Scribe scribe - syslog-ng and logrotate installer

[elorimer]

has anyone reported this effecting the network map?

No. If you have an 87U and tried 12A2, that does affect the network map and you need to go back to A1.

 

[elorimer]

Why do I ask? - because, aside from testing issues, that same routine would be usefully auto-invoked when the USB is ejected. Right now when the USB is ejected ... "### Top of Log File ###" gets written to System Log [Webgui] and nothing appears after it - no matter how long you wait.

I think this is because syslog-ng can't run when the USB is ejected, and nothing has restarted syslogd. So no logging is going on.

I wonder whether ejecting the USB is better left to amtm, which might call a stop sequence in scribe--I forget how that discussion went. But you are suggesting that the scribe stop would restart syslogd, which would destroy the symlink and start up a new /tmp/syslog.log; then on scribe restart it would see the file, copy it to messages, reform the symlink, kill syslogd and start syslog-ng. I guess that could work ok.

 

[cmkelley]

cmkelly

OK - I restarted QOS by going to QOS page and hitting apply which calls firewall-start and nat-start and I lost /tmp/syslog.log. After doing a ps | grep log this is what i got

joescian@RT-AC5300:/jffs/scripts# ps | grep log
 3107 nobody   42320 D    dnsmasq --log-async
 3108 joescian  1332 S    dnsmasq --log-async
 8383 joescian  8452 S    {syslog-ng} supervising syslog-ng
 8384 joescian 15324 S    syslog-ng

So much for that idea. I thought maybe it was re-starting syslogd or klogd somehow.

Next thing to do is see if it's even sylsog related. Can you create a dummy file called '/opt/var/log/dummy', and then create a symlink 'ln -s /opt/var/log/dummy /tmp/dummy-link', and then do whatever it is that kills the symlink between /opt/var/log/messages and /tmp/syslog.log? If it kills the link between dummy and dummy-link. then it's a separate issue form syslog/syslog-ng.

 

[kernol]

I think this is because syslog-ng can't run when the USB is ejected, and nothing has restarted syslogd. So no logging is going on.

I wonder whether ejecting the USB is better left to amtm, which might call a stop sequence in scribe--I forget how that discussion went. But you are suggesting that the scribe stop would restart syslogd, which would destroy the symlink and start up a new /tmp/syslog.log; then on scribe restart it would see the file, copy it to messages, reform the symlink, kill syslogd and start syslog-ng. I guess that could work ok.

My VERY basic understanding is that Syslog-ng cats syslog to "messages" on startup - so presumably it can push the content of that back to syslog.log when temporarily disabled? When you restart syslog-ng it can push back the syslog.log content to "messages"? To avoid duplication of log entries - perhaps it should overright the content both ways?

Like I said at the top of my post - not a coder [anymore anyway] ... but have a naive belief that one can achieve pretty much anything you want programmatically - just depends on the volume of code and practicality of the concept.

 

[kernol]

Good idea. Hopefully can implement no later than this coming weekend, my weeknights are looking iffy for the rest of the week.

No rush - FULLY enjoying what you have done so far - in a mind boggling field, where you have done a massive amount to simplify an impossible task for us non-coders {Thumbs-Up}

 

[thelonelycoder]

Like this?

I did not catch the name of the software that you use to display the logs. Would you repeat that for me?

 

[elorimer]

Its a loggly screen.

 

[Butterfly Bones]

I did not catch the name of the software that you use to display the logs. Would you repeat that for me?

Yes, an online service. I use the free version since my total data is way below their threshold.
https://www.loggly.com/

 

[thelonelycoder]

Yes, an online service. I use the free version since my total data is way below their threshold.
https://www.loggly.com/

Its a loggly screen.

Thanks to both of you. That is a no-no for me sending the logs to a remote server.
I was hoping this is a free and open source software that I could install on my local CentOS server.

 

[Butterfly Bones]

Thanks to both of you. That is a no-no for me sending the logs to a remote server.
I was hoping this is a free and open source software that I could install on my local CentOS server.

In this post @cmkelley y mentions that syslog-ng now supports collectd, though I have not looked at it. I think @elorimer has and can offer more info.
https://www.snbforums.com/threads/scribe-syslog-ng-and-logrotate-installer.55853/page-30#post-494188

 

[elorimer]

I have looked at collectd, and I have it running (at this point in my travels, pointlessly). I can report that if y'all thought syslog-ng had a steep learning curve, watch out below!

