Configuring syslog-ng with merlin firmware


Sounds like the destructive "sed" operation is for poor souls running the vanilla syslog. So for you running syslog-ng, commenting that out without performance degradation. No? A better way than to have a band-aid over another band-aid.

That's essentially the issue. The stock sed binary doesn't have the "--follow-symlinks" flag, nor does syslogd have the "custom config" option enabled at build time which would be even more ideal as I could then store Skynet logs in their own file.
 
It's a little more than that. This one line is there to remove a line from the system log that Skynet thinks gets logged by cron to syslog.log. It uses a destructive sed command on syslog.log, instead of copying to a temp file, doing sed there, and copying back the file (all of which sed is doing itself), which I think could follow the symlink (not sure, haven't tried it).

But with syslog-ng running, syslogd isn't running and isn't writing to syslog.log. That cron message isn't written over there in the first place, and that sed command doesn't do anything but overwrite the symlink with something that I haven't quite figured out. So my kludge is to restore things. Commenting out that line in skynet would work fine too, except that each time skynet updates I'd have to remember to do that again.

Instead, syslog-ng is picking up what cron logs. Over there, I am filtering out skynet's messages into its own file, rotating it when necessary. If I wanted to I could just have syslog-ng drop the cron messages.

This isn't a criticism of skynet, which is why I'm going on about it here and not there. Everyone using both will have this issue. But @kvic is having a bit of fun with us, isn't he? Poor souls and band-aids indeed. :)
 
I'll post this here as it is related, but it is really about logrotate and the obvious thing I missed.

In order that the messages file not get too big for the webgui to handle, I rotate the logs, with this in my config:

Code:
# system-specific logs may also be configured here.
/opt/var/log/messages {
    size 2M
    rotate 4
    postrotate
        killall -HUP syslog-ng
    endscript
}
What I couldn't seem to figure out is that no matter what I put in for the size 2M line (even if I put in weekly), the log rotates every time the logrotate job runs, even though none of the logs exceeds 2MB. I keep only 4, and syslog-ng is restarted, so the rest of this is working. Because I've left the global at weekly, I think if I just left that line out the log should rotate weekly. But somehow it was always run every day.

I think the reason is that I took the cron job from #43 in this thread, Configuring syslog-ng with merlin firmware

I hadn't focused on the "-f" cli option, which forces the rotation of all logs regardless of the particular settings. That was my problem.

Another thing I've noticed is that the logrotate.conf doesn't have a default directory for logs to rotate, although you can do wildcards. So you should have a system-specific log for each syslog-ng generated log you create. Under no circumstances should you try to have a configuration for /opt/var/log/*.log, because that would stomp all over Diversion's own log rotation.

Also, I think it might be good practice to use the applicable subdirectory for both syslog-ng and logrotate for your own configurations. I recently stupidly did opkg update, opkg upgrade for stubby and got 3.19 of syslog-ng, which stomped on my setup. I had forgotten @kvic warned about exactly this.

Sorry for the length; I thought this might be helpful to others.
 
I've had a go at creating a HOWTO for setting up syslog-ng. It's written around moving the iptables logs off into their own log, and includes solutions for keeping the symlinks working. I'd like to have someone who doesn't have syslog-ng set up on their router (or someone with a spare router they can set up to avoid familial discord) give it a go.

*** HOWTO: Use syslog-ng to relocate iptables logs generated by Skynet ***

Purpose: use syslog-ng to replace syslogd, and relocate skynet logs.

It’s assumed the following are installed (otherwise you wouldn’t need this in the first place!):
  1. Asuswrt-Merlin
  2. jffs scripts enabled in firmware
  3. Entware (preferably installed using amtm, see SNB forums)
  4. Skynet 6.7.0 or higher (preferably installed using amtm, see SNB forums)
It’s also assumed that you are fairly comfortable with the command line, and that you know how to edit text files on the router. The editors ‘nano’ and ‘vi’ are part of the base firmware, a full ‘vim’ and I’m sure other editors are available in Entware.

First, install syslog-ng and logrotate* from Entware:
Code:
# opkg install syslog-ng logrotate
* = logrotate is technically not required, but a very good idea. There are reports that if the system log gets too big, the webGUI will have issues trying to read it if you click on the System Log tab.

Personally, I take the unix “do one thing only, and do it well” to the extreme. Although I think most people just have one huge syslog-ng.conf file with everything in it, I like the idea of separate files for separate log actions. In order for all this to work properly using this approach, the /opt/etc/syslog-ng.conf file needs a minor tweak to move the @include line to before the log line (make sure to move it, not just copy it; there should be only 1 @include line):
Code:
# put any customization files in this directory
@include "/opt/etc/syslog-ng.d/"

log {
        source(src);
        source(net);
        source(kernel);
        destination(messages);
};
The reason for this is that if the @include line is after the log line, everything will still be logged in messages, and the whole point of this is to keep excessive messages out of the system log!

Next, create a file in /opt/etc/syslog-ng.d/ for the filter. I called it “skynet” but you can call it whatever you want, the name doesn't matter. Note that it shouldn’t be executable. Fire up your favorite editor and paste the below in:
Code:
# Skynet creates a lot of log messages, put them elsewhere
# Skynet setup now allows scraping a specified file

# this is the file to have Skynet scrape
destination d_skynet {
        file("/opt/var/log/skynet-0.log");
};

filter f_blocked {
        match("BLOCKED -" value("MESSAGE"));
};

# value("PROGRAM") matches to logger -t PROGRAM
filter f_skynet {
        match("Skynet: " value("MSGHDR"));
};

# this logs f_blocked to d_skynet and nowhere else
log {
        source(src);
        source(kernel);
        filter(f_blocked);
        destination(d_skynet);
        flags(final);
};

# this logs f_skynet to d_skynet but allows it to pass to messages
log {
        source(src);
        source(kernel);
        filter(f_skynet);
        destination(d_skynet);
};

#eof
The above strips all the BLOCKED messages from iptables, putting them in a file where Skynet can use them for statistics, but still allows the normal skynet messages to go into the system logs (normally /opt/var/log/messages with syslog-ng). All of this could just as easily be copied into /opt/etc/syslog-ng.conf; just make sure it’s copied immediately before the log line. To ensure the configuration is correct, use:
Code:
# syslog-ng -s
If that runs without errors, then syslog-ng believes all the scripts are correct. Now, fire up the Skynet configuration script:
Code:
# /jffs/scripts/firewall
From the menu, select option 11 (Settings), then option 10 (Syslog Location) from the sub-menu, then option 1 (syslog.log) to change the location of syslog. Enter:
Code:
/opt/var/log/skynet-0.log
It is vital that this file match the file in the “destination” section of the skynet configuration file. Otherwise Skynet won’t be able to gather statistics. No need to change the syslog-1 file location, it won’t exist with syslog-ng running and syslogd stopped.

Now we need to make sure syslogd is stopped at every boot, and syslog-ng is started. In the /opt/etc/init.d directory there should be a file called S01syslog-ng. It’s probably easiest to replace the entire thing with the following:
Code:
#!/bin/sh

# separate killing syslogd and linking syslog.log;
# symlink might get broken even if syslogd not running

kill_syslogd (){
    # kill any/all running syslogd
    if [ ! "X$(pidof syslogd)" = "X" ]; then
        killall syslogd
    fi

    # webGUI System Log = /tmp/syslog.log
    # if it is a regular file, keep its contents by appending them to
    # messages, then replace it with a symlink so the webGUI reads messages
    if [ ! -L "/tmp/syslog.log" ]; then
        [ -f /tmp/syslog.log ] && cat /tmp/syslog.log >> /opt/var/log/messages
        rm -f /tmp/syslog.log /tmp/syslog.log-1
        ln -s /opt/var/log/messages /tmp/syslog.log
    fi

    # make /jffs/syslog.log and log-1 directories if not already;
    # prevents the firmware's system log rotator from writing to jffs
    if [ ! -d "/jffs/syslog.log" ]; then
        rm -f /jffs/syslog.log
        mkdir /jffs/syslog.log
    fi

    if [ ! -d "/jffs/syslog.log-1" ]; then
        rm -f /jffs/syslog.log-1
        mkdir /jffs/syslog.log-1
    fi
}

ENABLED=yes
PROCS=syslog-ng
ARGS=""
PREARGS=""
PRECMD="kill_syslogd"
DESC=$PROCS
PATH=/opt/sbin:/opt/bin:/opt/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

. /opt/etc/init.d/rc.func
Almost there! All that remains is to set up logrotate. I suggest adding the following 2 lines to your /opt/etc/logrotate.conf file:
Code:
missingok
notifempty
logrotate also supports externally-sourced configuration files. The below could just as easily be pasted at the end of /opt/etc/logrotate.conf, but I choose to put it in /opt/etc/logrotate.d/syslog-ng
Code:
/opt/var/log/messages {
    minsize 1024k
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}
The logrotate configuration options aren’t complex and you can change settings to your liking. If you choose to enable compression of rotated logs, you need to add “delaycompress” to your logrotate.conf as well so the first rotated log won’t be compressed. This is not for readability, this prevents problems due to the way that some programs access their logs.

Lastly, add the following line to the end of the post-mount script:
Code:
cru a logrotate "5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf #rotate logs daily @ 00:05#"
Now, if you're feeling lucky, you should be able to just reboot the router and all will be working. If you want to get it going without a reboot, enter the following at the command prompt:
Code:
# /opt/etc/init.d/S01syslog-ng start
# cru a logrotate "5 0 * * * /opt/sbin/logrotate /opt/etc/logrotate.conf #rotate logs daily @ 00:05#"

I also have another syslog-ng file to move the WLCEVENTD messages off to their own file. :) The big challenge will be moving the dcd crashes to their own file (or dumping them completely). It's a multi-line message so I think it's not as simple as looking for the dcd line.
 
Scattered around are some posts about how @cmkelley goes about removing the dcd crash lines from syslog. I don't have an 86U so I don't see these lines, but I gather they are several lines in a row, each starting with a time stamp. Syslog-ng has a few multi-line functions, including multi-line garbage(); syslog-ng defines a multi-line message as a message with new-line characters in it, and treats everything between an expression (like a time stamp) and the next occurrence of the expression as a single line, disregarding new line characters.

What I think @cmkelley is trying to do is discard two or more related messages, and I agree I don't see a way to do that, other than a filter which matches any of those related messages, or several filters matching the messages.
 
There are 18 lines of the dcd crash message. :(

So, I think the multi-line-prefix and multi-line-suffix functions will allow defining the start and end of a multi-line message. I agree multi-line-garbage is not the way to go.
 
I've had a go at creating a HOWTO for setting up syslog-ng
Awesome job!!

I particularly like your idea of pointing skynet at its own log file, after it has been sorted by syslog-ng. I have skynet pointed at my messages file, so I have in the webgui all the skynet blocks from the last hour. Your way is way better. Does it also leave the hourly skynet message out of messages?

A couple of quibbles: I think your messages filter should also go in the included file, so the base file only has the defaults, and no filtering. That avoids having to move the "include" line. Also, you don't care if updating syslog-ng writes a new .conf.

Also, I think your PRECMD script is more complicated than it needs to be, but I'll try it.

Also, shouldn't we deal with the DROP IN messages?
 
Thank you @cmkelley and @elorimer for this. I'll have some time to try and set this up again in the next two days. Here is the full output of the dcd crash in syslog.
Code:
Feb  9 11:34:19 kernel: dcd[24458]: unhandled level 3 translation fault (11) at 0x00000000, esr 0x92000007
Feb  9 11:34:19 kernel: pgd = ffffffc012777000
Feb  9 11:34:19 kernel: [00000000] *pgd=000000000a3f5003, *pud=000000000a3f5003, *pmd=000000000b63e003, *pte=0000000000000000
Feb  9 11:34:19 kernel: CPU: 1 PID: 24458 Comm: dcd Tainted: P           O    4.1.27 #2
Feb  9 11:34:19 kernel: Hardware name: Broadcom-v8A (DT)
Feb  9 11:34:19 kernel: task: ffffffc01c085540 ti: ffffffc00b678000 task.ti: ffffffc00b678000
Feb  9 11:34:19 kernel: PC is at 0xf6e1bf44
Feb  9 11:34:19 kernel: LR is at 0x1dc74
Feb  9 11:34:19 kernel: pc : [<00000000f6e1bf44>] lr : [<000000000001dc74>] pstate: 600e0010
Feb  9 11:34:19 kernel: sp : 00000000ffa6a0b8
Feb  9 11:34:19 kernel: x12: 000000000009ff10 
Feb  9 11:34:19 kernel: x11: 00000000f60ff024 x10: 00000000000a02b4 
Feb  9 11:34:19 kernel: x9 : 00000000f60ff670 x8 : 00000000000a076c 
Feb  9 11:34:19 kernel: x7 : 00000000f60ff6a8 x6 : 00000000000a0766 
Feb  9 11:34:19 kernel: x5 : 0000000000000000 x4 : 00000000f60ff654 
Feb  9 11:34:19 kernel: x3 : 0000000000000000 x2 : 00000000ffa6a094

The script cmkelley posted works for me, but the destructive sed causes issues with following symlinks as we know, so using syslog-ng to filter it is the preferred option. As I have stated elsewhere, I am a complete dolt with scripting and regex, so it takes me many tries to sort things, and those with a good grasp of these techniques are a welcome god-send for me.
 
Awesome job!!

I particularly like your idea of pointing skynet at its own log file, after it has been sorted by syslog-ng. I have skynet pointed at my messages file, so I have in the webgui all the skynet blocks from the last hour. Your way is way better.

A couple of quibbles: I think your messages filter should also go in the included file, so the base file only has the defaults, and no filtering. That avoids having to move the "include" line.
I'm not sure what you mean by this? I've only moved the @include line up above the already existing log line in the base file. If you don't move the @include line, everything will go to the main messages log, because the file is read from the top down, so the logging to messages occurs before filtering out the stuff you don't want to be there. The flags(final) callout in the included file effectively discards messages matching the filter after writing them.
Also, I think your PRECMD script is more complicated than it needs to be, but I'll try it.
Probably. It's designed for edge cases that may actually never exist. :)
 
But don't they each start with a time stamp? I mean, each one is a separate message, not one message with 18 new line characters? [URL="https://www.snbforums.com/threads/r...384-9-is-now-available.54843/page-9#post-4639]
I don't think they're separate messages. I _think_ the kernel is spitting it out all at once as a single multi-line message, and syslog-ng (same as syslogd) is splitting the multi-line message into individual lines and giving them all the same timestamp. I could be wrong about this, but I don't know how to test it other than try to set up a multi-line filter.
 
I'm not sure what you mean by this? I've only moved the @include line up above the already existing log line in the base file. If you don't move the @include line, everything will go to the main messages log, because the file is read from the top down, so the logging to messages occurs before filtering out the stuff you don't want to be there.
What I mean is the messages logging should be in the subdirectory too, so all of the logging is in that file. I have had an update to syslog-ng overwrite the syslog-ng.conf file.
 
What I mean is the messages logging should be in the subdirectory too, so all of the logging is in that file. I have had an update to syslog-ng overwrite the syslog-ng.conf file.
You'd still have to edit the syslog-ng.conf file every time you updated syslog-ng. Here is Entware's default syslog-ng.conf file:
Code:
@version: 3.17

options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(1024);
        stats_freq(0);
        flush_lines(0);
        use_fqdn(no);
};

source src {
        internal();
        unix-dgram("/dev/log");
};

source net {
        udp(ip(0.0.0.0) port(514));
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination messages {
        file("/opt/var/log/messages");
};

log {
        source(src);
        source(net);
        source(kernel);
        destination(messages);
};

# put any customization files in this directory
@include "/opt/etc/syslog-ng.d/"
Without editing this file you can't prevent every log entry from going into messages. The included files are processed AFTER the log command, so nothing is filtered out. So you'd have to basically ignore the messages file and rely on the files generated by the various included files only. Which could be done, no doubt. But it just seems simpler to move the include line above the log line to let only what survives the filters be logged to messages.

I don't know where Entware gets their default syslog-ng.conf from. Judging from the multiple syslog-ng.conf files on github, I'd guess they roll their own. I think I'll open a request to move the include line in future versions of Entware's syslog-ng.
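To make the ordering point concrete, here is a small Python model, added here as an illustration; it is not syslog-ng code and not from the thread. It treats log {} statements as an ordered list, evaluates them top-down the way the discussion above describes, and honours flags(final) by stopping at the first final match. The message strings, destination names and the "include before/after" arrangements are constructed for the example.

```python
"""Toy model of how syslog-ng walks its log {} statements, to show why the
@include line must come before the catch-all log {} in syslog-ng.conf.

Added illustration, not syslog-ng code. It models only two behaviours:
log statements are evaluated in file order, and flags(final) stops a
matching message from reaching any later statement.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LogPath:
    destination: str
    pattern: Optional[str] = None   # regex on the message text; None = match all
    final: bool = False             # models flags(final)

    def matches(self, msg: str) -> bool:
        return self.pattern is None or re.search(self.pattern, msg) is not None


def route(paths: List[LogPath], messages: List[str]) -> Dict[str, List[str]]:
    """Deliver each message to every matching path in order; stop at a final one."""
    delivered: Dict[str, List[str]] = {p.destination: [] for p in paths}
    for msg in messages:
        for path in paths:
            if path.matches(msg):
                delivered[path.destination].append(msg)
                if path.final:
                    break
    return delivered


# Constructed sample messages in the shape of the thread's Skynet lines.
SAMPLE = [
    "kernel: BLOCKED - [INBOUND] IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1",
    "Skynet: [i] 4096 IPs (+0) -- 512 Ranges Banned (+0)",
    "dnsmasq[1234]: started, version 2.80",
]

# The two statements from the included "skynet" file: BLOCKED lines are
# final (skynet-0.log only); summary lines go to skynet-0.log and on to messages.
SKYNET_PATHS = [
    LogPath("skynet-0.log", r"BLOCKED -", final=True),
    LogPath("skynet-0.log", r"Ranges Banned"),
]
CATCH_ALL = LogPath("messages")   # the default log {} that writes everything


def include_before_log() -> Dict[str, List[str]]:
    """@include placed above the catch-all: filters run first."""
    return route(SKYNET_PATHS + [CATCH_ALL], SAMPLE)


def include_after_log() -> Dict[str, List[str]]:
    """Entware's default order: catch-all first, so nothing is kept out of messages."""
    return route([CATCH_ALL] + SKYNET_PATHS, SAMPLE)


if __name__ == "__main__":
    for name, result in (("include before", include_before_log()),
                         ("include after", include_after_log())):
        print(name, "-> messages has", len(result["messages"]), "lines")
```

With the include first, the BLOCKED line never reaches messages and the summary line is written to both files; with Entware's default order the catch-all has already written all three lines before the filters are consulted, which is exactly the behaviour the post above describes.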
 
@cmkelley, I see your point. I have left only the options and the sources in my syslog-ng.conf file, so it doesn't matter where the @include is, and then my destinations, filters and logs in the subdirectory.

I only use three options:
Code:
chain_hostnames(no);
flush_lines(0);
stats_freq(43200);

There is a @define directive that replaces an object with a later object, changing the default behavior, but I don't think that would help with the log {} instructions.
 
I've had a go at creating a HOWTO for setting up syslog-ng. It's written around moving the iptables logs off into their own log, and includes solutions for keeping the symlinks working. I'd like to have someone who doesn't have syslog-ng set up on their router (or someone with a spare router they can set up to avoid familial discord) give it a go.

I have been keeping my eye on this thread for a while waiting for someone to put it all together. It looks like the time has finally come for me to try my hand at syslog-ng! Thanks @cmkelley ! I will be giving this a go tomorrow and let you know how I make out. Off to a "Blue Rodeo" concert this evening...Cheers!
 
But don't they each start with a time stamp? I mean, each one is a separate message, not one message with 18 new line characters? [Release] Asuswrt-Merlin 384.9 is now available
I don't think they're separate messages. I _think_ the kernel is spitting it out all at once as a single multi-line message, and syslog-ng (same as syslogd) is splitting the multi-line message into individual lines and giving them all the same timestamp. I could be wrong about this, but I don't know how to test it other than try to set up a multi-line filter.
And I'm coming to the conclusion I'm wrong. :-( I now think it is spitting it out one line at time, which means AFAICT, there's no "easy" way to filter them. I tried using the indent-multi-line function but either I'm using it wrong (possible, but it passes the syntax check) or they're individual lines. Back to the drawing board.
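The following Python, added here as an illustration (it is not syslog-ng code and not from the thread), runs over the crash lines posted earlier in the thread plus one constructed Skynet line. It shows the two options the discussion arrives at: a per-line filter that matches each kind of crash line, which is what a stateless syslog-ng filter can express, and a stateful grouper that drops the whole block after the "unhandled ... fault" header, which is what you would need a post-processing step for. The regexes and function names are my own.

```python
"""Two ways of recognising the multi-line dcd crash dump in the syslog.

Added illustration, not from the thread and not syslog-ng code. The
stateless version mirrors what a syslog-ng filter can do (each line is
matched on its own); the stateful version shows what it takes to drop the
block as a unit, which needs state that syslog-ng filters do not keep.
"""
import re
from typing import List, Tuple

# Sample input: the first lines of the dcd crash posted in the thread,
# followed by one ordinary Skynet line (constructed) that must survive.
SAMPLE_LOG = """\
Feb  9 11:34:19 kernel: dcd[24458]: unhandled level 3 translation fault (11) at 0x00000000, esr 0x92000007
Feb  9 11:34:19 kernel: pgd = ffffffc012777000
Feb  9 11:34:19 kernel: [00000000] *pgd=000000000a3f5003, *pud=000000000a3f5003, *pmd=000000000b63e003, *pte=0000000000000000
Feb  9 11:34:19 kernel: CPU: 1 PID: 24458 Comm: dcd Tainted: P           O    4.1.27 #2
Feb  9 11:34:19 kernel: Hardware name: Broadcom-v8A (DT)
Feb  9 11:34:19 kernel: task: ffffffc01c085540 ti: ffffffc00b678000 task.ti: ffffffc00b678000
Feb  9 11:34:19 kernel: PC is at 0xf6e1bf44
Feb  9 11:34:19 kernel: LR is at 0x1dc74
Feb  9 11:34:19 kernel: pc : [<00000000f6e1bf44>] lr : [<000000000001dc74>] pstate: 600e0010
Feb  9 11:34:19 kernel: sp : 00000000ffa6a0b8
Feb  9 11:34:19 kernel: x12: 000000000009ff10
Feb  9 11:34:19 kernel: x11: 00000000f60ff024 x10: 00000000000a02b4
Feb  9 11:34:20 kernel: Skynet: [i] 4096 IPs (+0) -- 512 Ranges Banned (+0)
"""


def sample_lines() -> List[str]:
    return SAMPLE_LOG.splitlines()


# Stateless: one sub-pattern per kind of crash line, OR-ed together. This is
# the "filter which matches any of those related messages" approach; the same
# alternation could be used in a syslog-ng match() on the MESSAGE field.
CRASH_LINE_RE = re.compile(
    r"kernel: (?:"
    r"dcd\[\d+\]: unhandled .* fault"
    r"|pgd = [0-9a-f]+"
    r"|\[[0-9a-f]+\] \*pgd="
    r"|CPU: \d+ PID: \d+ Comm: dcd"
    r"|Hardware name: "
    r"|task: [0-9a-f]+ ti: "
    r"|(?:PC|LR) is at 0x"
    r"|pc : \[<"
    r"|sp : [0-9a-f]+"
    r"|x\d+ ?: [0-9a-f]{16}"
    r")"
)


def stateless_filter(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (kept, dropped), judging every line on its own."""
    kept: List[str] = []
    dropped: List[str] = []
    for line in lines:
        (dropped if CRASH_LINE_RE.search(line) else kept).append(line)
    return kept, dropped


# Stateful: after the "unhandled ... fault" header, drop every following
# kernel line that carries the same timestamp (the crash lines all share one).
# Caveat: an unrelated kernel line logged in that same second is dropped too.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) kernel: dcd\[\d+\]: unhandled"
)


def stateful_filter(lines: List[str]) -> Tuple[List[str], List[str]]:
    """Return (kept, dropped), treating header + same-second kernel lines as one block."""
    kept: List[str] = []
    dropped: List[str] = []
    block_ts = None
    for line in lines:
        header = HEADER_RE.match(line)
        if header:
            block_ts = header.group("ts")
            dropped.append(line)
        elif block_ts and line.startswith(block_ts + " kernel: "):
            dropped.append(line)
        else:
            block_ts = None
            kept.append(line)
    return kept, dropped


if __name__ == "__main__":
    for name, fn in (("stateless", stateless_filter), ("stateful", stateful_filter)):
        kept, dropped = fn(sample_lines())
        print(f"{name}: kept {len(kept)}, dropped {len(dropped)}")
```

Both approaches keep the Skynet line and drop the twelve crash lines on this input; the difference is in maintenance. The stateless alternation has to be extended every time a new kind of line appears in the dump (and a register line such as "x9 : ..." is only recognisable by its shape), while the stateful version needs only the header pattern but cannot be expressed as a syslog-ng filter, so it belongs in whatever reads the file afterwards.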
 
I've had a go at creating a HOWTO for setting up syslog-ng. It's written around moving the iptables logs off into their own log, and includes solutions for keeping the symlinks working. I'd like to have someone who doesn't have syslog-ng set up on their router (or someone with a spare router they can set up to avoid familial discord) give it a go.

*** HOWTO: Use syslog-ng to relocate iptables logs generated by Skynet ***

Purpose: use syslog-ng to replace syslogd, and relocate skynet logs.
UPDATE:
The filter f_skynet isn't working right. It seems to catch only some of the Skynet messages. I'm starting to think syslog-ng is a great idea with a marginal implementation. The documentation is severely lacking. I hope the people that pay for their support get better documentation ... Yes, I'm slightly frustrated with discovering syslog-ng's idiosyncrasies rather than having usable documentation. Wanna search for a "["? Gotta escape it TWICE "\\[". There's a couple hours of my life gone.

Anyways, the f_skynet filter should be:
Code:
filter f_skynet {
        match("Ranges Banned" value("MESSAGE"));
};
It's bedtime. I'll battle syslog-ng another day. Something weird is happening. I can't consistently filter the hourly summary statistics.

On the good news front, I appear to have syslog-ng files for both the dcd crash and the Assoc/Disassoc/ReAssoc log messages to push them off into separate files. I'm thinking of setting up a github project for those.
 
Under no circumstances should you try to have a configuration for /opt/var/log/*.log, because that would stomp all over Diversion's own log rotation.
That would indeed. Diversion's Dnsmasq logs have these file names: dnsmasq.log to dnsmasq.log2, or up to dnsmasq.log4 if alternate blocking list is enabled.
 
I tried using the indent-multi-line function but either I'm using it wrong (possible, but it passes the syntax check) or they're individual lines.
All the indent-multiline does is add a tab character to the new line character, I think. Of course it will pass the syntax check, as that won't tell you why nothing matches it.

On a slightly different note, I think it would be helpful to leave all the syslog-ng stuff in this thread, even all the grousing. No offense, but having a discussion about openvpn logging in the stubby thread makes it harder to help others.

I will post later my openvpn1 &2 server filters.
 
Here's what I use for logs for my openvpn servers:

Code:
destination openvpn1 { file("/opt/var/log/openvpn1"); };
destination openvpn2 { file("/opt/var/log/openvpn2"); };
filter f_openvpn1 { facility(daemon) and program("ovpn-server1"); };
filter f_openvpn2 { facility(daemon) and program("ovpn-server2"); };
log { source(src); filter(f_openvpn1); destination(openvpn1); };
log { source(src); filter(f_openvpn2); destination(openvpn2); };
 
