change to "program()" works in v3.8. It's more efficient anyway..

 

[tomsk]

In v2.1 I used "match()" in filters but it didn't pick up any log in v3.8. Change to "program()" works in v3.8. It's more efficient anyway..

After i switched to "program()" i started to get big chunks of what seemed to be partial pixelserv log data bleeding through into the syslog output.

Mar 23 14:46:48 RT-AC68U-4690 syslog-ng[3434]: Syslog connection established; fd='5', server='AF_INET(54.236.79.251:6514)', local='AF_INET(0.0.0.0:0)'
Mar 23 18:53:18 RT-AC68U-4690 tOmsK: hello world
Mar 23 16:53:39 RT-AC68U-4690 20Buddyfight%20Wiki%2Ctitle.Purgatory%20Knights%2Cdescription.%22Purgatory%20Knights%22%20(%E7%85%89%E3%82%8C%E3%82%93%E7%8D%84%E3%81%94%E3%81%8F%E9%A8%8E%E3%81%8D%E5%A3%AB%E3%81%97%E5%9B%A3%E3%81%A0%E3%82%93%E3%80%80Rengokukishidan)%20is%20a%20series%20of%20%E3%80%8AArmordragon%E3%80%8B%2Curl.http%3A%2F%2Fbuddyfight%252Ewikia%252Ecom%2Fwiki%2FPurgatory_Knights%2Cimage.http%3A%2F%2Fvignette2%252Ewikia%252Enocookie%252Enet%2Fbuddyfight%2Fimages%2F3%2F3b%2FBT04-0105EN%252Epng%2Frevis HTTP/1.1
Mar 23 16:53:59 RT-AC68U-4690 ts%20Leader%252C%20Demios%20Sword%20%22Chaos%20Execution!%22%2Cdescription.English%3A%20Purgatory%20Knights%20Leader%252C%20Demios%20Sword%20%22Chaos%20Execution!%22%20Kanji%3A%20%E7%85%89%E7%8D%84%E9%A8%8E%E5%A3%AB%E5%9B%A3%E5%9B%A3%2Curl.http%3A%2F%2Fbuddyfight%252Ewikia%252Ecom%2Fwiki%2FPurgatory_Knights_Leader%252C_Demios_Sword_%2522Chaos%2Cimage.http%3A%2F%2Fvignette1%252Ewikia%252Enocookie%252Enet%2Fbuddyfight%2Fimages%2F7%2F74%2FD-BT01A-EB01-0012EN%252Ep HTTP/1.1
Mar 23 16:54:45 RT-AC68U-4690

I noticed you used a .log suffix for your pixelserv log, so i tried that along with the "no-multi-line" flag. Seems to have stopped now...not not sure which one fixed the problem ( if indeed it is fixed at all) Could this be an issue with the log entry length .... I'm wondering if i need to use flow control, of adjust some buffer lengths? There is a log-msg-size() file source option which defaults to 8192.... global is currently set at 1024

 

[kvic]

After i switched to "program()" i started to get big chunks of what seemed to be partial pixelserv log data bleeding through into the syslog output.

I mostly went with default as you could see very few items in my "options" section. When the message is too long (haven't checked how long), I see it gets truncated with "[truncated]" at the front of the messages. I didn't see you have program name and process id between host name and the message..

Mar 26 11:17:30 Phaeo pixelserv[16393]: ( 4) 192.168.1.100: pagead2.googlesyndication.com GET /pagead/js/adsbygoogle.js HTTP/1.1
Mar 26 11:17:31 Phaeo pixelserv[16393]: [truncated] (13) 192.168.1.100: pixel.facebook.com GET /si/ajax/l/render_linkshim_log/?u=http%3A%2F%2Fwww.post852.com%2F%3Fp%3D210038&h=ATNP6EMZ_5hK4onvtf5tJjVPdeFP7cTIMj326lU1SkqWUc-1E0ZcgfKgKPOarqOud_Evyb1QFk2Ay8eoEa2n8FMa44rfHTobEPpYqTLLcoV9njy2b6vQ-QAFs6GmPajuxyqMHI7mKaNjjsJRI9juxEauoeor&enc=AZNumQRHl-gil4AuHFYWBHJlUW5RYYoBnYM1Eb-gXmjZAPMywVgSPoP0vIhSwWGalcWPwQvDm_ubSe_uKqP3arw8gFnR07HUaZNFdEIv1CVUEMto8bp79RobCZW-tu8pKpSGKiMwoTlmArhRY7unC0gRAsLFfDfWyUmdU9mwNTvrjU4DfuEO9Dkv7TwalzTtGOl3DbLDShdXFy08_EObCbfA&d&__a=1&__af=iw&__be=-1&__dyn=5V5yAW8-aFoFxp2umeKIGAyqomUOqfoOfAKGgS8UIyrWqF1ejxTCWzGwDzQHUlUF7zFGCxi7pHxuqE88HyWDyV9B88x2axuF8WVpenKtojF3EKm9DAxaFTxG6oHDh8Sm6vCAzq_h6umegmVV8-cx2jCoO8gpx25VoGqF9QiayogyVoWbCAwBxrKuaC_Q4LiQ48Ccy8Cu4rld2plzFk8XA-49pkUhxmnh4dy8gAwzCyFKiq9Dpby4u4rGVaADhp8C9F16&__pc=PHASED%3ADEFAULT&__req=d&__rev=2915971&__user=100015563618921&asyncSignal=2072&fb_dtsg=AQHtrH7JiuVC%3AAQFfGSiBhHAV&ttstamp=265817211611472557410511786675865817010271831056610

