How to have syslogd print the hostname?

[diwa]

Hi,

I want to export my asuswrt merlin router's syslog to an OSSEC server.
As there is no Ossec client compatible with the router, I use Ossec's syslog support.

So far router's syslog is successfully exported to my Ossec server, though the last bit that prevents it to work is the log that is not compliant with the HEADER format:

TIMESTAMP HOSTNAME

The hostname (or its IP) is missing and thus Ossec can't parse/use it:

Feb  1 10:01:36 syslogd exiting
Feb  1 10:01:49 syslogd started: BusyBox v1.20.2

Busybox's syslogd doesn't seem to have such config to disable hostname print so it might come from elsewhere.
I tried to remove the -S option but with no impact.

Any idea on how I could fix this?

Thanks for your help

 

[longstaff]

As an exercise in using git, compiling and generally tinkering with the firmware I took a look into the missing hostname in syslog. I hoped to find an explanation but I've found a bug.

I've tracked it down to a bug in busybox version used in the firmware which means that small log format is always used regardless of -S option. Small log format omits hostname.

The culprit is that option_mask32 is always set to use option small in sysklogd/syslogd.c

	//if (opts & OPT_small) // -S
	option_mask32 |= OPT_small;     // make syslog smaller.

I've tested it by commenting out the option_mask32 line and then killing and starting syslog without the -S option set. Of course this is only possible by compiling and flashing custom firmware yourself.

I've looked at the git of Busybox 1_23_stable and the option_mask32 line is missing. At least I think it is as busybox git hosting is a bit different to GitHub.

Hopefully RMerlin will be able to verify and fix in the next beta, maybe even with a new nvram parameter to start syslogd with or without the -S option

 

[diwa]

Hi Longstaff,

Thanks a lot for finding out this issue. At least I now know where my missing hostname lies and will wait for a fix in one of RMerlin's next deliveries.

I hope your exercise was also good on git! ;-)

 

[RMerlin]

As an exercise in using git, compiling and generally tinkering with the firmware I took a look into the missing hostname in syslog. I hoped to find an explanation but I've found a bug.

I've tracked it down to a bug in busybox version used in the firmware which means that small log format is always used regardless of -S option. Small log format omits hostname.

The culprit is that option_mask32 is always set to use option small in sysklogd/syslogd.c

	//if (opts & OPT_small) // -S
	option_mask32 |= OPT_small;     // make syslog smaller.

I've tested it by commenting out the option_mask32 line and then killing and starting syslog without the -S option set. Of course this is only possible by compiling and flashing custom firmware yourself.

I've looked at the git of Busybox 1_23_stable and the option_mask32 line is missing. At least I think it is as busybox git hosting is a bit different to GitHub.

Hopefully RMerlin will be able to verify and fix in the next beta, maybe even with a new nvram parameter to start syslogd with or without the -S option

That was changed by Asus in 3.0.0.4.354 (commit 3cf5a2cb03146e2728f778a143bc1fa51ca90557 from my Github repo), not sure why however since Asuswrt does specify -S at launch time anyway. I'll experiment with changing this so to only enable it if -S is specified. Note that you will still be responsible for stopping and restarting syslogd without -S if you really need the "full" version. I don't plan on making it configurable as this is too niche of a feature. It should be trivial to change this through a services-start script in theory.

 

[john9527]

I've been playing with this on my fork, and have the option coded in services.c

Only problem I'm having is that it isn't picking up the hostname....it's listed as (none). Will be interested if you get the same results (maybe that's why they disabled it?).

EDIT: It's a timing problem....if I kill and restart syslogd the hostname shows up fine.

EDIT2: It looks like by default the hostname is only read when syslogd starts. I added some code to check and update the hostname if it's undefined, and it looks like it takes about 2 sec after syslogd starts at boot for the hostname to become available.

 

[diwa]

Note that you will still be responsible for stopping and restarting syslogd without -S if you really need the "full" version. I don't plan on making it configurable as this is too niche of a feature. It should be trivial to change this through a services-start script in theory.

This issue gave me the opportunity to read on the forum things on these scripts launched at startup with multiple examples to tweak syslog. So this is more than OK for me!

Thanks a lot for your work.