Menu
What's new
By:
Filters Better Search

Scribe scribe - syslog-ng and logrotate installer

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

I tried doing this, but zip, zero, zich, nada.
note - this "<<== added for hourly" is only for clarification here, it is not in script

Code: 
# this MUST BE the file configured in Skynet as the syslog.log location
# DO NOT use /tmp/syslog.log or /opt/var/log/messages here!
destination d_skynet { 
    file("/opt/var/log/skynet-0.log");
};
# logs everything from Skynet to /opt/var/log/skynet-0.log
filter f_skynet {
    program("Skynet") or
    message("BLOCKED -") or
    message("DROP IN=") or
    message("[Skynet:") or    <<== added for hourly
    message("[#]"):                <<== added for hourly
;
};
# final flag stops processing of messages matching the f_skynet filter
log {
    source(src);
    source(kernel);
    filter(f_skynet);
    destination(d_skynet);
    flags(final);
};
#eof
 
skeal said:
Is this brace required? message("[#]"): or should it be message("[#"):
Click to expand...
You are asking the worst script deficient person on the planet? :rolleyes: :D

Maybe, maybe not. I think there need to be two filters and two output logs to separate the lines so that the hourly lines are not missed in, but are in another log, like "/opt/var/log/skynet-h.log".

The trick is to just process each one without stopping, so one needs to not have the final flag to the other one works. Bumbling along trying to figure out how to do that so it actually works.... :confused: o_O
 
Butterfly Bones said:
You are asking the worst script deficient person on the planet? :rolleyes: :D

Maybe, maybe not. I think there need to be two filters and two output logs to separate the lines so that the hourly lines are not missed in, but are in another log, like "/opt/var/log/skynet-h.log".

The trick is to just process each one without stopping, so one needs to not have the final flag to the other one works. Bumbling along trying to figure out how to do that so it actually works.... :confused: o_O
Click to expand...
I'm trying this but don't know how much longer I can stay awake:
Code: 
# logs everything from Skynet to /opt/var/log/skynet-0.log
filter f_skynet {
    program("Skynet") or
    message("BLOCKED -") or
    message("DROP IN=") or
    message("[#]");
};
 
skeal said:
I'm trying this but don't know how much longer I can stay awake:
Code: 
# logs everything from Skynet to /opt/var/log/skynet-0.log
filter f_skynet {
    program("Skynet") or
    message("BLOCKED -") or
    message("DROP IN=") or
    message("[#]");
};
Click to expand...
That works, I tired it, but it dumps everything into one log. I guess that works if you want to run a grep for the (#] to see the hourly reports. I think having a separate hourly log would be better from a useability standpoint. The hour hits in 8 minutes, see how it works. :)
 
Butterfly Bones said:
That works, I tired it, but it dumps everything into one log. I guess that works if you want to run a grep for the (#] to see the hourly reports. I think having a separate hourly log would be better from a useability standpoint. The hour hits in 8 minutes, see how it works. :)
Click to expand...
Top of the hour. It worked like the log does. The drops were scrubbed and the hourly popped up....this is good and out of the way. Using the grep [#] works nice when the log is congested. ;):)
 
Butterfly Bones said:
That much simpler filter works very well, but does not change what loggly displays.
Click to expand...
The filter is picking out which message to work on. The loggly template is taking the message apart and putting it back together in a the format loggly wants. If you want to change the name of the program, you have to rewrite the message first using a rewrite command. So,
Code: 
rewrite r_CkWAN{
   set("CkWAN", value("PROGRAM"));
};
# put ChkWAN messages into /opt/var/log/chkwan.log
destination d_chkwan {
   file("/opt/var/log/chkwan.log");
};
filter f_chkwan {
   program("ChkWAN") and
   message("transfer took:");
};
log {
   source(src);
   source(kernel);
   filter(f_chkwan);
   rewrite(r_CkWAN);
   destination(d_chkwan);
   flags(final);
};
That should should take every message that meets the filter, rewrite it to change the program to CkWAN, and send it to the log file. The order is important though: you don't want to take every message, rewrite it to change the name, and then take every message that meets the filter and send it to the log, because every message will meet the filter!
 