 

[tomsk]

I didn't see you have program name and process id between host name and the message..

Yes that is the weird part..... there is no program name or process id, but its definitely pixelsev data. Must be a setting somewhere within syslog that is causing this. In your example , you are being told that you are only getting the front of the message. In my case I'm getting the tail end.
Thanks for the info...will fish around some more and see if i can get to the bottom of it.

 

[MarCoMLXXV]

As this thread seems somewhat quiet lately, and I was looking wether it's possible to replace syslogd with syslog-ng, I'm wondering wether someone managed to get it working properly? Reading through the posts it seems quite a hassle.

I just contacted the support department of Papertrail (www.papertrailapp.com - free for home users) who have developed a remote_syslog daemon (v2) which should work with the ARMv7 architecture in my RT-AC68U. At least, they mention support for ARM has been added last year, but I can't find the binary they mention in the release notes of one of the former beta's, so I mailed them. Maybe this could be an easier solution for others reading this thread, as I have a feeling remote logging starts quite late during booting, there's info on the router in syslog which doesn't get send to Papertrail. Also, the remote_syslog2 daemon offers options to aggregate other logfiles if you want it to. If anyone is interested too, I'll keep you posted.

 

[kvic]

As this thread seems somewhat quiet lately, and I was looking wether it's possible to replace syslogd with syslog-ng, I'm wondering wether someone managed to get it working properly? Reading through the posts it seems quite a hassle.

To get started, it's very simple. Install syslog-ng from Entware, and replace /opt/etc/init.d/S01syslog-ng with my version from #10.

Restart your router. All syslog messages (including bootlogs) simply go into /opt/var/log/messages on your USB stick.

That's it!

Now start learning to use filtering features in syslog-ng (and logrotate which controls how log files roll forward) that'll be a separate topic. And you'll end up with well organised logs just like a full-blown Linux system.

My RT-AC56U has been a syslog server where it receives syslog messages from other devices such as my Edgerouter X and Apple Airport. Works very well for me.

Anyhow, keep us posted on your adventure into online loggers.

 

[MarCoMLXXV]

That sounds simple indeed. Was under the impression after reading the earlier posts that it would be more of a hassle. Anyway, received an auto reply that the people at Papertrail will reply Tuesday at the earliest, due to a holiday, so I needed something new to tinker with in the meantime anyway This will do just fine, so thanks for the confirmation @kvic!

 

[tomsk]

As this thread seems somewhat quiet lately, and I was looking wether it's possible to replace syslogd with syslog-ng, I'm wondering wether someone managed to get it working properly? Reading through the posts it seems quite a hassle.

I have syslog-ng working quite well now... my earlier problem with the pixelserv logs was resolved by simply increasing the log_msg_size.

