Scribe scribe 3.x_y - syslog-ng and logrotate installer

[elorimer]

A few random thoughts reading this, never having had the problem but admiring the tenacity with which it is being attacked.

1. There really isn't any reason why syslog-ng has to start first or early. I think it just seems to make sense that it should and that's why it is S01. But copying the messages up to the point that syslogd is killed into messages (and this goes back to the first method of running syslog-ng) and then starting syslog-ng keeps a continuous log.
2. There is a hiccup that can occur where messages loses some beginning logging. I haven't quite figured it out but I think it is a combo of the buffers and the lack of flow control. In my cases, there are about 1100 messages in the starting sequence before S01 kicks in. They aren't long messages though. But between killing syslogd/klogd, copying messages, starting syslog-ng, there is a gap. That's partly why I use a larger buffer, copy the startup sequence to a file (sudden thought--maybe i would be better just renaming it), start syslog-ng and then use flow control, in an effort to shrink that gap as much as possible. Too large a buffer also results in a loss of messages, and I haven't figured that out. But log_fifo_size of 256 is too small and log_msg_size of 16k is too big (also, you have to multiply those with the number of destinations to get total memory use). I use 2048 and 4096.
3. I absolutely hate this idea of putting the kill instructions in a 30 second loop. I can imagine how painful this is for @cmkelley. I don't know what might be happening at the sockets if syslogd and klogd keep restarting, but it seems likely that the messages at this part of the start cycle are being lost if the daemons are hitting the sockets before syslog-ng steps in to do that. I'd be less troubled if syslog-ng were S99. Are messages being lost with this new method? Perhaps you need to log how many kill cycles you are running to tell.
4. All in all, my suggestion would be to go back to what was working for most people, but perhaps put in a watchdog at the 30 second mark to see if syslog-ng is running, and if not, restart scribe.

Separately, syslog-ng will use the original time stamp of a message (except for network sources, where it seems to add its own as well), but you can also have it use the time stamp of when it is processed.

 

[cmkelley]

After (or before, it really doesn't matter) updating syslog-ng to 4.2 (e.g. today's Entware update) or higher, please run the following from your router's command line:

/bin/sed -i "s/stats_freq(21600)/stats(freq(21600))/g" /opt/etc/syslog-ng.conf

If you've changed the stats_freq value in your syslog-ng.conf, you'll have to either change the above to match, or just make this change by hand.
If you don't, you'll get an annoying message the next time you run "scribe status" but other than that, everything will still work.

 

[ColDen]

After (or before, it really doesn't matter) updating syslog-ng to 4.2 (e.g. today's Entware update) or higher, please run the following from your router's command line:

/bin/sed -i "s/stats_freq(21600)/stats(freq(21600))/g" /opt/etc/syslog-ng.conf

If you've changed the stats_freq value in your syslog-ng.conf, you'll have to either change the above to match, or just make this change by hand.
If you don't, you'll get an annoying message the next time you run "scribe status" but other than that, everything will still work.

Since I did update entware today and also have syslog-ng updated from 3.38 to 4.2, I have followed your advise and ran your provided script (just in case the 'annoying' message only showed one time since the updates...):

 

[cmkelley]

If you didn't fix it, "scribe reload" would bring it back up since that makes it read the configuration file from the disk.

 

[ColDen]

If you didn't fix it, "scribe reload" would bring it back up since that makes it read the configuration file from the disk.

And this is why I have followed your recommendation even if I was under the impression that I would not have seem that message again nevertheless.

Thank you for your dedicated times and hard works for providing/supporting Scribe (and uiScribe).

 

[maghuro]

Let me ask you something:

Is /opt/var/log sometimes trimmed? Or it'll keep filling until router runs out of space?

Thanks in advance

 

[thelonelycoder]

Let me ask you something:

Is /opt/var/log sometimes trimmed? Or it'll keep filling until router runs out of space?

Thanks in advance

Dnsmasq logs are taken care of in Diversion. Not sure about other files.

 

[elorimer]

logrotate

 

[maghuro]

logrotate

But what's the threshold?

 

[elorimer]

If you are using uiscribe, each log should be under (I think well under) 1mb. Beyond that it depends a little on how much you want ready at hand, so the question is what minimum and whether you want it daily or not. Set the basic in logrotate.conf, and then set individual overrides in logrotate.d

 

[cmkelley]

But what's the threshold?

It depends on the log. As installed by scribe, most are set to rotate by size, some just by time. The default number to keep is 4, messages keeps 9, many of the "nuisance" are set for 2, but it's not difficult to change the files in /opt/etc/logrotate.d/ to whatever you like. Some people have changed theirs to simply discard the nuisance messages.

 

[cmkelley]

scribe 3.2_0 is up

- scribe should now should automatically fix the stats_freq obsoleted message (by patching the syslog-ng.conf file)
- added filter / logrotate file for "bsd" messages, & annoyed Asus / Qualcomm / whoever picked "bsd" for the program name, BSD as far as I'm concerned is a Unix flavor from U.C. Berkeley. c.f FreeBSD, OpenBSD, NetBSD, etc (there's an '*BSD is dying' joke in there somewhere for us old-timers).