Last edited:
@cmkelley - your readme file on Github ... quote "There is a non-zero chance this software will not fucntion as intended" o_O

Freudian slip ??? ;)
 
elorimer said:
The filter is picking out which message to work on. The loggly template is taking the message apart and putting it back together in a the format loggly wants. If you want to change the name of the program, you have to rewrite the message first using a rewrite command. So,
Code: 
rewrite r_CkWAN{
   set("CkWAN", value("PROGRAM"));
};
# put ChkWAN messages into /opt/var/log/chkwan.log
destination d_chkwan {
   file("/opt/var/log/chkwan.log");
};
filter f_chkwan {
   program("ChkWAN") and
   message("transfer took:");
};
log {
   source(src);
   source(kernel);
   filter(f_chkwan);
   rewrite(r_ChkWAN);
   destination(d_chkwan);
   flags(final);
};
That should should take every message that meets the filter, rewrite it to change the program to CkWAN, and send it to the log file. The order is important though: you don't want to take every message, rewrite it to change the name, and then take every message that meets the filter and send it to the log, because every message will meet the filter!
Click to expand...
Thank you, I will try that later, as I learn about scripting (very slowly) I think I understand why this should work and the first method I tried did not. If it does I can also use this as a template to rewrite my VPN_failover.sh filter to do the same thing for Loggly.

Many thanks for the continued tutorials on all things scripts. :)
 
On another topic, I am running this with a single src statement using system(). I've deleted out all references to the kernel source. It seems to be getting all the same messages, except now kernel messages have a PID attached. All behavior seems to be the same.
 
elorimer said:
On another topic, I am running this with a single src statement using system(). I've deleted out all references to the kernel source. It seems to be getting all the same messages, except now kernel messages have a PID attached. All behavior seems to be the same.
Click to expand...
They're coming from klogd now ? ....
 
Ok, I have been trying to filter and keep the Skynet hourly reports into a separate log. At this point I am so close, a major accomplishment for me.

Question is can I use two filters to read one log and then have the results written to two different logs? This is crude and I have no doubt that someone who understands scripts could write this is one file and not two. Hey, baby steps into my seventh decade! :)

Here is the existing skynet filter that cmkelley includes in share/examples.
Code: 
# this MUST BE the file configured in Skynet as the syslog.log location
# DO NOT use /tmp/syslog.log or /opt/var/log/messages here!
destination d_skynet {
    file("/opt/var/log/skynet-0.log");
};
# logs everything from Skynet to /opt/var/log/skynet-0.log
filter f_skynet {
    program("Skynet") or
    message("BLOCKED -") or
    message("[#]");
};
# final flag stops processing of messages matching the f_skynet filter
log {
    source(src);
    source(kernel);
    filter(f_skynet);
    destination(d_skynet);
    flags(final);
};
#eof
Here is the one I want to use as the second to save hourly reports and write them to skynet_h.log. I have highlighted with arrows the two areas I am not sure which will write the new skynet_h.log.
Code: 
destination d_skynet-h {
    file("/opt/var/log/skynet-0.log"); <<== this I know writes to the existing log (not what I want)
    file("/opt/var/log/skynet_h.log"); <<== or this (NOT both! I know)
};
# logs everything from Skynet to /opt/var/log/skynet-h.log
filter f_skynet-h {
    program("Skynet") or
    message("[#]");
};
# final flag stops processing of messages matching the f_skynet filter
log {
    source(src);
    source(kernel);
    filter(f_skynet-h);
    destination(d_skynet-h.log); <<== will work and do it?
    flags(final);
};
#eof
I tested it and it almost works using the "file ("/opt/var/log/skynet-0.log");" , but I did not get the skynet_h.log I want, picked up old ones (some skipped, and some junk like startup and shutdown that is not wanted) not sure why but this is what I hope to save constant hourly reports.
Code: 
Apr 11 04:58:40 RT-AC86U-4608 kernel: [BLOCKED - INVALID] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=195.231.8.114 DST=71.93.53.239 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=54321 PROTO=TCP SPT=41246 DPT=81 SEQ=1661009245 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
tail: /opt/var/log/skynet-0.log has been replaced; following end of new file
Apr 10 18:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 196 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 10 19:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 286 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 10 20:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 390 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 10 21:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 505 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 11 02:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 1048 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 11 03:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 1173 Inbound -- 0 Outbound Connections Blocked! [save] [2s]
Apr 11 05:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 1381 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 11 05:01:03 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=207.244.86.222 DST=71.93.53.239 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=45265 PROTO=TCP SPT=55216 DPT=1933 SEQ=2240316083 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr 11 05:01:03 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=185.176.27.98 DST=71.93.53.239 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=26379 PROTO=TCP SPT=43296 DPT=34498 SEQ=2723861542 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000 [/code/
 