I wanted to send both my pixelserv and dnsmasq logs to Loggly service ... pixelserv was quite easy as it sends its logs to syslog anyway, dnsmasq was a bit more tricky because Ab-solution uses dnsmasq logging in a separate file rather than sending it to syslog( the default behaviour). I got around this by using syslog-ng ability to read the log directly from a file.

heres my syslog-ng.conf for those interested in such things.... not particularly elegant , and maybe not the ideal way of doing it...but hey it works

@version:3.9

options {
    chain_hostnames(no);
    create_dirs(yes);
    flush_lines(0);
    keep_hostname(yes);
    log_fifo_size(256);
    log_msg_size(8912);
    stats_freq(0);
    flush_lines(0);
    use_fqdn(no);
};

### Syslog-ng Logging Directives for Loggly.com ###

template LogglyFormat { template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [a9a9fe07-985b-4129-b42f-de994dae4f03@41058 tag=\"MyAC68U\" ] $MSG\n");
    template_escape(no);
};

destination d_loggly {
    tcp("logs-01.loggly.com" port(6514)
       tls(peer-verify(required-untrusted) ca_dir('/opt/syslog-ng/keys/'))
       template(LogglyFormat));
};

### END Syslog-ng Logging Directives for Loggly.com ###

source src {
    internal();
    unix-stream("/dev/log");
};

source net {
    udp(ip(0.0.0.0) port(514));
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

source s_file {
        file("/tmp/mnt/data/adblocking/logs/dnsmasq.log" default-facility(daemon) flags(no-hostname));
};

filter f_cron { facility(cron); };
filter f_pixelserv { facility(daemon) and program("pixelserv"); };
filter f_loggly { (facility(daemon) and program("pixelserv")) or (facility(daemon) and program("dnsmasq")); };

destination messages { file("/opt/var/log/messages"); };
destination cron { file("/opt/var/log/cron"); };
destination pixelserv-tls { file("/opt/var/log/pixelserv-tls"); };

log { source(s_file); source(src); filter(f_loggly); destination(d_loggly); };
log { source(src); filter(f_cron); destination(cron); };
log { source(src); filter(f_pixelserv); destination(pixelserv-tls); };
log { source(src); destination(messages);flags(fallback); };

 

[MarCoMLXXV]

Thanks for sharing your

syslog-ng.conf

@tomsk

 

[MarCoMLXXV]

A second nasty bit. Stop AsusWRT writing a copy of /tmp/syslog.log to /jffs. Search the forum. A couple of threads discussed that. IMO, simply disable this feature regardless you run syslog or syslog-ng.

@kvic, is this the workaround you were referring to in post #2 of this thread, creating empty directories syslog and syslog-1 like @RMerlin suggests in the post linked previously, to stop syslog from being written to /jffs? I'm preparing to switch to syslog-ng, just want to make sure I understand it correctly... It's a bit difficult (at least to me) to get the right search results (as syslog is quite common and searching /jffs/syslog returns every single post containing syslog, so I used Google for a more specific search to find the suggestion I think you were referring to. I read somewhere that will cause you to loose the first part of the syslog(-ng), as the external media aren't mounted yet. Is there a way around that? I would like to have the log(s) complete.

 

[mhofman]

I came up with a slightly different approach:

I'm leaving the Busybox's syslogd in place but sending its logs over a local socket to the syslog-ng instance.
That way if syslogd gets restarted for any reason, it won't conflict with syslog-ng. It also leaves in place the existing mechanism for the GUI logs.
Regarding the startup logs generated before syslog-ng's start, I have syslog-ng open a named pipe, and in the services-start script I wait for the pipe to be available and simply cat the existing logs into it. That way instead of having a few messages lost, there is at worst a few messages duplicated, and all the log messages are processed by syslog-ng and sent to their destinations.

I'm using syslog-ng on the router to collect the logs from my router and access points, process them (replace spaces in tag field), and relay them to a remote logging server.

Step by step instructions:

• Install entware-ng if not already available, and syslog-ng
• Use the following config and services-start script: https://gist.github.com/mhofman/79e9d1bc175deb7d90143a8946f25fbf
  (I couldn't include the code directly here, Cloudflare was bombing on me for some reason)
• remove the syslog.log files in jffs and replace them by directories to prevent the firmware from copying logs to jffs (and back from jffs at reboot)
  
• Use the Web GUI, Admin section, to configure sending logs to the local IP of the router.
• Reboot the router (or start the syslog-ng service manually, before the previous step to not miss any logs)

You could probably listen on the loopback address, but you may need to force the hostname using the host-override() option of the network source, as regular resolution would probably be localhost.

 

[Mazrim]

So what are the major benefits of moving to syslog-ng?

 

[joegreat]

So what are the major benefits of moving to syslog-ng?

Le me google that for you... Found matching article... Showing detailed information: https://en.wikipedia.org/wiki/Syslog-ng

 

[Jack Yaz]

Le me google that for you... Found matching article... Showing detailed information: https://en.wikipedia.org/wiki/Syslog-ng

http://lmgtfy.com/?q=So+what+are+the+major+benefits+of+moving+to+syslog-ng?