If I am following, collectd is a way of collecting data about the router, like CPU usage, at intervals and sending it someplace. From that something else can present that data. To be more specific, it can send it to an /rrd directory on the USB drive in rrd format (round robin data). Then luci can use that to present a graph of CPU usage over a defined period (or memory usage, etc.) The syslog-ng implementation is basically a source definition that reads the collectd source, and a collectd destination. I haven't quite figured out the utility of that.

I haven't figured out the utility of collectd yet either, as there is no luci entware pkg, so I'm not sure what can make sense of the /rrd info.

 

[elorimer]

I was hoping this is a free and open source software that I could install on my local CentOS server.

Run syslog-ng on the CentOS server and send the router logs there.

Also: lnav.org

 

[gattaca]

I've read most of this thread's pages. I am struggling to figure out what value I can get for using syslog-ng to me personally. What's motivating you guys to deploy and use this? Laymen's terms would be super! TY

 

[Butterfly Bones]

I've read most of this thread's pages. I am struggling to figure out what value I can get for using syslog-ng to me personally. What's motivating you guys to deploy and use this? Laymen's terms would be super! TY

For me it simplifies log viewing to monitor events. Because each service is sorted to a separate log, it makes trouble shooting much, much easier.

For example, I was having VPN disconnections, so making changes in the VPN client configuration, restart VPN, check log, stop VPN client, make changes, restart VPN, check log, ad nauseum. Having just one log with openvpn events logged is so much easier.

I only see about 10 events each day in the webgui syslog, things like dropbear, LEDS off and on with timed scripts, and so on.

Trouble shooting pixelserv-tls with logging at level higher than 2 generates hundreds of lines each hour! Having those separate and not scrolling the webgui up and down, back and forth, up and down is better for me.

Since you don't see the value now, maybe there is no good reason to use it. It is a geek convenience / analysis tool more than a safety / security feature, or nice graphical displays.

 

[cmkelley]

I've read most of this thread's pages. I am struggling to figure out what value I can get for using syslog-ng to me personally. What's motivating you guys to deploy and use this? Laymen's terms would be super! TY

Everyone has different reasons. For me personally it's to de-clutter the dcd crash, wlceventd, and iptables entries from the main log. Others might be using their routers in an office environment and need to monitor the logs for security, and it helps to break them out.

BB is right though, usually, people come looking for a way to install syslog-ng to solve a particular problem, rather than installing syslog-ng and trying to figure out what use it is. And as you use more features of your router (e.g. VPN) having the various logs separated makes it easier to troubleshoot.

 

[cmkelley]

Minor bug-squashing update v2.0_1 posted

• firewall-start might not be present, particularly if Skynet is not running. Check for firewall-start existing before searching it to see if Skynet is installed. Thanks TLC for catching that one.

 

[joe scian]

So much for that idea. I thought maybe it was re-starting syslogd or klogd somehow.

Next thing to do is see if it's even sylsog related. Can you create a dummy file called '/opt/var/log/dummy', and then create a symlink 'ln -s /opt/var/log/dummy /tmp/dummy-link', and then do whatever it is that kills the symlink between /opt/var/log/messages and /tmp/syslog.log? If it kills the link between dummy and dummy-link. then it's a separate issue form syslog/syslog-ng.

OK - I think I am much closer to the problem root cause. I performed the above experiment and the symbolic link to dummy-link sticks - its always there but /tmp/syslog.log disappears. AND I can make it dissapear at will whenever I press <CLEAR> on General Log page of the GUI. Does that give you a clue?

 

[gattaca]

...For me personally it's to de-clutter the dcd crash, wlceventd, and iptables entries from the main log. Others might be using their routers in an office environment and need to monitor the logs for security, and it helps to break them out.

Ah, OK! It's de-cluttering and organizing the router's logs.

Funny, I never got why the linux default practice of dumping all messages and events into a single main system log other than "well that's best practice..." when then the first thing developers do is sort/search/organize it using tools like this! LOL.

BLUF: This package is helping teams develop and debug the router. It is sorting messages, which are generated and dumped into the main system logs (/var/log or where ever it really lives) by different services running on the router, into distinct files based on that service. In one case, BB is streaming these to loggly to advance that one step further into a nice GUI sorted by tabs!.. I'm not a developer or running a business today to need to do that. Got it. Thank You. Have a good one!

 

[thelonelycoder]

Funny, I never got why the linux default practice of dumping all messages and events into a single main system log other than "well that's best practice..." when then the first thing developers do is sort/search/organize it using tools like this! LOL.

When did you last look at /var/log on your *NIX box? I'm sure you'll find more than one log file there.

 

[Jumpstarter]

Man scribe is using that cpu and hard drive pretty hard