Scribe scribe - syslog-ng and logrotate installer

[Jumpstarter]

I'm not sure I understand your meaning. All of the logs created by syslog-ng are put in the /opt/var/log directory. All of the information comes from the system logging utility, except for 2 files generated by logrotate that syslog-ng reads and puts together into one log file in /opt/var/log. None of the syslog-ng files should be triggering syslogd.

I've tried to get syslogd running and I couldn't. Everything I've tried to start syslogd outside of restarting the logger or time functions has failed to start it. When I use the logger or time functions they are properly captured by service-event and killed off.

Did you edit your service-event file with a windows editor? That would stop service-event from working.

so if scripts are using logger could that be causing the issue?

BTW --- this is all that is in service-event script

is what the ps | grep log shows

and this is also listed inside the debug file generated.

 

[cmkelley]

so if scripts are using logger could that be causing the issue?

No. I use the logger function quite a bit, I was referring to the logger service, which controls syslogd and klogd. The logger function sends messages to the system logging process, then either syslogd & klogd or syslog-ng writes it to files.

BTW --- this is all that is in service-event script
View attachment 18142
is what the ps | grep log shows
View attachment 18143

Hrm. So syslogd isn't running, so that didn't get started. I'm wondering about the charon "--use-syslog" flag though. A properly implemented program would send stuff to the system logging process, which should be independent of what logging daemon used.

It's possibly not related at all syslog-ng. It might be a collision in the system logging process rather than logging service (i.e. it would have occurred even if klogd/syslogd were in use and not syslog-ng).

Nothing unusual in the debug file. I'm leaning towards a process issue not related to syslog-ng, or else the charon program (part of strongswan apparently) isn't playing nice and is assuming syslogd.

 

[Butterfly Bones]

No. I use the logger function quite a bit, I was referring to the logger service, which controls syslogd and klogd. The logger function sends messages to the system logging process, then either syslogd & klogd or syslog-ng writes it to files.

Hrm. So syslogd isn't running, so that didn't get started. I'm wondering about the charon "--use-syslog" flag though. A properly implemented program would send stuff to the system logging process, which should be independent of what logging daemon used.

It's possibly not related at all syslog-ng. It might be a collision in the system logging process rather than logging service (i.e. it would have occurred even if klogd/syslogd were in use and not syslog-ng).

Nothing unusual in the debug file. I'm leaning towards a process issue not related to syslog-ng, or else the charon program (part of strongswan apparently) isn't playing nice and is assuming syslogd.

That is the IPSEC VPN server. I just started mine and "ps | grep log" returns this.

 1651 [redacted]  9432 S    {syslog-ng} supervising syslog-ng
 1652 [redacted]  154m S    syslog-ng
32315 [redacted] 14560 S    /usr/lib/ipsec/charon --use-syslog
32488 nobody   43436 S    dnsmasq --log-async
32489 [redacted]  2520 S    dnsmasq --log-async
32617 [redacted]   928 D    grep log

I remember seeing that in htop when I first started a VPN server, now I use the OpenVPN server, but wanted to confirm.

Jun  8 19:51:55 RT-AC86U-4608 rc_service: httpds 794:notify_rc ipsec_start
Jun  8 19:51:55 RT-AC86U-4608 custom_script: Running /jffs/scripts/service-event (args:  ipsec_start)
Jun  8 19:51:55 RT-AC86U-4608 ipsec_starter[32280]: Starting weakSwan 5.7.2 IPsec [starter]...
Jun  8 19:51:55 RT-AC86U-4608 kernel: Initializing XFRM netlink socket
Jun  8 19:51:55 RT-AC86U-4608 ipsec_starter[32314]: charon (32315) started after 100 ms
Jun  8 19:51:57 RT-AC86U-4608 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Jun  8 19:51:57 RT-AC86U-4608 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Jun  8 19:51:57 RT-AC86U-4608 Diversion: restarted Dnsmasq to apply settings, from /jffs/scripts/dnsmasq.postconf
Jun  8 19:51:57 RT-AC86U-4608 stubby[32484]: Read config from file /etc/stubby/stubby.yml
Jun  8 19:57:04 RT-AC86U-4608 rc_service: httpds 794:notify_rc ipsec_stop
Jun  8 19:57:04 RT-AC86U-4608 custom_script: Running /jffs/scripts/service-event (args:  ipsec_stop)
Jun  8 19:57:04 RT-AC86U-4608 ipsec_starter[32314]: charon stopped after 200 ms
Jun  8 19:57:04 RT-AC86U-4608 ipsec_starter[32314]: ipsec starter stopped

 

[Jumpstarter]

That is the IPSEC VPN server. I just started mine and "ps | grep log" returns this.