tomsk said:
They're coming from klogd now ? ....
Click to expand...
No, but still not clear to me from the admin guide:
Code: 
Linux
unix-dgram("/dev/log");
file("/proc/kmsg" program-override("kernel") flags(kernel));

Note that on Linux, the so-rcvbuf() option of the system() source is automatically set to 8192.

If the host is running under systemd, syslog-ng OSE reads directly from the systemd journal file using the systemd-journal() source.

If the kernel of the host is version 3.5 or newer, and /dev/kmsg is seekable, syslog-ng OSE will use that instead of /proc/kmsg, using the multi-line-mode(indented), keep-timestamp(no), and the format(linux-kmsg) options.

If syslog-ng OSE is running in a jail or a Linux Container (LXC), it will not read from the /dev/kmsg or /proc/kmsg files.
 
elorimer said:
No, but still not clear to me from the admin guide:
Code: 
Linux
unix-dgram("/dev/log");
file("/proc/kmsg" program-override("kernel") flags(kernel));

Note that on Linux, the so-rcvbuf() option of the system() source is automatically set to 8192.

If the host is running under systemd, syslog-ng OSE reads directly from the systemd journal file using the systemd-journal() source.

If the kernel of the host is version 3.5 or newer, and /dev/kmsg is seekable, syslog-ng OSE will use that instead of /proc/kmsg, using the multi-line-mode(indented), keep-timestamp(no), and the format(linux-kmsg) options.

If syslog-ng OSE is running in a jail or a Linux Container (LXC), it will not read from the /dev/kmsg or /proc/kmsg files.
Click to expand...
Thats interesting ... what process has that PID? ... should be able to see the PID in htop
 
Butterfly Bones said:
Ok, I have been trying to filter and keep the Skynet hourly reports into a separate log. At this point I am so close, a major accomplishment for me.

Question is can I use two filters to read one log and then have the results written to two different logs? This is crude and I have no doubt that someone who understands scripts could write this is one file and not two. Hey, baby steps into my seventh decade! :)