@elorimer, I'm sympathetic to the issue of log files being wiped out, but I'm pretty jammed up just lately. It's on my list of things to investigate and fix if possible. There seems to be some difference in what happens when the router has the syslog file in /jffs vs. when it's in /tmp. On my (now dead) AC86U which used /tmp, I wasn't seeing the log file wiped out ... but with the same code on my AX86U which uses /jffs, it seems to be getting regularly wiped out. So I have no clue why that should be different, and I'm in the same position I was before, trying to fix it for two variations and only having one to test.

 

[ColDen]

scribe 3.2_0 is up

- scribe should now should automatically fix the stats_freq obsoleted message (by patching the syslog-ng.conf file)
- added filter / logrotate file for "bsd" messages, & annoyed Asus / Qualcomm / whoever picked "bsd" for the program name, BSD as far as I'm concerned is a Unix flavor from U.C. Berkeley. c.f FreeBSD, OpenBSD, NetBSD, etc (there's an '*BSD is dying' joke in there somewhere for us old-timers).

@elorimer, I'm sympathetic to the issue of log files being wiped out, but I'm pretty jammed up just lately. It's on my list of things to investigate and fix if possible. There seems to be some difference in what happens when the router has the syslog file in /jffs vs. when it's in /tmp. On my (now dead) AC86U which used /tmp, I wasn't seeing the log file wiped out ... but with the same code on my AX86U which uses /jffs, it seems to be getting regularly wiped out. So I have no clue why that should be different, and I'm in the same position I was before, trying to fix it for two variations and only having one to test.

Scribe updated without (so far) any observable issues.

Thanks cmkelley!

 

[CaptnDanLKW]

I've fought a number of issues with my simple setup which includes scribe, conmon and dn-vnstat. The only other entware program I installed is htop.

Back story...

Four times in the past 3 months my entware install has gone haywire. The FIRST time only was when I updated all the entware packages through amtm. Many binaries that scribe and dn-vmstat called would segfault. Came back to the updated libraries. I redid my entware and packages from the ground up. (I saved my vnstat.db and my scribe scripts)

Since then, the problem returned 2-3 more times, specifically NOT updating any entware packages based on past experience and messages read here.

A few times after reinstalling it seems like everything is good but one binary - logrotate would complain about invalid ELF header

Jun 18 00:05:00 RTAC86U kernel: logrotate[1759]: unhandled level 2 translation fault (11) at 0x00000008, esr 0x92000006
running logrotate manually i get this.

Jun 18 07:20:23 RTAC86U logrotate: /opt/sbin/logrotate: error while loading shared libraries: /opt/lib/libpopt.so.0: invalid ELF header

I did an opkg, forced a reinstall of libpopt and logrotate begain working again. I thought I was back to normal, so I came here to compose this message and in my efforts to find some entries (and dates) to paste here for reference, I found that the 'grep' command is also now corrupted.

xxx@RTAC86U:/tmp/mnt/8GBUSB/entware/bin# grep
grep: error while loading shared libraries: ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒RA▒▒▒: cannot open shared object file: Error 36

and
xxx@RTAC86U:/tmp/mnt/8GBUSB/entware/bin# htop
Segmentation fault

and
xxx@RTAC86U:/tmp/mnt/8GBUSB/entware/bin# vnstati
Inconsistency detected by ld.so: get-dynamic-info.h: 124: elf_get_dynamic_info: Assertion `info[DT_PLTREL]->d_un.d_val == DT_RELA' failed!

So, looks like I'll start my whole entware setup and configuration again.

I'll truncate this post here as I try to repair everything again, but the TL;DR of this message is that without updating entware, scribe (syslog-ng and / or logrotate) have abruptly started to fail for no reason with the same symptoms, as if entware was updated, from a couple months ago.

Entware still does NOT automatically upgrade packages, right? Looking for advice or if anyone else started having wonky issues lately.

 

[CaptnDanLKW]

So I've started from scratch, and here's a repeatable show stopper.

inflating: scribe-master/syslog-ng.share/syslogng
inflating: scribe-master/syslog-ng.share/wlceventd
Downloading https://bin.entware.net/aarch64-k3.10/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware

Installing syslog-ng (4.2.0-1) to root...
Downloading https://bin.entware.net/aarch64-k3.10/syslog-ng_4.2.0-1_aarch64-3.10.ipk
Configuring syslog-ng.
Segmentation fault

syslog-ng version 3.19 or higher required!
Please update your Entware packages and run scribe install again.

Removing package syslog-ng from root...

Steps
1-Fresh Entware
2-Swap
3-Install Scmerlin
4-install conmon <-- This also installs sqlite3 and dependencies.
5-reboot
6-Try to install scribe and I get the above error.

I'll try again without conmon, perhaps that's the catalyst, if so then might there be a major dependency issue that probably extends beyond my small issue? I don't see any big discussion threads about broken entware packages.

