I've had a go at creating a HOWTO for setting up syslog-ng. It's written around moving the iptables logs off into their own log, and includes solutions for keeping the symlinks working. I'd like to have someone who doesn't have syslog-ng set up on their router (or someone with a spare router they can set up to avoid familial discord) give it a go.
*** HOWTO: Use syslog-ng to relocate iptables logs generated by Skynet ***
Purpose: use syslog-ng to replace syslogd, and relocate skynet logs.
It’s assumed the following are installed (otherwise you wouldn’t need this in the first place!):
- Asuswrt-Merlin
- jffs scripts enabled in firmware
- Entware (preferably installed using amtm, see SNB forums)
- Skynet 6.7.0 or higher (preferably installed using amtm, see SNB forums)
It’s also assumed that you are fairly comfortable with the command line, and that you know how to edit text files on the router. The editors ‘nano’ and ‘vi’ are part of the base firmware; a full ‘vim’ and, I’m sure, other editors are available in Entware.
First, install syslog-ng and logrotate* from Entware:
Code:
# opkg install syslog-ng logrotate
* = logrotate is technically not required, but a very good idea. There are reports that if the system log gets too big, the webGUI will have issues trying to read it if you click on the System Log tab.
Personally, I take the unix “do one thing only, and do it well” to the extreme. Although I think most people just have one huge syslog-ng.conf file with everything in it, I like the idea of separate files for separate log actions. In order for all this to work properly using this approach, the /opt/etc/syslog-ng.conf file needs a minor tweak to move the @include line to before the log line (make sure to move it, not just copy it; there should be only 1 @include line):
Code:
# put any customization files in this directory
@include "/opt/etc/syslog-ng.d/"
log {
source(src);
source(net);
source(kernel);
destination(messages);
};
The reason for this is that if the @include line is after the log line, everything will still be logged in messages, and the whole point of this is to keep excessive messages out of the system log!
Next, create a file in /opt/etc/syslog-ng.d/ for the filter. I called it “skynet” but you can call it whatever you want, the name doesn't matter. Note that it shouldn’t be executable. Fire up your favorite editor and paste the below in:
Code:
# Skynet creates a lot of log messages, put them elsewhere
# Skynet setup now allows scraping a specified file
# this is the file to have Skynet scrape
destination d_skynet {
file("/opt/var/log/skynet-0.log");
};
filter f_blocked {
match("BLOCKED -" value("MESSAGE"));
};
# value("PROGRAM") matches to logger -t PROGRAM
filter f_skynet {
match("Skynet: " value("MSGHDR"));
};
# this logs f_blocked to d_skynet and nowhere else
log {
source(src);
source(kernel);
filter(f_blocked);
destination(d_skynet);
flags(final);
};
# this logs f_skynet to d_skynet but allows it to pass to messages
log {
source(src);
source(kernel);
filter(f_skynet);
destination(d_skynet);
};
#eof
The above strips all the BLOCKED messages from iptables, putting them in a file where Skynet can use them for statistics, but still allows the normal Skynet messages to go into the system log (normally /opt/var/log/messages with syslog-ng). All of this could just as easily be copied into /opt/etc/syslog-ng.conf; just make sure it’s copied immediately before the log line. To ensure the configuration is correct, use:
If that runs without errors, then syslog-ng believes all the scripts are correct. Now, fire up the Skynet configuration script:
From the menu, select option 11 (Settings), then option 10 (Syslog Location) from the sub-menu, then option 1 (syslog.log) to change the location of syslog. Enter:
Code:
/opt/var/log/skynet-0.log
It is vital that this file match the file in the “destination” section of the skynet configuration file. Otherwise Skynet won’t be able to gather statistics. No need to change the syslog-1 file location, it won’t exist with syslog-ng running and syslogd stopped.
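To see why the @include line has to come before the stock log block, here is a small model of how syslog-ng walks the log paths above, with flags(final) stopping further paths for a matched message. This is an added illustration, not code from the HOWTO or from syslog-ng; the three sample log lines are constructed, and the parser only handles the BusyBox "date program[pid]: message" layout.

```python
import re

# MSGHDR is the program name (with optional [pid]) plus ": "; MESSAGE is the rest.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<hdr>[^:\s\[]+(?:\[\d+\])?: )(?P<msg>.*)$"
)

def parse(line):
    """Split a BusyBox-style syslog line into the macros the HOWTO's filters use."""
    m = LINE_RE.match(line)
    if m is None:
        return {"MSGHDR": "", "MESSAGE": line}
    return {"MSGHDR": m["hdr"], "MESSAGE": m["msg"]}

# Filters from the "skynet" file; the literals contain no regex metacharacters,
# so a substring test behaves like syslog-ng's match() here.
def f_blocked(msg):
    return "BLOCKED -" in msg["MESSAGE"]   # match("BLOCKED -" value("MESSAGE"))

def f_skynet(msg):
    return "Skynet: " in msg["MSGHDR"]     # match("Skynet: " value("MSGHDR"))

def f_all(msg):
    return True                            # the stock log{} block has no filter

# Log paths as (filter, destination, flags(final)), in config-file order.
CUSTOM = [(f_blocked, "skynet-0.log", True), (f_skynet, "skynet-0.log", False)]
STOCK = [(f_all, "messages", False)]

def route(lines, paths):
    """Run each line through the log paths in order, honouring flags(final)."""
    out = {"skynet-0.log": [], "messages": []}
    for line in lines:
        msg = parse(line)
        for flt, dest, final in paths:
            if flt(msg):
                out[dest].append(line)
                if final:
                    break        # later paths never see this message
    return out

SAMPLE = [  # constructed lines, not captured router output
    "Jan  1 00:00:01 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.1",
    "Jan  1 00:00:02 Skynet: [#] 1 IP Manually Banned",
    "Jan  1 00:00:03 dropbear[1234]: Child connection from 192.0.2.20:51000",
]

if __name__ == "__main__":
    for label, paths in (("include first", CUSTOM + STOCK), ("include last", STOCK + CUSTOM)):
        print(label, {k: len(v) for k, v in route(SAMPLE, paths).items()})
```

With the @include first, the BLOCKED line reaches only skynet-0.log; with the stock block first it lands in messages before flags(final) can stop it.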
Now we need to make sure syslogd is stopped at every boot, and syslog-ng is started. In the /opt/etc/init.d directory there should be a file called S01syslog-ng. It’s probably easiest to replace the entire thing with the following:
Code:
#!/bin/sh
# separate killing syslogd and linking syslog.log;
# symlink might get broken even if syslogd not running
kill_syslogd (){
    # kill any/all running syslogd
    if [ ! "X$(pidof syslogd)" = "X" ]; then
        killall syslogd
    fi
    # webGUI System Log = /tmp/syslog.log
    # fold any existing plain file into messages, then replace it with a symlink
    if [ ! -L "/tmp/syslog.log" ]; then
        [ -f "/tmp/syslog.log" ] && cat /tmp/syslog.log >> /opt/var/log/messages
        rm -f /tmp/syslog.log /tmp/syslog.log-1
        ln -s /opt/var/log/messages /tmp/syslog.log
    fi
    # make /jffs/syslog.log and log-1 directories if not already
    # prevents system log rotater from writing to jffs
    if [ ! -d "/jffs/syslog.log" ]; then
        rm -f /jffs/syslog.log
        mkdir /jffs/syslog.log
    fi
    if [ ! -d "/jffs/syslog.log-1" ]; then
        rm -f /jffs/syslog.log-1
        mkdir /jffs/syslog.log-1
    fi
}
ENABLED=yes
PROCS=syslog-ng
ARGS=""
PREARGS=""
PRECMD="kill_syslogd"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
. /opt/etc/init.d/rc.func
Almost there! All that remains is to set up logrotate. I suggest adding the following 2 lines to your /opt/etc/logrotate.conf file:
logrotate also supports externally-sourced configuration files. The below could just as easily be pasted at the end of /opt/etc/logrotate.conf, but I choose to put it in /opt/etc/logrotate.d/syslog-ng.
Code:
/opt/var/log/messages {
minsize 1024k
postrotate
/usr/bin/killall -HUP syslog-ng
endscript
}
The logrotate configuration options aren’t complex and you can change settings to your liking. If you choose to enable compression of rotated logs, you need to add “delaycompress” to your logrotate.conf as well so the first rotated log won’t be compressed. This is not for readability; it prevents problems caused by the way some programs keep their log file open across a rotation.
Lastly, add the following line to the end of the post-mount script:
Code:
cru a logrotate "5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf #rotate logs daily @ 00:05#"
Now, if you're feeling lucky, you should be able to just reboot the router and all will be working. If you want to get it going without a reboot, enter the following at the command prompt:
Code:
# /opt/etc/init.d/S01syslog-ng start
# cru a logrotate "5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf #rotate logs daily @ 00:05#"
I also have another syslog-ng file to move the WLCEVENTD messages off to their own file.
The big challenge will be moving the dcd crashes to their own file (or dumping them completely). It's a multi-line message so I think it's not as simple as looking for the dcd line.