Here is the existing skynet filter that cmkelley includes in share/examples.
Code: 
# this MUST BE the file configured in Skynet as the syslog.log location
# DO NOT use /tmp/syslog.log or /opt/var/log/messages here!
destination d_skynet {
    file("/opt/var/log/skynet-0.log");
};
# logs everything from Skynet to /opt/var/log/skynet-0.log
filter f_skynet {
    program("Skynet") or
    message("BLOCKED -") or
    message("[#]");
};
# final flag stops processing of messages matching the f_skynet filter
log {
    source(src);
    source(kernel);
    filter(f_skynet);
    destination(d_skynet);
    flags(final);
};
#eof
Here is the one I want to use as the second to save hourly reports and write them to skynet_h.log. I have highlighted with arrows the two areas I am not sure which will write the new skynet_h.log.
Code: 
destination d_skynet-h {
    file("/opt/var/log/skynet-0.log"); <<== this I know writes to the existing log (not what I want)
    file("/opt/var/log/skynet_h.log"); <<== or this (NOT both! I know)
};
# logs everything from Skynet to /opt/var/log/skynet-h.log
filter f_skynet-h {
    program("Skynet") or
    message("[#]");
};
# final flag stops processing of messages matching the f_skynet filter
log {
    source(src);
    source(kernel);
    filter(f_skynet-h);
    destination(d_skynet-h.log); <<== will work and do it?
    flags(final);
};
#eof
I tested it and it almost works using the "file ("/opt/var/log/skynet-0.log");" , but I did not get the skynet_h.log I want, picked up old ones (some skipped, and some junk like startup and shutdown that is not wanted) not sure why but this is what I hope to save constant hourly reports.
Code: 
Apr 11 04:58:40 RT-AC86U-4608 kernel: [BLOCKED - INVALID] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=195.231.8.114 DST=71.93.53.239 LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=54321 PROTO=TCP SPT=41246 DPT=81 SEQ=1661009245 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 MARK=0x8000000
tail: /opt/var/log/skynet-0.log has been replaced; following end of new file
Apr 10 18:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 196 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 10 19:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 286 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 10 20:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 390 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 10 21:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 505 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 11 02:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 1048 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 11 03:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 1173 Inbound -- 0 Outbound Connections Blocked! [save] [2s]
Apr 11 05:00:03 RT-AC86U-4608 Skynet: [#] 154538 IPs (+0) -- 1634 Ranges Banned (+0) || 1381 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr 11 05:01:03 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=207.244.86.222 DST=71.93.53.239 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=45265 PROTO=TCP SPT=55216 DPT=1933 SEQ=2240316083 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Apr 11 05:01:03 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=185.176.27.98 DST=71.93.53.239 LEN=40 TOS=0x00 PREC=0x00 TTL=238 ID=26379 PROTO=TCP SPT=43296 DPT=34498 SEQ=2723861542 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000 [/code/
Click to expand...
You should make a fresh log statement for your skynet-h

Code: 
destination d_skynet-h {
    file("/opt/var/log/skynet_h.log");
};
# logs everything from Skynet to /opt/var/log/skynet-h.log
filter f_skynet-h {
    program("Skynet") or
    message("[#]");
};
# final flag stops processing of messages matching the f_skynet-h filter
log {
    source(src);
    source(kernel);
    filter(f_skynet-h);
    destination(d_skynet-h.log);
    flags(final);
};
#eof
 
Butterfly Bones said:
Ok, I have been trying to filter and keep the Skynet hourly reports into a separate log.
Click to expand...
Um, maybe a different better way? I found the hourly reports are all hiding in /opt/var/log/messages. I never looked far enough back until I did a grep for "Skynet". I did not think to look there since they do not show in the webGUI syslog window. Scan to the far right to see why Skynet wrote these, and why the lines have variations.