 

[cmkelley]

So I've started from scratch, and here's a repeatable show stopper.

inflating: scribe-master/syslog-ng.share/syslogng
inflating: scribe-master/syslog-ng.share/wlceventd
Downloading https://bin.entware.net/aarch64-k3.10/Packages.gz
Updated list of available packages in /opt/var/opkg-lists/entware

Installing syslog-ng (4.2.0-1) to root...
Downloading https://bin.entware.net/aarch64-k3.10/syslog-ng_4.2.0-1_aarch64-3.10.ipk
Configuring syslog-ng.
Segmentation fault

syslog-ng version 3.19 or higher required!
Please update your Entware packages and run scribe install again.

Removing package syslog-ng from root...

Steps
1-Fresh Entware
2-Swap
3-Install Scmerlin
4-install conmon <-- This also installs sqlite3 and dependencies.
5-reboot
6-Try to install scribe and I get the above error.

I'll try again without conmon, perhaps that's the catalyst, if so then might there be a major dependency issue that probably extends beyond my small issue? I don't see any big discussion threads about broken entware packages.

That's wild. Interestingly enough, I started having random reboots and lockups with my AC86U a couple months ago and I finally "solved" it by buying a new router(!) I went through similar as you with my AC86U first, factory reset, install everything from scratch, etc., and everything was good for a few days and then it started randomly rebooting again. I was at a loss and honestly was not even sure a new router would fix it. But having the internet go out randomly was pretty major in my house, and thankfully the new router isn't having problems. I never saw segfaults, but that doesn't mean they didn't occur. In my case I never had issues installing anything. FWIW, I never reinstalled conmon after the initial factory reset on my old router either, but I still eventually had random reboots and lockups. I did not try regressing to earlier firmware versions though. If you have a lot of free time on your hands (I didn't / still don't) and your household can tolerate it, you could try going back to say 386.9 and see if it repeats.

grep and htop segfaulting seems a "very bad sign" to me. In addition to a software problem it could be indicative of a failing router or storage as well. What are you using for storage? If it's a flash drive, did you try switching to a new one, or better yet, switching to an external SSD? Flash drives really aren't made for the kind of write cycles that syslog-ng puts on them (per RMerlin the jffs "drive" in the routers is higher-spec than a typical flash drive and can take the write cycles). I didn't even reformat my SSD when I changed routers, just renamed the entware directory, deleted the swap file, and started over.

 

[CaptnDanLKW]

Ok, 12-hour update. Things are back to normal since I made 2 changes.

1) Changed to lonelycoder's alternate entware source.
2) Used different USB drive

When I attempted a full entware setup again, the process timed out and said the main entware repository was unavailable. I suspect the root cause of at least one yesterday's re-do failures was (probably) a silent failed download (without returning an error) of a core entware library, followed by installs of conmon and/or scribe and which and their libraries.

It doesn't explain my original post of wondering 'why' scribe (syslog-ng / logrotate) and other entware binaries (/opt/bin/find, /opt/bin/grep) started to segfault over the past couple months.

I don't think it's was/is the USB but time will tell.

Fairly sure my 2 AC86Us are still healthy. Modded with copper heatsinks a while back, CPU 20 degrees cooler than stock on the CPU and about 5 on the radios.

Thanks

 

[Digimite]

I recently noticed in my logfiles that messages were being duplicated in both the system log messages and the customized log messages configured through the /opt/etc/syslog-ng.d directory. I finally tracked it down to where the @include “/opt/etc/syslog-ng.d/“ Line occurs in the syslog-ng.conf file. i think the location In the default config file is at the end of the file which means messages will be duplicated. Moving it to the top of the file will avoid the duplication (if using the flags(final) command).

 

[cmkelley]

I recently noticed in my logfiles that messages were being duplicated in both the system log messages and the customized log messages configured through the /opt/etc/syslog-ng.d directory. I finally tracked it down to where the @include “/opt/etc/syslog-ng.d/“ Line occurs in the syslog-ng.conf file. i think the location In the default config file is at the end of the file which means messages will be duplicated. Moving it to the top of the file will avoid the duplication (if using the flags(final) command).

The syslog-ng.conf file that scribe installs does have the @include “/opt/etc/syslog-ng.d/“ line near the top.

#############################################################################
# syslog-ng.conf customized for scribe on Asuswrt-Merlin firmware
# compare to /opt/share/syslog-ng/examples/syslog-ng.conf-opkg for differences from Entware distribution
#
# syslog-ng documentation: https://www.syslog-ng.com/technical-documents/list/syslog-ng-open-source-edition
#
# Release notes: https://github.com/syslog-ng/syslog-ng/releases

@version: 4.2
#@include "scl.conf" # uncomment this line to for additional functionality, see syslog-ng documentation
@include "/opt/etc/syslog-ng.d/" # Put any customization files in this directory

That said, yes, it would make sense that using a config file with the @include at the bottom would result in duplicated messages.

 

[elorimer]

Yes, log statements are processed in the order they appear in the .conf file. Log statements in files in an included directory appear in alphabetic order by file name.