ColinTaylor
Part of the Furniture

I'd also suggest you try this to try and clean things up.
Code:
opkg update
opkg remove --force-remove syslog-ng

> I'd also suggest you try this to try and clean things up.

Manually delete all this junk?
Code:
jorg@RT-AX88U-F610:/tmp/mnt/sda5/entware/etc/init.d# opkg update
Downloading https://bin.entware.net/aarch64-k3.10/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware
jorg@RT-AX88U-F610:/tmp/mnt/sda5/entware/etc/init.d# opkg remove --force-remove syslog-ng
Removing package syslog-ng from root...
Not deleting modified conffile /opt/etc/syslog-ng.conf.
jorg@RT-AX88U-F610:/tmp/mnt/sda5/entware/etc/init.d# cat /opt/etc/syslog-ng.
syslog-ng.conf syslog-ng.conf-2022-02-25T15:01:31 syslog-ng.conf-opkg syslog-ng.d/
jorg@RT-AX88U-F610:/tmp/mnt/sda5/entware/etc/init.d# cat /opt/etc/syslog-ng.conf
#############################################################################
# syslog-ng.conf customized for scribe on Asuswrt-Merlin firmware
# compare to /opt/share/syslog-ng/examples/syslog-ng.conf-opkg for differences from Entware distribution
#
# syslog-ng documentation: https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.35/administration-guide
#
# Release notes: https://github.com/syslog-ng/syslog-ng/releases
@version: 3.35
#@include "scl.conf" # uncomment this line to for additional functionality, see syslog-ng documentation
@include "/opt/etc/syslog-ng.d/" # Put any customization files in this directory
options {
chain_hostnames(no); # Enable or disable the chained hostname format.
create_dirs(yes);
keep_hostname(yes); # Enable or disable hostname rewriting.
log_fifo_size(256); # The number of messages that the output queue can store.
log_msg_size(16384); # Maximum length of a message in bytes.
stats_freq(21600); # The period between two STATS messages sent by syslog-ng, containing statistics about dropped logs in seconds; 0 disables. (21,600 seconds = 6 hours)
flush_lines(0); # How many lines are flushed to a destination at a time.
use_fqdn(no); # Add Fully Qualified Domain Name instead of short hostname.
};
# syslog-ng gets messages from the system, kernel, and syslog-ng (internal)
# DO NOT use system() source; causes issues on HND routers
# so_rcvbuf = maximum number of messages per second * 1024
source src {
unix-dgram("/dev/log" so_rcvbuf(65536) flags(syslog-protocol));
file("/proc/kmsg" program_override("kernel") flags(kernel));
internal();
# udp(ip(192.168.x.y) port(514)); # uncomment this line to pass all network messages through syslog-ng filters
};
# if you only want to pass network messages through some syslog-ng filters, uncomment the source line below
# then add "soource(net);" to the log statement in any filter you want to pass network messages through
#source net { udp(ip(192.168.x.y) port(514)); };
# set the filename for the default log file - anything not filtered out will end up here
destination messages { file("/opt/var/log/messages"); };
# to send log messages to the local network, uncomment the destination line below
# then add "destination(log_server);" to the log statement in any filter you want to pass network messages through
#destination log_server { udp("192.168.x.y" port(514)); };
log {
source(src);
# source(net); # uncomment this and "source net" function above to get udp log messages from local network
destination(messages);
# destination(log_server); # uncomment this and "destination log_server" function above to send udp log messages to local network
};
jorg@RT-AX88U-F610:/tmp/mnt/sda5/entware/etc/init.d#
> Manually delete all this junk?

Yes, delete all that stuff.
Code:
rm /opt/etc/syslog-ng.conf*
rm -fr /opt/etc/syslog-ng.d

> Yes, delete all that stuff.

Where is the regular built-in syslog configured? I'm not gonna mess any of that up?

> Where is the regular built-in syslog configured? I'm not gonna mess any of that up?

There are no config files for the built-in syslog.

> There are no config files for the built-in syslog.

Would the steps we went through have broken the Skynet Stats in the GUI? It's not generating stats anymore and I tried the "Update Stats" button, but it didn't generate anything. I was able to generate some via the firewall menu via SSH.

> Would the steps we went through have broken the Skynet Stats in the GUI?

Run these commands and see if it changes anything. Do you see any blocks in the system log?
Code:
firewall settings syslog default
firewall settings syslog1 default

> Run these commands and see if it changes anything. Do you see any blocks in the system log?

Ok, just ran those commands. Yes, I see lots of outbound blocks occurring and I'm trying to hunt to find out what processes are reaching out to them, and if they are truly malicious IPs, which could indicate a potential compromise.
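Added worked example (editor's addition, not part of the thread and not Skynet's own code): a small POSIX sh script that reduces Skynet's outbound-block log lines to "which LAN host, to which destination and port, how often", which is the first step of the hunt described in the post above. The log lines embedded in SAMPLE_LOG are constructed for the example; the "[BLOCKED - OUTBOUND]" prefix and the netfilter LOG field layout are assumed to match what Skynet writes to the file named by syslogloc in skynet.cfg (/tmp/syslog.log), so point outbound_blocks at that file on a real router.

```shell
#!/bin/sh
# Added example, not from the thread or from Skynet: summarise outbound blocks
# per LAN host. SAMPLE_LOG is a constructed stand-in for /tmp/syslog.log; the
# "[BLOCKED - OUTBOUND]" prefix and the SRC=/DST=/PROTO=/DPT= field layout are
# assumed to match Skynet's netfilter LOG rules.
SAMPLE_LOG='Jun 19 15:30:01 RT-AX88U kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.50.20 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 19 15:30:02 RT-AX88U kernel: [BLOCKED - INBOUND] IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.200 LEN=40 PROTO=TCP SPT=44321 DPT=22
Jun 19 15:30:05 RT-AX88U kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.50.20 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=51235 DPT=443
Jun 19 15:30:09 RT-AX88U kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.50.31 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40001 DPT=443
Jun 19 15:30:11 RT-AX88U kernel: [BLOCKED - OUTBOUND] IN=br0 OUT=eth0 SRC=192.168.50.20 DST=198.51.100.9 LEN=60 PROTO=UDP SPT=5353 DPT=8080
Jun 19 15:30:12 RT-AX88U rc_service: service 1234:notify_rc restart_firewall'

# Only the outbound-block lines; inbound blocks and unrelated syslog noise drop out.
# On the router replace the printf with: cat /tmp/syslog.log /tmp/syslog.log-1
outbound_blocks() {
    printf '%s\n' "$SAMPLE_LOG" | grep -F '[BLOCKED - OUTBOUND]'
}

# One line per LAN host, "<count> <SRC>", busiest host first.
count_by_src() {
    outbound_blocks | awk '{
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 4) == "SRC=") c[substr($i, 5)]++
    } END { for (s in c) print c[s], s }' | sort -rn -k1,1
}

# For one LAN host: "<count> <DST>:<DPT>/<PROTO>", most frequent first. The
# destination port is what to search for on that device (ss/netstat there show
# the owning process; the router only ever sees the source IP).
dst_for_src() {
    outbound_blocks | awk -v want="$1" '{
        src = dst = dpt = proto = ""
        for (i = 1; i <= NF; i++) {
            k = substr($i, 1, 4); v = substr($i, 5)
            if (k == "SRC=") src = v
            else if (k == "DST=") dst = v
            else if (k == "DPT=") dpt = v
            else if (substr($i, 1, 6) == "PROTO=") proto = substr($i, 7)
        }
        if (src == want) c[dst ":" dpt "/" proto]++
    } END { for (d in c) print c[d], d }' | sort -rn -k1,1
}

# Stand-alone run: busiest hosts, then the detail for the top one in the sample.
count_by_src
dst_for_src 192.168.50.20
```

On the sample this reports 192.168.50.20 as the host with three blocked attempts, two of them to 203.0.113.7:443. A destination hit from several LAN hosts is more often a CDN or list false positive than a compromise; a single host repeatedly hitting an IP on a reputation list on an odd port is the one to inspect from that device.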
> Ok, just ran those commands. Yes, I see lots of outbound blocks occurring.

Try to run:
Code:
firewall debug genstats
to force stats creation and then check the GUI.

> Try to run:
> Code:
> firewall debug genstats

Still blank :/

> Still blank :/

Please share the output of:
Code:
ls -laR /tmp/mnt/*/skynet/

> Please share the output of:
> Code:
> ls -laR /tmp/mnt/*/skynet/

Code:
# ls -laR /tmp/mnt/*/skynet/
/tmp/mnt/sda5/skynet/:
drwxrwxrwx 4 jorg root 4096 Jun 18 18:26 .
drwxrwxrwx 6 jorg root 4096 May 10 12:21 ..
-rw-rw-rw- 1 jorg root 14033 Jun 19 15:37 events.log
drwxrwxrwx 2 jorg root 4096 Jun 18 18:26 lists
-rw-rw-rw- 1 jorg root 946 Jun 19 15:38 skynet.cfg
-rw-rw-rw- 1 jorg root 28416166 Jun 19 15:00 skynet.ipset
-rw-rw-rw- 1 jorg root 10141858 Jun 19 15:37 skynet.log
drwxrwxrwx 2 jorg root 4096 Jun 19 15:38 webui
/tmp/mnt/sda5/skynet/lists:
drwxrwxrwx 2 jorg root 4096 Jun 18 18:26 .
drwxrwxrwx 4 jorg root 4096 Jun 18 18:26 ..
-rw-rw-rw- 1 jorg root 3440424 Jun 18 18:26 1.txt
-rw-rw-rw- 1 jorg root 8963 Jun 18 18:26 IPlist.list
-rw-rw-rw- 1 jorg root 9495 Jun 18 18:26 alienvault_reputation.ipset
-rw-rw-rw- 1 jorg root 52523 Jun 18 18:26 bds_atif.ipset
-rw-rw-rw- 1 jorg root 17331 Jun 18 18:26 bi_any_2_30d.ipset
-rw-rw-rw- 1 jorg root 1118160 Jun 18 18:26 blocklist_net_ua.ipset
-rw-rw-rw- 1 jorg root 217763 Jun 18 18:26 ciarmy.ipset
-rw-rw-rw- 1 jorg root 10459 Jun 18 18:26 coinbl_hosts_browser.ipset
-rw-rw-rw- 1 jorg root 18928 Jun 18 18:26 cybercrime.ipset
-rw-rw-rw- 1 jorg root 1083 Jun 18 18:26 dshield.netset
-rw-rw-rw- 1 jorg root 1122 Jun 18 18:26 dshield_1d.netset
-rw-rw-rw- 1 jorg root 1975 Jun 18 18:26 dyndns_ponmocup.ipset
-rw-rw-rw- 1 jorg root 28201 Jun 18 18:26 emerging-Block-IPs.txt
-rw-rw-rw- 1 jorg root 26785 Jun 18 18:26 et_block.netset
-rw-rw-rw- 1 jorg root 6793 Jun 18 18:26 et_compromised.ipset
-rw-rw-rw- 1 jorg root 16069 Jun 18 18:26 et_spamhaus.netset
-rw-rw-rw- 1 jorg root 246933 Jun 18 18:26 export-ips_all.txt
-rw-rw-rw- 1 jorg root 33175 Jun 18 18:26 firehol_level1.netset
-rw-rw-rw- 1 jorg root 180652 Jun 18 18:26 firehol_level2.netset
-rw-rw-rw- 1 jorg root 254466 Jun 18 18:26 firehol_level3.netset
-rw-rw-rw- 1 jorg root 90427 Jun 18 18:26 greensnow.ipset
-rw-rw-rw- 1 jorg root 105791 Jun 18 18:26 greensnow.txt
-rw-rw-rw- 1 jorg root 194230 Jun 18 18:26 iblocklist_ciarmy_malicious.netset
-rw-rw-rw- 1 jorg root 427502 Jun 18 18:26 iblocklist_pedophiles.netset
-rw-rw-rw- 1 jorg root 14895 Jun 18 18:26 iblocklist_spamhaus_drop.netset
-rw-rw-rw- 1 jorg root 32763 Jun 18 18:26 ip-blacklist
-rw-rw-rw- 1 jorg root 10682 Jun 18 18:26 ipblocklist.txt
-rw-rw-rw- 1 jorg root 246297 Jun 18 18:26 iprbl.txt
-rw-rw-rw- 1 jorg root 43106 Jun 18 18:26 latest_blacklist.txt
-rw-rw-rw- 1 jorg root 1035 Jun 18 18:26 malc0de.ipset
-rw-rw-rw- 1 jorg root 9116 Jun 18 18:26 myip.ipset
-rw-rw-rw- 1 jorg root 8627 Jun 18 18:26 normshield_high_attack.ipset
-rw-rw-rw- 1 jorg root 3619 Jun 18 18:26 normshield_high_bruteforce.ipset
-rw-rw-rw- 1 jorg root 309 Jun 18 18:26 raw.php
-rw-rw-rw- 1 jorg root 16095 Jun 18 18:26 spamhaus_drop.netset
-rw-rw-rw- 1 jorg root 4681 Jun 18 18:26 spamhaus_edrop.netset
-rw-rw-rw- 1 jorg root 6359 Jun 18 18:26 strongips.txt
-rw-rw-rw- 1 jorg root 52741 Jun 18 18:26 tor-exit-nodes.lst
-rw-rw-rw- 1 jorg root 1163283 Jun 18 18:26 update
-rw-rw-rw- 1 jorg root 3363 Jun 18 18:26 urlvir.ipset
/tmp/mnt/sda5/skynet/webui:
drwxrwxrwx 2 jorg root 4096 Jun 19 15:38 .
drwxrwxrwx 4 jorg root 4096 Jun 18 18:26 ..
-rw-rw-rw- 1 jorg root 173077 May 9 21:51 chart.js
-rw-rw-rw- 1 jorg root 9752 May 9 21:51 chartjs-plugin-zoom.js
-rw-rw-rw- 1 jorg root 20765 May 9 21:51 hammerjs.js
-rw-rw-rw- 1 jorg root 40277 May 9 21:51 skynet.asp
-rw-rw-rw- 1 jorg root 8969 Jun 19 15:38 stats.js
jorg@RT-AX88U-F610:/tmp/home/root#
Is the "Display WebUI" option showing enabled in the Skynet settings menu?
Or maybe easier to share:
Code:
cat /tmp/mnt/sda5/skynet/skynet.cfg
tail -10 /tmp/mnt/sda5/Skynet/skynet.log
grep skynetloc /jffs/scripts/firewall

> Or maybe easier to share:

Looks like there's an issue with the second command:
Code:
# cat /tmp/mnt/sda5/skynet/skynet.cfg
################################################
## Generated By Skynet - Do Not Manually Edit ##
## Jun 19 16:00:05 ##
## Installer ##
model="RT-AX88U"
localver="v7.4.4"
autoupdate="enabled"
banmalwareupdate="daily"
forcebanmalwareupdate=""
logmode="enabled"
filtertraffic="all"
swaplocation="/tmp/mnt/sda5/myswap.swp"
## Counters / Lists ##
blacklist1count="395293"
blacklist2count="17977"
customlisturl="https://raw.githubusercontent.com/jumpsmm7/GeneratedAdblock/master/filter.list"
customlist2url=""
countrylist=""
excludelists=""
## Settings ##
unbanprivateip="enabled"
loginvalid="disabled"
banaiprotect="enabled"
securemode="enabled"
extendedstats="enabled"
fastswitch="disabled"
syslogloc="/tmp/syslog.log"
syslog1loc="/tmp/syslog.log-1"
iotblocked="disabled"
iotports=""
iotproto="udp"
lookupcountry="enabled"
cdnwhitelist="enabled"
displaywebui="enabled"
################################################
jorg@RT-AX88U-F610:/tmp/home/root# tail -10 /tmp/mnt/sda5/Skynet/skynet.log
tail: can't open '/tmp/mnt/sda5/Skynet/skynet.log': No such file or directory
tail: no files
> Looks like there's an issue with the second command:

Sorry, 2 errors on my side:
Code:
tail -10 /tmp/mnt/sda5/skynet/skynet.log
grep skynetloc /jffs/scripts/firewall-start

> Sorry, 2 errors on my side:

Last command was too big to post. Attached as .txt file.

Oh, could be more scribe leftovers. Please check:
Code:
ls -l /opt/bin/scribe
ls -l /opt/etc/syslog-ng.d/skynet
If either are found, remove them:
Code:
rm /opt/bin/scribe /opt/etc/syslog-ng.d/skynet
Also check the directory:
Code:
ls -laR /www/user/skynet
cat /www/user/skynet/stats.js
And also open your browser console with F12 and reload the Skynet GUI and look for errors.

> Oh, could be more scribe leftovers. Please check:

Stats are working! I just removed "/opt/bin/scribe" - not sure if that is what fixed it as I hadn't refreshed the stats page today before I did that. Thank you!
Code:
# ls -l /opt/bin/scribe
lrwxrwxrwx 1 jorg root 20 Feb 25 2022 /opt/bin/scribe -> /jffs/scripts/scribe
jorg@RT-AX88U-F610:/tmp/home/root# ls -l /opt/etc/syslog-ng.d/skynet
ls: /opt/etc/syslog-ng.d/skynet: No such file or directory
jorg@RT-AX88U-F610:/tmp/home/root# ls -l /jffs/scripts/ | grep -i scribe
jorg@RT-AX88U-F610:/tmp/home/root# rm /opt/bin/scribe
jorg@RT-AX88U-F610:/tmp/home/root# ls -laR /www/user/skynet
/www/user/skynet:
drwxrwxrwx 2 jorg root 120 Jun 19 03:36 .
drwxr-xr-x 6 jorg root 260 Jun 19 03:36 ..
lrwxrwxrwx 1 jorg root 35 Jun 19 03:36 chart.js -> /tmp/mnt/sda5/skynet/webui/chart.js
lrwxrwxrwx 1 jorg root 49 Jun 19 03:36 chartjs-plugin-zoom.js -> /tmp/mnt/sda5/skynet/webui/chartjs-plugin-zoom.js
lrwxrwxrwx 1 jorg root 38 Jun 19 03:36 hammerjs.js -> /tmp/mnt/sda5/skynet/webui/hammerjs.js
lrwxrwxrwx 1 jorg root 35 Jun 19 03:36 stats.js -> /tmp/mnt/sda5/skynet/webui/stats.js
jorg@RT-AX88U-F610:/tmp/home/root# cat /www/user/skynet/stats.js
function SetBLCount1() {
document.getElementById("blcount1").innerHTML = "395293"
}
function SetBLCount2() {
document.getElementById("blcount2").innerHTML = "17977"
}
function SetHits1() {
document.getElementById("hits1").innerHTML = "3113"
}
function SetHits2() {
document.getElementById("hits2").innerHTML = "355"
}
function SetStatsDate() {
document.getElementById("statsdate").innerHTML = "Monitoring From Jun 19 17:00:01 To Jun 20 00:43:57"
}
function SetStatsSize() {
document.getElementById("statssize").innerHTML = "Log Size - (956.0KB)"
}
var DataInPortHits;
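Added worked example (editor's addition, not from the thread, Skynet or scribe): the ls output above shows why the last leftover was easy to miss. /opt/bin/scribe was a symlink to /jffs/scripts/scribe, and the grep of /jffs/scripts/ returned nothing, so it was a dangling link that `ls -l` lists happily but `[ -e ]` treats as absent. The functions below classify each candidate path so a cleanup can be verified rather than eyeballed. The candidate list is just the paths this thread touched and is an assumption for the example; extend it for your own install.

```shell
#!/bin/sh
# Added example, not from the thread, Skynet or scribe: verify that a
# syslog-ng/scribe cleanup left nothing behind, including dangling symlinks.
# LEFTOVER_CANDIDATES is the set of paths the thread touched (assumed, not
# a complete inventory of what scribe installs).
LEFTOVER_CANDIDATES='/opt/bin/scribe
/jffs/scripts/scribe
/opt/etc/syslog-ng.conf
/opt/etc/syslog-ng.conf-opkg
/opt/etc/syslog-ng.d
/opt/etc/syslog-ng.d/skynet'

# classify_path PATH -> file | dir | symlink | dangling-symlink | missing
# -L is checked before -e because -e follows the link and is false for a
# dangling one, which is exactly the case that hides a leftover.
classify_path() {
    if [ -L "$1" ]; then
        if [ -e "$1" ]; then echo symlink; else echo dangling-symlink; fi
    elif [ -d "$1" ]; then
        echo dir
    elif [ -e "$1" ]; then
        echo file
    else
        echo missing
    fi
}

# audit_leftovers PATH... -> one "<status> <path>" line per candidate
audit_leftovers() {
    for p in "$@"; do
        printf '%s %s\n' "$(classify_path "$p")" "$p"
    done
}

# count_present PATH... -> how many candidates still exist in any form
# (grep -c prints 0 but exits 1 on no match, hence the || true)
count_present() {
    audit_leftovers "$@" | grep -vc '^missing ' || true
}

# Stand-alone run over the thread's candidate paths; every line should read
# "missing" once the cleanup is complete. Word-splitting the list is intended.
audit_leftovers $LEFTOVER_CANDIDATES
echo "still present: $(count_present $LEFTOVER_CANDIDATES)"
```

Run it after the rm commands from the thread and again after a reboot; anything other than "missing" (and in particular "dangling-symlink") is a leftover to remove before concluding that scribe is gone.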