Scribe scribe - syslog-ng and logrotate installer


I'm not sure I understand your meaning. All of the logs created by syslog-ng are put in the /opt/var/log directory. All of the information comes from the system logging utility, except for 2 files generated by logrotate that syslog-ng reads and puts together into one log file in /opt/var/log. None of the syslog-ng files should be triggering syslogd.

I've tried to get syslogd running and I couldn't. Everything I've tried to start syslogd outside of restarting the logger or time functions has failed to start it. When I use the logger or time functions they are properly captured by service-event and killed off.

Did you edit your service-event file with a Windows editor? That would stop service-event from working.
so if scripts are using logger could that be causing the issue?

BTW --- this is all that is in service-event script
upload_2019-6-8_20-36-39.png

is what the ps | grep log shows
upload_2019-6-8_20-40-32.png


and this is also listed inside the debug file generated.
 
so if scripts are using logger could that be causing the issue?
No. I use the logger function quite a bit, I was referring to the logger service, which controls syslogd and klogd. The logger function sends messages to the system logging process, then either syslogd & klogd or syslog-ng writes it to files.
BTW --- this is all that is in service-event script
View attachment 18142
is what the ps | grep log shows
View attachment 18143
Hrm. So syslogd isn't running, so that didn't get started. I'm wondering about the charon "--use-syslog" flag though. A properly implemented program would send stuff to the system logging process, which should be independent of what logging daemon is used.

It's possibly not related at all to syslog-ng. It might be a collision in the system logging process rather than the logging service (i.e. it would have occurred even if klogd/syslogd were in use and not syslog-ng).

Nothing unusual in the debug file. I'm leaning towards a process issue not related to syslog-ng, or else the charon program (part of strongswan apparently) isn't playing nice and is assuming syslogd.
 
That is the IPSEC VPN server. I just started mine and "ps | grep log" returns this.
Code:
 1651 [redacted]  9432 S    {syslog-ng} supervising syslog-ng
 1652 [redacted]  154m S    syslog-ng
32315 [redacted] 14560 S    /usr/lib/ipsec/charon --use-syslog
32488 nobody   43436 S    dnsmasq --log-async
32489 [redacted]  2520 S    dnsmasq --log-async
32617 [redacted]   928 D    grep log
I remember seeing that in htop when I first started a VPN server, now I use the OpenVPN server, but wanted to confirm.
Code:
Jun  8 19:51:55 RT-AC86U-4608 rc_service: httpds 794:notify_rc ipsec_start
Jun  8 19:51:55 RT-AC86U-4608 custom_script: Running /jffs/scripts/service-event (args:  ipsec_start)
Jun  8 19:51:55 RT-AC86U-4608 ipsec_starter[32280]: Starting weakSwan 5.7.2 IPsec [starter]...
Jun  8 19:51:55 RT-AC86U-4608 kernel: Initializing XFRM netlink socket
Jun  8 19:51:55 RT-AC86U-4608 ipsec_starter[32314]: charon (32315) started after 100 ms
Jun  8 19:51:57 RT-AC86U-4608 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Jun  8 19:51:57 RT-AC86U-4608 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Jun  8 19:51:57 RT-AC86U-4608 Diversion: restarted Dnsmasq to apply settings, from /jffs/scripts/dnsmasq.postconf
Jun  8 19:51:57 RT-AC86U-4608 stubby[32484]: Read config from file /etc/stubby/stubby.yml
Jun  8 19:57:04 RT-AC86U-4608 rc_service: httpds 794:notify_rc ipsec_stop
Jun  8 19:57:04 RT-AC86U-4608 custom_script: Running /jffs/scripts/service-event (args:  ipsec_stop)
Jun  8 19:57:04 RT-AC86U-4608 ipsec_starter[32314]: charon stopped after 200 ms
Jun  8 19:57:04 RT-AC86U-4608 ipsec_starter[32314]: ipsec starter stopped
 
Yea, I have no clue why it is overrun by them. I uninstalled scribe and rebooted and disabled the ipsec, rebooted (power off-unplug method) and the issue still persists even without scribe, so something is going on with it on the firmware level. I feel comfortable enough to say that because it hasn't been too long since I did a complete factory reset (applying settings manually) and whatnot.
 
Would you mind using the scribe 'lr' function to run logrotate and see if it happens again? And if it does, would you see if just running 's' status or 'rs' restart syslog-ng brings it back? scribe itself shouldn't run when logrotate happens at midnight; only logrotate and syslog-ng (via the HUP signal) should run. The scribe update to v2.0_1 only added a check for firewall-start existing before grepping it for Skynet, and checks service-event to see if it's already been fixed before running a sed replacement against it, so that should have nothing to do with the overnight logrotate run.

Did you upgrade your firmware between scribe v2.0_0 and v2.0_1? @joe scian is having essentially the same problem with his AC5300 on 384.12 alpha2. As far as I know the only for sure "known to work" on 384.12 alpha is the AC86U and AC3100, although the latter required a power removal (not just reboot) to work completely. Not that other models don't work, I've just not seen anyone say it's working.

I have verified that Log Rotate does not contribute to removing /tmp/syslog.log. The only thing that causes this is pressing Clear on the General Log page. Once this happens /tmp/syslog.log never gets created again - even though /opt/var/log/messages still functions correctly at that point. The only way of getting /tmp/syslog.log back again AND of course WEBGUI messages subsequently is by restarting syslog-ng by pressing rs. Or one needs to recreate the symbolic link to /tmp/syslog.
 
Yeah, I played with that a bit on my test router. Not a huge surprise I guess that it clears it by simply deleting syslog.log and syslog.log-1. Unfortunately, it doesn't seem to do it in any easily catchable way.

The best advice I can offer is, don't press the clear button on the webgui. :D

In v2.1, 'scribe status' or the s option on the menu will re-create the links if they are missing. Not a huge help because it won't catch them being deleted in the first place.
 
create a file named /opt/etc/syslog-ng.d/ascd
Code:
# log all ascd logs to /opt/var/log/ascd.log and stop processing ascd logs

destination d_ascd {
   file("/opt/var/log/ascd.log");
};

filter f_ascd {
   program("ascd");
};

log {
   source(src);
   filter(f_ascd);
   destination(d_ascd);
   flags(final);
};

#eof
create another file named /opt/etc/logrotate.d/ascd
Code:
/opt/var/log/ascd.log {
   rotate 2
   postrotate
       /usr/bin/killall -HUP syslog-ng
   endscript
}
You can change the number after rotate to however many you want to keep.


Okay so I have fresh installed things and now everything appears to be working well... I followed the directions for setting this up, but I get errors like this
Code:
error: Ignoring ascd because it is writable by group or others.

What did I do wrong?
 
Wrong permissions.
Code:
chmod 600 ascd
ls -al in the "/tmp/mnt/<USB>/entware/etc/syslog-ng.d" directory should look like this for file permissions of all filter files
Code:
-rw-------
 
new issues now that i have fixed permissions
Code:
==> /opt/tmp/logrotate.daily <==
error: ascd:1 bad rotation count '2 postrotate /usr/bin/killall -HUP'
error: found error in /opt/var/log/ascd.log , skipping
error: found error in file ascd, skipping
 
apparently it is the same for the log-rotate directory too
Yes, that is correct. Sorry to miss that, but I'm on my second cuppa, so I will be alive and aware soon. ;)

new issues now that i have fixed permissions
Code:
==> /opt/tmp/logrotate.daily <==
error: ascd:1 bad rotation count '2 postrotate /usr/bin/killall -HUP'
error: found error in /opt/var/log/ascd.log , skipping
error: found error in file ascd, skipping
No idea on this one, someone will know when they check in.
 
Did you create it on the router with vi or nano, or in Windows & copy it to the router? It looks like it's seeing the 'rotate 2' and 'postrotate ...' lines as one line.

Try 'dos2unix /opt/etc/logrotate.d/ascd'

Sorry about forgetting about the permissions.
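
The two logrotate failures in this exchange (a drop-in that is group/other writable, and 'rotate 2' running into the following text) can be caught before the midnight run. The script below is an added example and is not part of scribe, logrotate or any post in this thread; check_dropin is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: pre-flight check for a logrotate.d drop-in such as
# /opt/etc/logrotate.d/ascd. check_dropin is a hypothetical helper.
# Returns the number of problems found (0 = file looks usable).
check_dropin() {
    f=$1
    problems=0
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }

    # logrotate ignores configs that group or others can write to.
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w*)
            echo "$f: mode $perms is group/other writable (fix: chmod 600)"
            problems=$((problems + 1)) ;;
    esac

    # Carriage returns mean the file passed through a Windows editor.
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: contains CR line endings (fix: dos2unix)"
        problems=$((problems + 1))
    fi

    # 'rotate' takes a number and nothing else on its line; a paste that
    # joins lines yields "rotate 2 postrotate ...", the error seen above.
    if grep -E '(^|[[:space:]])rotate[[:space:]]' "$f" |
       grep -qvE '(^|[[:space:]])rotate[[:space:]]+[0-9]+[[:space:]]*$'; then
        echo "$f: text follows the rotate count (lines joined?)"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# Stand-alone use: sh check_dropin.sh /opt/etc/logrotate.d/ascd
if [ "$#" -gt 0 ]; then
    check_dropin "$1"
fi
```

The permission test reads the mode string from ls so it also works where stat is not installed.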
 
created in nano "copy and paste into nano"
 
Maybe someone with ipsec can post their strongswan.conf file. The manual is really confusing but it looks like it is doing its own logging thing.
 
Here is mine, I don't run it, but still configured.
Code:
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
  user = [redacted]
  threads = 8
  send_vendor_id = yes
  interfaces_ignore = br0
  starter { load_warning = no }
  load_modular = yes
  i_dont_care_about_security_and_use_aggressive_mode_psk = yes
  plugins {
    include strongswan.d/charon/*.conf
  }
  filelog {
      charon {
        path = /var/log/strongswan.charon.log
        time_format = %b %e %T
        default = 0
        append = no
        flush_line = yes
     }
  }
}#the end of the Charon {
I never looked at this before, but I need to investigate this line. :eek:
Code:
  i_dont_care_about_security_and_use_aggressive_mode_psk = yes
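
strongSwan's starter announces itself as "weakSwan" when this option is enabled, which matches the ipsec_starter line in the syslog excerpt earlier in the thread. The script below is an added example, not part of strongSwan, the firmware or any post here; the function names are hypothetical and it reads only the single file it is given, not files pulled in by include.

```shell
#!/bin/sh
# Added example: flag IKEv1 aggressive mode with PSK from the config
# and from syslog. Function names are hypothetical.
OPT=i_dont_care_about_security_and_use_aggressive_mode_psk

# Succeeds if the option is set to a true value outside of comments.
aggressive_psk_enabled() {
    sed 's/#.*//' "$1" |
        grep -Eiq "(^|[[:space:]{])${OPT}[[:space:]]*=[[:space:]]*(yes|true|enabled|1)([[:space:]}]|\$)"
}

# Prints how many starter lines in a syslog file announce weakSwan.
weakswan_starts() {
    grep -c 'ipsec_starter\[[0-9]*\]: Starting weakSwan' "$1" || true
}

# usage: audit_ipsec <strongswan.conf> <syslog file>
# Returns the number of findings (0 = neither indicator present).
audit_ipsec() {
    findings=0
    if aggressive_psk_enabled "$1"; then
        echo "$1: aggressive mode with PSK is enabled"
        findings=$((findings + 1))
    fi
    n=$(weakswan_starts "$2")
    if [ "$n" -gt 0 ]; then
        echo "$2: $n daemon start(s) logged as weakSwan"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Stand-alone use: sh audit_ipsec.sh /etc/strongswan.conf /opt/var/log/messages
if [ "$#" -eq 2 ]; then
    audit_ipsec "$1" "$2"
fi
```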
 
Maybe someone with ipsec can post their strongswan.conf file. The manual is really confusing but it looks like it is doing its own logging thing.
My ipsec is just the basic setup with the GUI. I haven't quite yet branched out to script customizations on that yet. I want to get my basic setup stable first.
 
I know this is a completely unrelated question but it is semi related to entware and how it is running packages: does anyone know how to see how entware is reading the date and time vs the router's date and time?
 