I *think* we only want [save].
Code: 
Apr  6 11:23:01 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 313 Inbound -- 0 Outbound Connections Blocked! [stats] [8s]
Apr  6 11:24:00 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 315 Inbound -- 0 Outbound Connections Blocked! [debug] [22s]
Apr  6 12:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 388 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 13:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 509 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 14:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 622 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 15:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 725 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 851 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:24:56 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 896 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:29:28 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 905 Inbound -- 0 Outbound Connections Blocked! [debug] [29s]
Apr  6 16:29:57 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 905 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:30:32 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 907 Inbound -- 0 Outbound Connections Blocked! [debug] [3s]
Apr  6 11:23:01 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 313 Inbound -- 0 Outbound Connections Blocked! [stats] [8s]
Apr  6 11:24:00 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 315 Inbound -- 0 Outbound Connections Blocked! [debug] [22s]
Apr  6 12:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 388 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 13:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 509 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 14:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 622 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 15:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 725 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 851 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:24:56 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 896 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:41:35 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [24s]
Apr  6 17:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 27 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 18:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 141 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 19:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 232 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 19:34:28 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 306 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 11:23:01 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 313 Inbound -- 0 Outbound Connections Blocked! [stats] [8s]
Apr  6 11:24:00 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 315 Inbound -- 0 Outbound Connections Blocked! [debug] [22s]
Apr  6 12:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 388 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 13:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 509 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 14:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 622 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 15:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 725 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 851 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:24:56 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 896 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:29:28 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 905 Inbound -- 0 Outbound Connections Blocked! [debug] [29s]
Apr  6 16:29:57 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 905 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:30:32 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 907 Inbound -- 0 Outbound Connections Blocked! [debug] [3s]
Apr  6 11:23:01 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 313 Inbound -- 0 Outbound Connections Blocked! [stats] [8s]
Apr  6 11:24:00 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 315 Inbound -- 0 Outbound Connections Blocked! [debug] [22s]
Apr  6 12:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 388 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 13:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 509 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 14:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 622 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 15:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 725 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 851 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:24:56 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 896 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:41:35 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [24s]
Apr  6 17:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 27 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 18:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 141 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 19:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 232 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 19:34:28 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 306 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Can I modify my skynet_h filter above to collect these?
Code: 
destination d_skynet_h {
   file("/opt/var/log/messages");
};
# logs everything from Skynet to /opt/var/log/skynet_h.log
filter f_skynet_h {
   program("Skynet") or
   message("[save]");
};
# final flag stops processing of messages matching the f_skynet_h filter
log {
   source(src);
   source(kernel);
   filter(f_skynet_h);
   destination(d_skynet_h); <<== will work and do it?  OR destination(d_skynet_h.log);
   flags(final);
};
#eof
 
Last edited:
Butterfly Bones said:
Um, maybe a different better way? I found the hourly reports are all hiding in /opt/var/log/messages. I never looked far enough back until I did a grep for "Skynet". I did not think to look there since they do not show in the webGUI syslog window. Scan to the far right to see why Skynet wrote these, and why the lines have variations.

I *think* we only want [save].
Code: 
Apr  6 11:23:01 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 313 Inbound -- 0 Outbound Connections Blocked! [stats] [8s]
Apr  6 11:24:00 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 315 Inbound -- 0 Outbound Connections Blocked! [debug] [22s]
Apr  6 12:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 388 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 13:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 509 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 14:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 622 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 15:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 725 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 851 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:24:56 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 896 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:29:28 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 905 Inbound -- 0 Outbound Connections Blocked! [debug] [29s]
Apr  6 16:29:57 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 905 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:30:32 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 907 Inbound -- 0 Outbound Connections Blocked! [debug] [3s]
Apr  6 11:23:01 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 313 Inbound -- 0 Outbound Connections Blocked! [stats] [8s]
Apr  6 11:24:00 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 315 Inbound -- 0 Outbound Connections Blocked! [debug] [22s]
Apr  6 12:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 388 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 13:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 509 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 14:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 622 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 15:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 725 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 851 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:24:56 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 896 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:41:35 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [24s]
Apr  6 17:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 27 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 18:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 141 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 19:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 232 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 19:34:28 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 306 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 11:23:01 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 313 Inbound -- 0 Outbound Connections Blocked! [stats] [8s]
Apr  6 11:24:00 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 315 Inbound -- 0 Outbound Connections Blocked! [debug] [22s]
Apr  6 12:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 388 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 13:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 509 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 14:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 622 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 15:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 725 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 851 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:24:56 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 896 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:29:28 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 905 Inbound -- 0 Outbound Connections Blocked! [debug] [29s]
Apr  6 16:29:57 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 905 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:30:32 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 907 Inbound -- 0 Outbound Connections Blocked! [debug] [3s]
Apr  6 11:23:01 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 313 Inbound -- 0 Outbound Connections Blocked! [stats] [8s]
Apr  6 11:24:00 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 315 Inbound -- 0 Outbound Connections Blocked! [debug] [22s]
Apr  6 12:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 388 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 13:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 509 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 14:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 622 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 15:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 725 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 851 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 16:24:56 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 896 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Apr  6 16:41:35 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 0 Inbound -- 0 Outbound Connections Blocked! [start] [24s]
Apr  6 17:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 27 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 18:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 141 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 19:00:03 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 232 Inbound -- 0 Outbound Connections Blocked! [save] [3s]
Apr  6 19:34:28 RT-AC86U-4608 Skynet: [#] 156033 IPs (+0) -- 1539 Ranges Banned (+0) || 306 Inbound -- 0 Outbound Connections Blocked! [settings] [1s]
Can I modify my skynet_h filter above to collect these?
Code: 
destination d_skynet_h {
   file("/opt/var/log/messages");
};
# logs everything from Skynet to /opt/var/log/skynet_h.log
filter f_skynet_h {
   program("Skynet") or
   message("[save]");
};
# final flag stops processing of messages matching the f_skynet_h filter
log {
   source(src);
   source(kernel);
   filter(f_skynet_h);
   destination(d_skynet_h); <<== will work and do it?  OR destination(d_skynet_h.log);
   flags(final);
};
#eof
Click to expand...
Is it just a problem with your [#] filter?..... its looking for a regular expression.. see if this works?