 1651 [redacted]  9432 S    {syslog-ng} supervising syslog-ng
 1652 [redacted]  154m S    syslog-ng
32315 [redacted] 14560 S    /usr/lib/ipsec/charon --use-syslog
32488 nobody   43436 S    dnsmasq --log-async
32489 [redacted]  2520 S    dnsmasq --log-async
32617 [redacted]   928 D    grep log

I remember seeing that in htop when I first started a VPN server, now I use the OpenVPN server, but wanted to confirm.

Jun  8 19:51:55 RT-AC86U-4608 rc_service: httpds 794:notify_rc ipsec_start
Jun  8 19:51:55 RT-AC86U-4608 custom_script: Running /jffs/scripts/service-event (args:  ipsec_start)
Jun  8 19:51:55 RT-AC86U-4608 ipsec_starter[32280]: Starting weakSwan 5.7.2 IPsec [starter]...
Jun  8 19:51:55 RT-AC86U-4608 kernel: Initializing XFRM netlink socket
Jun  8 19:51:55 RT-AC86U-4608 ipsec_starter[32314]: charon (32315) started after 100 ms
Jun  8 19:51:57 RT-AC86U-4608 custom_config: Appending content of /jffs/configs/dnsmasq.conf.add.
Jun  8 19:51:57 RT-AC86U-4608 custom_script: Running /jffs/scripts/dnsmasq.postconf (args: /etc/dnsmasq.conf)
Jun  8 19:51:57 RT-AC86U-4608 Diversion: restarted Dnsmasq to apply settings, from /jffs/scripts/dnsmasq.postconf
Jun  8 19:51:57 RT-AC86U-4608 stubby[32484]: Read config from file /etc/stubby/stubby.yml
Jun  8 19:57:04 RT-AC86U-4608 rc_service: httpds 794:notify_rc ipsec_stop
Jun  8 19:57:04 RT-AC86U-4608 custom_script: Running /jffs/scripts/service-event (args:  ipsec_stop)
Jun  8 19:57:04 RT-AC86U-4608 ipsec_starter[32314]: charon stopped after 200 ms
Jun  8 19:57:04 RT-AC86U-4608 ipsec_starter[32314]: ipsec starter stopped

yea I have no clue why it is over runned by them, I uninstalled scribe and rebooted and disabled the ipsec, rebooted( Power off-unplug method) and issue still persist even without scribe, so something is going on with it on the firmware level. I feel comfortable enough to say that because it hasn't been too long since i did a complete factory reset(applying settings manually) and what not.

 

[Jumpstarter]

With as many listings I have for ipsec you would think I am running 17 instances of it.

 

[joe scian]

Would you mind using the scribe 'lr' function to run logrotate and see if it happens again. And if it does, would you see if just running 's' status or 'rs' restart syslog-ng brings it back? scribe itself shouldn't run when logrotate happens at midnight, only logrotate and syslog-ng (via the HUP signal) should run. The scribe update to v2.0_1 only added a check for firewall-start existing before grepping it for Skynet, and checks service-event to see if it's already been fixed before running a sed replacement against it, so that should have nothing to do with the overnight logrotate run.

Did you upgrade your firmware between scribe v2.0_0 and v2.0_1? @joe scian is having essentially the same problem with his AC5300 on 384.12 alpha2. As far as I know the only for sure "known to work" on 384.12 alpha is the AC86U and AC3100, although the latter required a power removal (not just reboot) to work completely. Not that other models don't work, I've just not seen anyone say it's working.

I have verified that Log Rotate does not contibute to removing /tmp/syslog.log. The only thing that causes this is pressing Clear on the General Log page. Once this happens /tmp/syslog.log never gets created again - even though /opt/var/log/messages still functions correctly at that point. The only way of getting /tmp/syslog.log back again AND of course WEBGUI messages subsequently is by restarting syslog-ng by pressing rs. Or one needs to recreate the symbolic link to /tmp/syslog.

 

[cmkelley]

I have verified that Log Rotate does not contibute to removing /tmp/syslog.log. The only thing that causes this is pressing Clear on the General Log page. Once this happens /tmp/syslog.log never gets created again - even though /opt/var/log/messages still functions correctly at that point. The only way of getting /tmp/syslog.log back again AND of course WEBGUI messages subsequently is by restarting syslog-ng by pressing rs. Or one needs to recreate the symbolic link to /tmp/syslog.

Yeah, I played with that a bit on my test router. Not a huge surprise I guess that it clears it by simply deleting syslog.log and syslog.log-1. Unfortunately, it doesn't seem to do it in any easily catchable way.

The best advice I can offer is, don't press the clear button on the webgui.

In v2.1, 'scribe status' or the s option on the menu will re-create the links if they are missing. Not a huge help because it won't catch them being deleted in the first place.

 

[Jack Yaz]

Smoothly installed here on 384.11_2 on my RT-AC86U. Added the filters for diversion and openvpn and made a new one for netdata

Nice work @cmkelley !

