Scribe scribe - syslog-ng and logrotate installer

When more <ahem> brave souls decide to get out of the kiddie pool and into the deep end where monsters live, I'll use my learning bruises to help others. :D

I have these filters running to their own logs now, if you want one, let me know. Those marked with (cmk) are from cmkelley github that I posted the link above.
Code:
chkwan
crashes (cmk)
ethernet
openvpn
pixelserv
skynet (cmk)
syslogng (cmk)
vpnfailover
wlceventd (cmk)
Thanks to @elorimer for the help and encouragement to get me into the deep end too.
 
When more <ahem> brave souls decide to get out of the kiddie pool and into the deep end where monsters live, I'll use my learning bruises to help others. :D

I have these filters running to their own logs now, if you want one, let me know. Those marked with (cmk) are from cmkelley github that I posted the link above.
Code:
chkwan
crashes (cmk)
ethernet
openvpn
pixelserv
skynet (cmk)
syslogng (cmk)
vpnfailover
wlceventd (cmk)
Thanks to @elorimer for the help and encouragement to get me into the deep end too.
I see you added program("openvpn-routing") to your syslog-ng ... I wonder if there's a program associated with that that needs a HUP when the log rotates? Did you add one to your logrotate openvpn file?
 
I see you added program("openvpn-routing") to your syslog-ng ... I wonder if there's a program associated with that that needs a HUP when the log rotates? Did you add one to your logrotate openvpn file?
@Butterfly Bones, never mind. I just realized most of the logrotate scripts are likely wrong. :-( Since syslog-ng is creating the logs, it's syslog-ng that needs to be HUP'd when the logs rotate. I've fixed them on the Git project. I think the next thing I need to do is add a logging/rotating files updater.
 
You'd think the syntax checker would be better than that. It should find a reference to a non-existent filter or destination. Sounds like a separate script though; build an array of destination(d_dest) statements, and make sure there is a destination d_dest for every one. Same I suppose for filters and sources. Beyond my abilities, but given enough time I could figure it out. :)

Well actually.....

The syslog-ng syntax check performs an adequate job, however for run-time errors, you need to look at the verbose syslog-ng log, and the last line indicates where the problem statement begins (Location=file/row/column) and why the initialisation stalled.

e.g. Using @Butterfly Bones' typo example:
Code:
Error resolving reference; content='destination', name='d_ethernet', location='/opt/etc/syslog-ng.d/Martineau:49:5'

FYI, regarding the deprecated use of 'match()'.
This is what I get:
Code:
WARNING: the match() filter without the use of the value() option is deprecated and hinders performance, please use a more specific filter like message() and/or program() instead; location='/opt/etc/syslog-ng.d/Martineau:17:43'
So I believe 'match()' is still valid (and allows REGEX on both headers and body, whereas 'message()' is restricted to body only) but now requires an additional arg directive?

TL;DR
Code:
[2019-04-07T08:44:03.777188] nanosleep() is not accurate enough to introduce minor stalls on the reader side, multi-threaded performance may be affected;
[2019-04-07T08:44:03.778017] Processing @include statement; filename='/opt/etc/syslog-ng.d/', include-path='/opt/etc:/opt/share/syslog-ng/include'
[2019-04-07T08:44:03.778289] Adding include file; filename='Martineau', depth='1'
[2019-04-07T08:44:03.778381] Adding include file; filename='expandlog', depth='1'
[2019-04-07T08:44:03.778468] Adding include file; filename='syslogng', depth='1'
[2019-04-07T08:44:03.778554] Adding include file; filename='crashes', depth='1'
[2019-04-07T08:44:03.778635] Skipping include file, it cannot begin with .; filename='.keep'
[2019-04-07T08:44:03.778721] Adding include file; filename='skynet', depth='1'
[2019-04-07T08:44:03.778808] Adding include file; filename='Martineau_DB_info', depth='1'
[2019-04-07T08:44:03.778908] Adding include file; filename='wlceventd', depth='1'
[2019-04-07T08:44:03.779002] Adding include file; filename='Martineau_suffix', depth='1'
[2019-04-07T08:44:03.779145] Starting to read include file; filename='/opt/etc/syslog-ng.d/Martineau', depth='1'
[2019-04-07T08:44:03.779240] Reading path for candidate modules; path='/opt/lib/syslog-ng'
[2019-04-07T08:44:03.779336] Reading shared object for a candidate module; path='/opt/lib/syslog-ng', fname='libxml.so', module='xml'
[2019-04-07T08:44:03.779859] Registering candidate plugin; module='xml', context='parser', name='xml'
[2019-04-07T08:44:03.779947] Reading shared object for a candidate module; path='/opt/lib/syslog-ng', fname='libtfgetent.so', module='tfgetent'
[2019-04-07T08:44:03.780268] Registering candidate plugin; module='tfgetent', context='template-func', name='getent'
[2019-04-07T08:44:03.780342] Reading shared object for a candidate module; path='/opt/lib/syslog-ng', fname='liblinux-kmsg-format.so', module='linux-kmsg-format'
[2019-04-07T08:44:03.780737] Registering candidate plugin; module='linux-kmsg-format', context='format', name='linux-kmsg'
[2019-04-07T08:44:03.780835] Reading shared object for a candidate module; path='/opt/lib/syslog-ng', fname='libtags-parser.so', module='tags-parser'
[2019-04-07T08:44:03.781147] Registering candidate plugin; module='tags-parser', context='parser', name='tags-parser'
[2019-04-07T08:44:03.781227] Reading shared object for a candidate module; path='/opt/lib/syslog-ng', fname='libadd-contextual-data.so', module='add-contextual-data'
[2019-04-07T08:44:03.781765] Registering candidate plugin; module='add-contextual-data', context='parser', name='add_contextual_data'
[2019-04-07T08:44:03.781866] Reading shared object for a candidate module; path='/opt/lib/syslog-ng', fname='libpseudofile.so', module='pseudofile'
[2019-04-07T08:44:03.782212] Registering candidate plugin; module='pseudofile', context='destination', name='pseudofile'
[2019-04-07T08:44:03.782310] Reading shared object for a candidate module; path='/opt/lib/syslog-ng', fname='libstardate.so', module='stardate'
[2019-04-07T08:44:03.782737] Registering candidate plugin; module='stardate', context='template-func', name='stardate'
[2019-04-07T08:44:03.782873] Reading shared object for a candidate module; path='/opt/lib/syslog-ng', fname='libafsocket.so', module='afsocket'
[2019-04-07T08:44:03.783614] Registering candidate plugin; module='afsocket', context='source', name='unix-stream'
[2019-04-07T08:44:03.783698] Registering candidate plugin; module='afsocket', context='destination', name='unix-stream'
[2019-04-07T08:44:03.783814] Registering candidate plugin; module='afsocket', context='source', name='unix-dgram'
[2019-04-07T08:44:03.783893] Registering candidate plugin; module='afsocket', context='destination', name='unix-dgram'
[2019-04-07T08:44:03.783972] Registering candidate plugin; module='afsocket', context='source', name='tcp'
[2019-04-07T08:44:03.784052] Registering candidate plugin; module='afsocket', context='destination', name='tcp'
[2019-04-07T08:44:03.784133] Registering candidate plugin; module='afsocket', context='source', name='tcp6'
[2019-04-07T08:44:03.784190] Registering candidate plugin; module='afsocket', context='destination', name='tcp6'
[2019-04-07T08:44:03.784244] Registering candidate plugin; module='afsocket', context='source', name='udp'
[2019-04-07T08:44:03.784296] Registering candidate plugin; module='afsocket', context='destination', name='udp'
[2019-04-07T08:44:03.784348] Registering candidate plugin; module='afsocket', context='source', name='udp6'
[2019-04-07T08:44:03.784401] Registering candidate plugin; module='afsocket', context='destination', name='udp6'
[2019-04-07T08:44:03.784455] Registering candidate plugin; module='afsocket', context='source', name='syslog'
[2019-04-07T08:44:03.784547] Registering candidate plugin; module='afsocket', context='destination', name='syslog'
[2019-04-07T08:44:03.784601] Registering candidate plugin; module='afsocket', context='source', name='network'

<snip>

[2019-04-07T08:44:03.803676] Module loaded and initialized successfully; module='affile'
[2019-04-07T08:44:03.806104] Finishing include; filename='/opt/etc/syslog-ng.d/Martineau', depth='1'
[2019-04-07T08:44:03.806224] Starting to read include file; filename='/opt/etc/syslog-ng.d/Martineau_DB_info', depth='1'
[2019-04-07T08:44:03.806946] Module loaded and initialized successfully; module='add-contextual-data'
[2019-04-07T08:44:03.807236] Finishing include; filename='/opt/etc/syslog-ng.d/Martineau_DB_info', depth='1'
[2019-04-07T08:44:03.807373] Starting to read include file; filename='/opt/etc/syslog-ng.d/Martineau_suffix', depth='1'
[2019-04-07T08:44:03.807830] Finishing include; filename='/opt/etc/syslog-ng.d/Martineau_suffix', depth='1'
[2019-04-07T08:44:03.807924] Starting to read include file; filename='/opt/etc/syslog-ng.d/crashes', depth='1'
[2019-04-07T08:44:03.808561] Finishing include; filename='/opt/etc/syslog-ng.d/crashes', depth='1'
[2019-04-07T08:44:03.808653] Starting to read include file; filename='/opt/etc/syslog-ng.d/expandlog', depth='1'
[2019-04-07T08:44:03.809191] Finishing include; filename='/opt/etc/syslog-ng.d/expandlog', depth='1'
[2019-04-07T08:44:03.809930] Starting to read include file; filename='/opt/etc/syslog-ng.d/skynet', depth='1'
[2019-04-07T08:44:03.810341] Finishing include; filename='/opt/etc/syslog-ng.d/skynet', depth='1'
[2019-04-07T08:44:03.810435] Starting to read include file; filename='/opt/etc/syslog-ng.d/syslogng', depth='1'
[2019-04-07T08:44:03.810782] Finishing include; filename='/opt/etc/syslog-ng.d/syslogng', depth='1'
[2019-04-07T08:44:03.810875] Starting to read include file; filename='/opt/etc/syslog-ng.d/wlceventd', depth='1'
[2019-04-07T08:44:03.811228] Finishing include; filename='/opt/etc/syslog-ng.d/wlceventd', depth='1'
[2019-04-07T08:44:03.812370] Module loaded and initialized successfully; module='afsocket'
[2019-04-07T08:44:03.813303] Error resolving reference; content='destination', name='d_ethernet', location='/opt/etc/syslog-ng.d/Martineau:49:5'
 
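The cross-reference check suggested in the quoted post (every source, destination and filter named in a log path must be defined somewhere), written in Python as an added example; it is not part of the thread, scribe or syslog-ng. The regexes only approximate syslog-ng syntax, and the sample configuration, including the `d_ethernt` typo and the `src`/`kernel` source definitions, is constructed.

```python
import re
from pathlib import Path

# Statement-level definition, e.g. "destination d_ethernet {".
DEF_RE = re.compile(r"^\s*(source|destination|filter)\s+([\w.-]+)\s*\{", re.M)
# Reference by name, e.g. "destination(d_ethernet);" inside a log path.
REF_RE = re.compile(r"\b(source|destination|filter)\s*\(\s*([\w.-]+)\s*\)")


def strip_comments(text):
    """Blank out '#' comments (not '#' inside double quotes); line count is kept."""
    cleaned = []
    for line in text.splitlines():
        in_string = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_string = not in_string
            elif ch == "#" and not in_string:
                line = line[:i]
                break
        cleaned.append(line)
    return "\n".join(cleaned)


def load(main_conf, include_dir):
    """Read the main config and the include directory, skipping names that
    start with '.' (syslog-ng skips those too, as the '.keep' log line shows)."""
    files = {Path(main_conf).name: Path(main_conf).read_text()}
    for path in sorted(Path(include_dir).iterdir()):
        if path.is_file() and not path.name.startswith("."):
            files[path.name] = path.read_text()
    return files


def unresolved(files):
    """files maps name -> config text. Returns (file, line, column, kind, name)
    for every reference that has no definition of that kind in any file."""
    defined = {"source": set(), "destination": set(), "filter": set()}
    references = []
    for name in sorted(files):
        text = strip_comments(files[name])
        for m in DEF_RE.finditer(text):
            defined[m.group(1)].add(m.group(2))
        for m in REF_RE.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            column = m.start() - text.rfind("\n", 0, m.start())
            references.append((name, line, column, m.group(1), m.group(2)))
    return [ref for ref in references if ref[4] not in defined[ref[3]]]


# Constructed sample: the definition is misspelled, the log path is not.
SAMPLE = {
    "syslog-ng.conf": (
        'source src { unix-dgram("/dev/log"); internal(); };\n'
        'source kernel { file("/proc/kmsg" program_override("kernel")); };\n'
    ),
    "ethernet": """\
# log ethernet change to /opt/var/log/ethernet.log only
destination d_ethernt {
    file("/opt/var/log/ethernet.log");
};
filter f_ethernet {
    message("eth1") or
    message("br0:");
};
log {
    source(src);
    source(kernel);
    filter(f_ethernet);
    destination(d_ethernet);
    flags(final);
};
""",
}

if __name__ == "__main__":
    for fname, line, column, kind, name in unresolved(SAMPLE):
        print(f"unresolved {kind} '{name}' at {fname}:{line}:{column}")
```

Running it before restarting syslog-ng catches the dangling name without waiting for initialisation to stall; `load()` takes the main configuration file and the `/opt/etc/syslog-ng.d` directory.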
When more <ahem> brave souls decide to get out of the kiddie pool and into the deep end where monsters live, I'll use my learning bruises to help others. :D

I have these filters running to their own logs now, if you want one, let me know. Those marked with (cmk) are from cmkelley github that I posted the link above.
Code:
chkwan
crashes (cmk)
ethernet
openvpn
pixelserv
skynet (cmk)
syslogng (cmk)
vpnfailover
wlceventd (cmk)
Thanks to @elorimer for the help and encouragement to get me into the deep end too.
I will have them all, please :D
@cmkelley logging is running as it should after 4 reboots, thanks for the updates.
 
@Martineau: I looked at the syslog-ng 3.19 manual and I think you are right about match(). I think they are using "deprecated" in the checker when they mean "discouraged". The manual seems to see it as perfectly valid.

@cmkelley: Curious about a few things. In /syslog-ng.d you put an empty ".keep" file. As @Martineau's log shows, that is invalid and skipped. What are you intending this for?

Also, in /logrotate.d you have A00global, which I assume you mean to be read first in alphabetical order. But a00 and 0a0 would be read before that.

It didn't look like the openvpn example on github had changed yet.
 
Before I post the filter files, I have one more niggle to clean up after it ran overnight. Some of the WLCEVENTD events are being grabbed by the "ethernet" filter before the "wlceventd" filter, so they are missed.

Here is the filter -
Code:
# log ethernet change to /opt/var/log/ethernet.log only
destination d_ethernet {
    file("/opt/var/log/ethernet.log");
};
filter f_ethernet {
    message("eth1") or
    message("eth2") or
    message("eth3") or
    message("eth4") or
    message("eth5") or
    message("eth6") or
    message("eth7") or
    message("eth8") or
    message("br0:");
};
log {
    source(src);
    source(kernel);
    filter(f_ethernet);
    destination(d_ethernet);
    flags(final);
};
#eof

Here are the results I see using "tail -F /opt/var/log/ethernet.log":
Code:
Apr  6 21:11:00 RT-AC86U-4608 Diversion: created br0:pixelserv-tls 192.168.1.2, from /opt/etc/init.d/S80pixelserv-tls
Apr  7 00:48:06 RT-AC86U-4608 WLCEVENTD: eth5: Assoc 74:C2:46:81:2C:76
Apr  7 00:50:14 RT-AC86U-4608 WLCEVENTD: eth5: Disassoc 74:C2:46:81:2C:76
Apr  7 02:31:39 RT-AC86U-4608 WLCEVENTD: eth6: Disassoc E4:F0:42:38:84:D4
Apr  7 02:32:00 RT-AC86U-4608 WLCEVENTD: eth6: Assoc E4:F0:42:38:84:D4
Apr  7 02:37:35 RT-AC86U-4608 kernel: eth2 (Ext switch port: 1) (Logical Port: 9) Link DOWN.
Apr  7 02:37:35 RT-AC86U-4608 kernel: br0: port 2(eth2) entered disabled state
Apr  7 02:37:50 RT-AC86U-4608 kernel: eth2 (Ext switch port: 1) (Logical Port: 9) Link UP 100 mbps full duplex
Apr  7 02:37:50 RT-AC86U-4608 kernel: br0: port 2(eth2) entered listening state
Apr  7 02:37:50 RT-AC86U-4608 kernel: br0: port 2(eth2) entered listening state
Apr  7 02:37:52 RT-AC86U-4608 kernel: br0: port 2(eth2) entered learning state
Apr  7 02:37:53 RT-AC86U-4608 kernel: eth2 (Ext switch port: 1) (Logical Port: 9) Link DOWN.
Apr  7 02:37:53 RT-AC86U-4608 kernel: br0: port 2(eth2) entered disabled state
Apr  7 02:37:55 RT-AC86U-4608 kernel: eth2 (Ext switch port: 1) (Logical Port: 9) Link UP 100 mbps full duplex
Apr  7 02:37:55 RT-AC86U-4608 kernel: br0: port 2(eth2) entered listening state
Apr  7 02:37:55 RT-AC86U-4608 kernel: br0: port 2(eth2) entered listening state
Apr  7 02:37:57 RT-AC86U-4608 kernel: br0: port 2(eth2) entered learning state
Apr  7 02:37:59 RT-AC86U-4608 kernel: br0: topology change detected, propagating
Apr  7 02:37:59 RT-AC86U-4608 kernel: br0: port 2(eth2) entered forwarding state
Apr  7 02:43:52 RT-AC86U-4608 WLCEVENTD: eth6: Disassoc E4:F0:42:5D:0A:11
Apr  7 02:44:12 RT-AC86U-4608 WLCEVENTD: eth6: Assoc E4:F0:42:5D:0A:11
Apr  7 03:08:55 RT-AC86U-4608 WLCEVENTD: eth6: Disassoc 20:DF:B9:9D:C4:AF
Apr  7 03:09:15 RT-AC86U-4608 WLCEVENTD: eth6: Assoc 20:DF:B9:9D:C4:AF
I need to filter more explicitly for the "eth1-8" or the "br0:" so as not to catch those in the logged lines of the WLCEVENTD lines and this will keep the "Diversion created br0: pixelserv-tls" line out as well.

Can I use the longer term in the message(_____) in this section since the WLCEVENTD does not include the "kernel: " part?
Code:
kernel: eth2 
kernel: br0:
instead of just the short "eth1-8" / "br0:" in place of these lines in the
Code:
filter f_ethernet {
    message("kernel: eth1") or
    message("kernel: eth2") or
    message("kernel: eth3") or
    message("kernel: eth4") or
    message("kernel: eth5") or
    message("kernel: eth6") or
    message("kernel: eth7") or
    message("kernel: eth8") or
    message("kernel: br0:");
};

Because my ethernet filter with the misspelling was crashing syslog-ng, I don't want to experiment *until* some eyeballs with more scripting experience and understanding see this.

Thank you!
 
You can do two things here.

The first, assuming your ethernet triplet is in a separate file, name that file zethernet. syslog-ng reads those files in alphabetic order, so it will come after your wlcevent triplet. The way @cmkelley has organized this, with the flags(final), the message will be processed by wlcevent and won't reach your ethernet triplet. I think that would work, but how ugly is that?

The other way is to recognize the difference in the program and add that to the ethernet filter: program("kernel") and the rest. I'm getting a little lost on how the ands and the ors will work though. What isn't sifted into d_ethernet will go on to your wlceventd filter.

Thinking about it, I think you might add two filters here:

filter f_kernel { program("kernel"); };
filter f_ethernet { whatyouhavenow };

log { source; filter(f_kernel); filter(f_ethernet); destination; };

Using two filters joins them with an AND.
 
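Why the WLCEVENTD lines landed in ethernet.log, and what each fix discussed above changes, as an added example that is not part of the thread: a small Python model of log-path evaluation, not syslog-ng itself. It assumes files are read in name order, filters in one log path are ANDed, flags(final) stops later paths, message() sees only the text after the program name, and unmatched lines fall through to a catch-all called `messages`; the log lines are constructed after the thread's output.

```python
import re
from collections import namedtuple

# One "triplet" file in /opt/etc/syslog-ng.d; its filters are ANDed together.
LogPath = namedtuple("LogPath", "file filters dest final")
# "<date> <host> <program>[pid]: <message>" as written by the file destination.
LINE_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+([^:\s\[]+)(?:\[\d+\])?:\s(.*)$")


def program(pattern):
    """Model of program(): regex search on the program name only."""
    return lambda prog, msg: re.search(pattern, prog) is not None


def message(pattern):
    """Model of message(): regex search on the message body only."""
    return lambda prog, msg: re.search(pattern, msg) is not None


def any_of(*tests):
    return lambda prog, msg: any(t(prog, msg) for t in tests)


def all_of(*tests):
    return lambda prog, msg: all(t(prog, msg) for t in tests)


def route(paths, lines, fallback="messages"):
    """Send each line through the log paths in file-name order."""
    routed = {}
    for line in lines:
        prog, msg = LINE_RE.match(line).groups()
        hit = False
        for path in sorted(paths, key=lambda p: p.file):
            if all(f(prog, msg) for f in path.filters):
                routed.setdefault(path.dest, []).append(prog)
                hit = True
                if path.final:  # flags(final): later log paths never see it
                    break
        if not hit:  # assumed catch-all log path in the main config
            routed.setdefault(fallback, []).append(prog)
    return routed


F_ETHERNET = any_of(*[message(f"eth{n}") for n in range(1, 9)], message("br0:"))
F_KERNEL = program("kernel")
F_WLCEVENTD = all_of(program("WLCEVENTD"), message("ssoc"))
WLCEVENTD = LogPath("wlceventd", [F_WLCEVENTD], "wlceventd.log", True)

CONFIGS = {
    # As first posted: "ethernet" sorts before "wlceventd" and is final.
    "original": [LogPath("ethernet", [F_ETHERNET], "ethernet.log", True), WLCEVENTD],
    # First fix: rename the file so it is read after wlceventd.
    "renamed": [LogPath("z_ethernet", [F_ETHERNET], "ethernet.log", True), WLCEVENTD],
    # The idea asked about: put "kernel: " inside message().
    "kernel_in_message": [
        LogPath("ethernet", [message("kernel: eth2")], "ethernet.log", True), WLCEVENTD],
    # Second fix: a separate program("kernel") filter, ANDed with f_ethernet.
    "and_program_kernel": [
        LogPath("ethernet", [F_ETHERNET, F_KERNEL], "ethernet.log", True), WLCEVENTD],
}

# Constructed log lines modelled on the tail output in the thread.
SAMPLE = [
    "Apr  6 21:11:00 router Diversion: created br0:pixelserv-tls 192.168.1.2, from /opt/etc/init.d/S80pixelserv-tls",
    "Apr  7 00:48:06 router WLCEVENTD: eth5: Assoc 02:00:00:00:00:01",
    "Apr  7 00:50:14 router WLCEVENTD: eth5: Disassoc 02:00:00:00:00:01",
    "Apr  7 02:37:35 router kernel: eth2 (Ext switch port: 1) (Logical Port: 9) Link DOWN.",
    "Apr  7 02:37:35 router kernel: br0: port 2(eth2) entered disabled state",
]


def compare(lines=SAMPLE):
    """Destination -> program names received, for each configuration."""
    return {name: route(paths, lines) for name, paths in CONFIGS.items()}


if __name__ == "__main__":
    for name, routed in compare().items():
        print(name)
        for dest, progs in sorted(routed.items()):
            print(f"  {dest}: {progs}")
```

In this model the rename moves the WLCEVENTD lines but still sends the Diversion `br0:` line to ethernet.log, while the program("kernel") filter excludes both.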
I stand at the pool's edge looking in. Getting ready to stick my toe in....lol ;):)
 
You can do two things here.

The first, assuming your ethernet triplet is in a separate file, name that file zethernet. syslog-ng reads those files in alphabetic order, so it will come after your wlcevent triplet. The way @cmkelley has organized this, with the flags(final), the message will be processed by wlcevent and won't reach your ethernet triplet. I think that would work, but how ugly is that?

The other way is to recognize the difference in the program and add that to the ethernet filter: program(kernel) and the rest. I'm getting a little lost on how the ands and the ors will work though. What isn't sifted into d_ethernet will go on to your wlceventd filter.
I am not worried about ugly. There are plenty of things in my household that have ugly kludges, but they work, and for the most part are hidden.

I just made the change, really easy to just rename it with FileZilla and restart scribe. Checking scribe status both syslog-ng and logrotate are alive, so far so good.

So easy, I usually struggle starting with the hardest way possible and then work my way to easy. Been that way my entire life. (sigh) :D :rolleyes:

EDIT - That works! Thank you.

I turned wifi off and back on on iOS and Android devices, then soft power cycled my smart TV, and all the events end up in the correct logs with nothing that should not be there. Such a simple, great solution!
 
@Martineau: I looked at the syslog-ng 3.19 manual and I think you are right about match(). I think they are using "deprecated" in the checker when they mean "discouraged". The manual seems to see it as perfectly valid.
The way I read it, you should only use match() with a value() macro, although the documentation leaves much to be desired on this point. I took "deprecated" to mean sometime in the future, using match() without value() will throw an error. As I've said before, I hope people that actually pay for the commercial version of syslog-ng get better documentation than that. Or maybe their business model is selling integration support so the manual is intentionally crap. :D
@cmkelley: Curious about a few things. In /syslog-ng.d you put an empty ".keep" file. As @Martineau's log shows, that is invalid and skipped. What are you intending this for?
As my mom used to say, "'twern't me McGee". They're not in the zipfile. I see them, and I get them when I install on my test router, but I have no clue what's creating them. I'm pretty sure they're Git-related. But I'm lost on the mechanism that's creating them. Now I think they're opkg related, I think from installing and uninstalling syslog-ng. But I'm not completely sure.
Also, in /logrotate.d you have A00global, which I assume you mean to be read first in alphabetical order. But a00 and 0a0 would be read before that.
Capitals are read before lowercase, so A00 would be read before a00. Numbers before that though, so anything starting with a number would be read before that, but I'm going to follow the init.d convention here.
It didn't look like the openvpn example on github had changed yet.
Geh. That's what late night programming does. Checked them in, forgot to push them to GitHub. They are there now.
 
You can do two things here.

The first, assuming your ethernet triplet is in a separate file, name that file zethernet. syslog-ng reads those files in alphabetic order, so it will come after your wlcevent triplet. The way @cmkelley has organized this, with the flags(final), the message will be processed by wlcevent and won't reach your ethernet triplet. I think that would work, but how ugly is that?

The other way is to recognize the difference in the program and add that to the ethernet filter: program("kernel") and the rest. I'm getting a little lost on how the ands and the ors will work though. What isn't sifted into d_ethernet will go on to your wlceventd filter.

Thinking about it, I think you might add two filters here:

filter f_kernel { program("kernel"); };
filter f_ethernet { whatyouhavenow };

log { source; filter(f_kernel); filter(f_ethernet); destination; };

Using two filters joins them with an AND.
Use the "expandlog" filter in /opt/share/syslog-ng/examples to blow up your logs (warning, this gets huge fast). Grep to find them both and see if you can figure out a way to discriminate between them.
I need more coffee. Yes, filters are ANDed, sources are ORed. This is a more elegant solution than renaming, but hey, renaming worked for @Butterfly Bones.
 
Use the "expandlog" filter in /opt/share/syslog-ng/examples to blow up your logs (warning, this gets huge fast). Grep to find them both and see if you can figure out a way to discriminate between them.
I need more coffee. Yes, filters are ANDed, sources are ORed. This is a more elegant solution than renaming, but hey, renaming worked for @Butterfly Bones.
Yes, I renamed ethernet filter to z_ethernet to place it below wlceventd filter in scan order. I am fine with that method for now. I add letters or numbers with underscores all the time to duplicate temporary files I am working to refine. If someone posts a proper fix, I'll change the names to keep things clean for future understanding.

And I still have x_ and y_ to change order if I add more filters near the end of the alphabet. o_O
 
Here are the filters I am using. Since I am a geek (my friends say "technoweenie"), I have more than I need and have a terminal with too many tabs watching all of them for now. Later they will just run and only 2 - 3 are worth watching.

Copy them from between the dash lines (do not include the dashes) and paste each into a separate filter based on the name in the first commented line, i.e. # put ChkWAN messages into /opt/var/log/chkwan.log goes into the chkwan filter file (no file extension). You will find some of these in the entware/share/syslog-ng directory after install, and also on cmkelley github.

If some of the names aren't familiar, look at my new revised signature and search those script names on SNB. Have fun! :D

EDIT - corrected ethernet file to work correctly, no need to add z_ at front of file name

Code:
---------------------------------------------------
# put ChkWAN messages into /opt/var/log/chkwan.log
destination d_chkwan {
    file("/opt/var/log/chkwan.log");
};
filter f_chkwan {
    program("ChkWAN.sh") and
    message("transfer took:");
};
log {
    source(src);
    filter(f_chkwan);
    destination(d_chkwan);
    flags(final);
};
#eof
-------------------------------------------------------
# put VPN_Failover VPN Client Monitor: messages into /opt/var/log/vpnfailover.log
destination d_vpnfailover {
    file("/opt/var/log/vpnfailover.log");
};
filter f_vpn_failover {
    program("VPN_Failover.sh") and
    message("Client Monitor:");
};
log {
    source(src);
    filter(f_vpn_failover);
    destination(d_vpnfailover);
    flags(final);
};
#eof
---------------------------------------------------
# log ethernet change to /opt/var/log/ethernet.log only
destination d_ethernet {
    file("/opt/var/log/ethernet.log");
};
filter f_ethernet {
    message("eth1") or
    message("eth2") or
    message("eth3") or
    message("eth4") or
    message("eth5") or
    message("eth6") or
    message("eth7") or
    message("eth8") or
    message("br0:");
};
filter f_kernel  { program("kernel") ; };
log {
    source(src);
    filter(f_ethernet);
    filter(f_kernel);
    destination(d_ethernet);
    flags(final);
};
#eof

---------------------------------------------------
--   (the following are from cmkelley github)    --
---------------------------------------------------
# log dcd crash dump to /opt/var/log/crash.log only
destination d_crash {
    file("/opt/var/log/crash.log");
};
filter f_crash {
    message("dcd") or
    message("v8A") or
    message("pgd = ") or
    message("\\[00000000\\]") or
    message("task: ") or
    message("PC is at") or
    message("LR is at") or
    message("pc :") or
    message("sp :") or
    message("x12:") or
    message("x11:") or
    message("x9 :") or
    message("x7 :") or
    message("x5 :") or
    message("x3 :") or
    message("x1 :");
};
log {
    source(src);
    filter(f_crash);
    destination(d_crash);
    flags(final);
};
#eof
------------------------------------------------------
# log all openvpn server and client logs into one file - /opt/var/log/openvpn.log and stop processing openvpn logs
destination d_openvpn {
    file("/opt/var/log/openvpn.log");
};
filter f_openvpn {
    program("ovpn-server1") or
    program("ovpn-server2") or
    program("ovpn-client1") or
    program("ovpn-client2") or
    program("ovpn-client3") or
    program("ovpn-client4") or
    program("ovpn-client5") or
    program("openvpn-routing");
};
log {
    source(src);
    filter(f_openvpn);
    destination(d_openvpn);
    flags(final);
};
#eof
-----------------------------------------------------
# log all pixelserv-tls logs to /opt/var/log/pixelserv.log and stop processing pixelserv-tls logs
destination d_pixelserv {
    file("/opt/var/log/pixelserv.log");
};
filter f_pixelserv {
    program("pixelserv-tls");
};
log {
    source(src);
    filter(f_pixelserv);
    destination(d_pixelserv);
    flags(final);
};
#eof
-----------------------------------------------------
# this MUST BE the file configured in Skynet as the syslog.log location
# DO NOT use /tmp/syslog.log or /opt/var/log/messages here!
destination d_skynet {
   file("/opt/var/log/skynet-0.log");
};
# logs everything from Skynet to /opt/var/log/skynet-0.log
filter f_skynet {
   program("Skynet") or
   message("BLOCKED -") or
   message("DROP IN=");
};
# final flag stops processing of messages matching the f_skynet filter
log {
   source(src);
   filter(f_skynet);
   destination(d_skynet);
   flags(final);
};
#eof
-----------------------------------------------------
# put syslog-ng's logging stats into /opt/var/log/syslog-ng.log
destination d_syslogng {
    file("/opt/var/log/syslog-ng.log");
};
filter f_syslogng {
    program("syslog-ng") and
    message("Log statistics;");
};
log {
    source(src);
    filter(f_syslogng);
    destination(d_syslogng);
    flags(final);
};
#eof
-------------------------------------------------------
# put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log
destination d_wlceventd {
    file("/opt/var/log/wlceventd.log");
};
filter f_wlceventd {
    program("WLCEVENTD") and
    message("ssoc");
};
log {
    source(src);
    filter(f_wlceventd);
    destination(d_wlceventd);
    flags(final);
};
#eof
-------------------------------------------------------

EDIT - corrected ethernet file to work correctly, no need to add z_ at front of file name
 
If someone posts a proper fix, I'll change the names to keep things clean for future understanding.
So yes. In your ethernet log, add
Code:
filter f_kernel  { program("kernel") ; };
after your existing filter definition. Then change the filter line in your log messages to:
Code:
  filter(f_ethernet); filter(f_kernel);
 
.keep: Googled it and I follow now. Need it to install an empty directory.
 
Here are the filters I am using. Since I am a geek (my friends say "technoweenie"), I have more than I need and have a terminal with too many tabs watching all of them for now. Later they will just run and only 2 - 3 are worth watching.

Copy them from between the dash lines (do not include the dashes) and paste each into a separate filter based on the name in the first commented line, i.e. # put ChkWAN messages into /opt/var/log/chkwan.log goes into the chkwan filter file (no file extension). You will find some of these in the entware/share/syslog-ng directory after install, and also on cmkelley github.

If some of the names aren't familiar, look at my new revised signature and search those script names on SNB. Have fun! :D

Code:
-------------------------------------------------------
# log all openvpn server and client logs into one file - /opt/var/log/openvpn.log and stop processing openvpn logs
destination d_openvpn {
    file("/opt/var/log/openvpn.log");
};
filter f_openvpn {
    program("ovpn-server1") or
    program("ovpn-server2") or
    program("ovpn-client1") or
    program("ovpn-client2") or
    program("ovpn-client3") or
    program("ovpn-client4") or
    program("ovpn-client5") or
    program("openvpn-routing");
};
log {
    source(src);
    source(kernel);
    filter(f_openvpn);
    destination(d_openvpn);
    flags(final);
};
#eof
---------------------------------------------------
--   (the following are from cmkelley github)    --
---------------------------------------------------
# log all openvpn server and client logs into one file - /opt/var/log/openvpn.log and stop processing openvpn logs
destination d_openvpn {
    file("/opt/var/log/openvpn.log");
};
filter f_openvpn {
    program("ovpn-server1") or
    program("ovpn-server2") or
    program("ovpn-client1") or
    program("ovpn-client2") or
    program("ovpn-client3") or
    program("ovpn-client4") or
    program("ovpn-client5") or
    program("openvpn-routing");
};
log {
    source(src);
    source(kernel);
    filter(f_openvpn);
    destination(d_openvpn);
    flags(final);
};
#eof
-----------------------------------------------------
You have 2 instances of vpn logging there, yours and mine, which are identical (now). :)
 
So yes. In your ethernet log, add
Code:
filter f_kernel  { program("kernel") ; };
after your existing filter definition. Then change the filter line in your log messages to:
Code:
  filter(f_ethernet); filter(f_kernel);
Like this?
Code:
# log ethernet change to /opt/var/log/ethernet.log only

destination d_ethernet { 
    file("/opt/var/log/ethernet.log");
};
filter f_ethernet {
    message("eth1") or
    message("eth2") or
    message("eth3") or
    message("eth4") or
    message("eth5") or
    message("eth6") or
    message("eth7") or
    message("eth8") or
    message("br0:");
filter f_kernel  { program("kernel") ; };
};
log {
    source(src);
    source(kernel);
    filter(f_ethernet); filter(f_kernel);
    destination(d_ethernet);
    flags(final);
};
#eof
 
Like this?
err, not quite, you missed a "};" (extra LFs added for clarity)
Code:
# log ethernet change to /opt/var/log/ethernet.log only

destination d_ethernet {
    file("/opt/var/log/ethernet.log");
};

filter f_ethernet {
    message("eth1") or
    message("eth2") or
    message("eth3") or
    message("eth4") or
    message("eth5") or
    message("eth6") or
    message("eth7") or
    message("eth8") or
    message("br0:");
};

filter f_kernel  { program("kernel") ;
};

log {
    source(src);
    source(kernel);
    filter(f_ethernet);
    filter(f_kernel);
    destination(d_ethernet);
    flags(final);
};
#eof
Putting the filter statements on separate lines is entirely stylistic. :)

EDIT: Changed the above to correct the other error that I missed. One out of two ain't bad I suppose ...
 