Code: 
filter f_skynet-h {
 program("Skynet") or
 (message("[#]") type(glob));
};
 
tomsk said:
Is it just a problem with your [#] filter?..... its looking for a regular expression.. see if this works?

Code: 
filter f_skynet-h {
 program("Skynet") or
 (message("[#]") type(glob));
};
Click to expand...
Things have changed, see my post above about find what I found in /opt/var/log/messages. There are a few lines, but the only ones I want are the [save] ones, do I need to use this?
Code: 
filter f_skynet-h {
 program("Skynet") or
 (message("[save]") type(glob));
};
 
You must log in or register to reply here.

Similar threads

Tarek Yag
Scribe [SOLVED] syslog-ng intermittent failure to shutdown which messes all logging
Replies
15
Views
630
Tarek Yag
Tarek Yag
SomeWhereOverTheRainBow
Scribe Issues with scribe.... Errors all over the place after restarting scribe!
Replies
8
Views
2K
SomeWhereOverTheRainBow
SomeWhereOverTheRainBow
S
Scribe Strange Issue with Scribe / Syslog-NG after Reboot
Replies
7
Views
991
Ripshod
Ripshod
cmkelley
Scribe scribe 3.x_y - syslog-ng and logrotate installer
10 11 12
Replies
234
Views
21K
matthew_eli
matthew_eli
Davidncali001
Skynet Message on SKYNET I havent seen before
Replies
1
Views
297
Davidncali001
Davidncali001
Similar threads
Thread starter Title Forum Replies Date
S Scribe Strange Issue with Scribe / Syslog-NG after Reboot Asuswrt-Merlin AddOns 7
V Scribe Scribe nvram log_path - what should it be? Asuswrt-Merlin AddOns 4
SomeWhereOverTheRainBow Scribe Issues with scribe.... Errors all over the place after restarting scribe! Asuswrt-Merlin AddOns 8
Tarek Yag Scribe [SOLVED] syslog-ng intermittent failure to shutdown which messes all logging Asuswrt-Merlin AddOns 15
J AdGuardHome There are tons of dnsproxy error messages occuring on syslog. Asuswrt-Merlin AddOns 2
T Updated scMerlin to 2.5.5 - syslog stops at 'syslogd exiting' Asuswrt-Merlin AddOns 9

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Members online

Total: 717 (members: 23, guests: 694)
Top