 

[Jumpstarter]

create a file named /opt/etc/syslog-ng.d/ascd

# log all ascd logs to /opt/var/log/ascd.log and stop processing ascd logs

destination d_ascd {
   file("/opt/var/log/ascd.log");
};

filter f_ascd {
   program("ascd");
};

log {
   source(src);
   filter(f_ascd);
   destination(d_ascd);
   flags(final);
};

#eof

create another file named /opt/etc/logrotate.d/ascd

/opt/var/log/ascd.log {
   rotate 2
   postrotate
       /usr/bin/killall -HUP syslog-ng
   endscript
}

You can change the number after rotate to however many you want to keep.

Okay so I have fresh installed things and now everything appears to be working well... I followed the directions for setting this up , but I get errors like this

error: Ignoring ascd because it is writable by group or others.

what did i do wrong?

 

[Butterfly Bones]

Okay so I have fresh installed things and now everything appears to be working well... I followed the directions for setting this up , but I get errors like this

error: Ignoring ascd because it is writable by group or others.

what did i do wrong?

Wrong permissions.

chmod 600 ascd

ls -al in the "/tmp/mnt/<USB>/entware/etc/syslog-ng.d" directory should look like this for file permissions of all filter files

-rw-------

 

[Jumpstarter]

Wrong permissions.

chmod 600 ascd

ls -al in the "/tmp/mnt/<USB>/entware/etc/syslog-ng.d" directory should look like this for file permissions of all filter files

-rw-------

apparently it is the same for the log-rotate directory too

 

[Jumpstarter]

Wrong permissions.

chmod 600 ascd

ls -al in the "/tmp/mnt/<USB>/entware/etc/syslog-ng.d" directory should look like this for file permissions of all filter files

-rw-------

new issues now that i have fixed permissions

==> /opt/tmp/logrotate.daily <==
error: ascd:1 bad rotation count '2 postrotate /usr/bin/killall -HUP'
error: found error in /opt/var/log/ascd.log , skipping
error: found error in file ascd, skipping

 

[Butterfly Bones]

apparently it is the same for the log-rotate directory too

Yes, that is correct. Sorry to miss that, but I'm on my second cuppa, so I will be alive and aware soon.

new issues now that i have fixed permissions

==> /opt/tmp/logrotate.daily <==
error: ascd:1 bad rotation count '2 postrotate /usr/bin/killall -HUP'
error: found error in /opt/var/log/ascd.log , skipping
error: found error in file ascd, skipping

No idea on this one, someone will know when they check in.

 

[cmkelley]

new issues now that i have fixed permissions

==> /opt/tmp/logrotate.daily <==
error: ascd:1 bad rotation count '2 postrotate /usr/bin/killall -HUP'
error: found error in /opt/var/log/ascd.log , skipping
error: found error in file ascd, skipping

Did you create it on the router with vi or nano, or in windows & copy it to the router? It looks like it's seeing the 'rotate 2' and 'postrotate ...' lines as one line.

Try 'dos2unix /opt/etc/logrotate.d/ascd'

Sorry about forgetting about the permissions.

 

[Jumpstarter]

Did you create it on the router with vi or nano, or in windows & copy it to the router? It looks like it's seeing the 'rotate 2' and 'postrotate ...' lines as one line.

Try 'dos2unix /opt/etc/logrotate.d/ascd'

Sorry about forgetting about the permissions.

created in nano "copy and paste into nano"

 

[Jumpstarter]

okay so after re-creating files in Nano copy and paste and
then running dos2unix
then running chmod 600 on each one
and running RS
and option LR it is all working as should
with no errors.

 

[elorimer]

Maybe someone with ipsec can post their strongswan.conf file. The manual is really confusing but it looks like it is doing its own logging thing.

 

[Butterfly Bones]

Maybe someone with ipsec can post their strongswan.conf file. The manual is really confusing but it looks like it is doing its own logging thing.

Here is mine, I don't run it, but still configured.

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files
charon {
  user = [redacted]
  threads = 8
  send_vendor_id = yes
  interfaces_ignore = br0
  starter { load_warning = no }
  load_modular = yes
  i_dont_care_about_security_and_use_aggressive_mode_psk = yes
  plugins {
    include strongswan.d/charon/*.conf
  }
  filelog {
      charon {
        path = /var/log/strongswan.charon.log
        time_format = %b %e %T
        default = 0
        append = no
        flush_line = yes
     }
  }
}#the end of the Charon {

I never looked at this before, but I need to investigate this line.

  i_dont_care_about_security_and_use_aggressive_mode_psk = yes

 

[Jumpstarter]

Maybe someone with ipsec can post their strongswan.conf file. The manual is really confusing but it looks like it is doing its own logging thing.

my ipsec is just the basic setup with the gui. i haven't quite yet branched out to script customizations on that yet. I want to get my basic setup stable first.

 

[Jumpstarter]

I know this is a completely unrelated question but it is semi related to entware and how it is running packages, does any one know how to see how entware is reading the date and time vs the routers date and time?