Scribe scribe - syslog-ng and logrotate installer


Can I please get assistance on how I can add the following log to be seen with uiscribe. It is already separated from syslog: "/opt/var/log/monit.log". I have not changed anything from source, but I am having a hard time understanding what changes I need to make to see monit.log show up in uiscribe.
loading uiscribe should be enough, or use option r
 
> loading uiscribe should be enough, or use option r
I think maybe the confusion is caused by my own log file /opt/var/logs/monit.log, which is not part of syslog. Will this only work if I merge monit logs into the syslog and create a rule to separate monit entries from syslog, so that uiscribe would then work? I wanted to just make a shortcut where uiscribe can parse a log folder I specify. Option r does not allow it to show up.
 
> I think maybe the confusion is caused by my own log file /opt/var/logs/monit.log, which is not part of syslog. Will this only work if I merge monit logs into the syslog and create a rule to separate monit entries from syslog, so that uiscribe would then work? I wanted to just make a shortcut where uiscribe can parse a log folder I specify. Option r does not allow it to show up.
correct
 
Alright, got it working. I copied syslog-ng and modified all the names to monit and all is working now. Thanks everyone!!
 
I have a question again! Sorry for being such a bug. So I am able to filter logs by programs, but one program has this one line repeat itself multiple times. Is there any way to filter out "Connection reset by peer" so I never see it? Thanks!
 
Yes. Normally, you define a source, a filter, and a destination, and then you have a log instruction that looks at the source, and if a message meets the filter, sends it to the destination. In the scribe structure, the log instruction also has a final flag to stop further processing of that message.

To drop a message entirely, you define a filter, but no destination, and have a log instruction that looks at the source, and if a message meets the filter has only the final flag. Because the message isn't sent anywhere, it just gets dropped.

If you already have something in syslog-ng.d that filters out the program that is sending this message, then you can include the necessary log instruction in the same file, but right before your log statement that sends messages from that program to its own destination.

Something like this:
Code:
# match on message text only; no destination is defined for this filter
filter f_dropreset {
    message("Connection reset by peer");
};

# no destination: matching messages stop here (final) and are discarded
log {
    source(src);
    filter(f_dropreset);
    flags(final);
};
 
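A fuller version of the drop-then-route pattern described in the reply above, written here as an added example rather than as scribe's own file. It assumes scribe's source is named src (as in the snippet in the reply), that the program name monit is what appears in the syslog program field (the program from the earlier question), that the per-program file lives in /opt/var/log/monit.log, and that scribe reads the file from its syslog-ng.d directory; adjust those to your setup.

```conf
# /opt/etc/syslog-ng.d/monit  (added example; not a file shipped by scribe)
# Assumes: source "src", program name "monit", log directory /opt/var/log

# 1. Drop the noisy line. The filter is scoped to the program so the same
#    text from some other daemon is still logged; no destination is
#    attached, so a matching message goes nowhere and final stops it here.
filter f_dropreset {
    program("monit") and message("Connection reset by peer");
};

log {
    source(src);
    filter(f_dropreset);
    flags(final);
};

# 2. Everything else from monit goes to its own file. This log statement
#    must come AFTER the drop statement: syslog-ng evaluates log statements
#    in order, and final in the first one prevents this one from ever
#    seeing the dropped messages.
filter f_monit {
    program("monit");
};

destination d_monit {
    file("/opt/var/log/monit.log");
};

log {
    source(src);
    filter(f_monit);
    destination(d_monit);
    flags(final);
};
```

Two points worth keeping in mind when dropping messages this way: a filter on message text alone silently discards that text from every program, which is why the drop filter above also tests program(), and a dropped message is gone for good, so the pattern should be as narrow as the noise you are actually trying to suppress.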
@cmkelley:

I was fixing something in the wake of a power failure that made me want to stop syslog-ng, which I did through scribe. In the course of this I realized that the script not only copies messages back to /tmp/syslog.log, but also reverses the symlink, so that messages points there. This was unexpected, as I thought messages would just sit there. Curious why you do that? Is it just so you can leave the UIscribe page intact?
 
> @cmkelley:
>
> I was fixing something in the wake of a power failure that made me want to stop syslog-ng, which I did through scribe. In the course of this I realized that the script not only copies messages back to /tmp/syslog.log, but also reverses the symlink, so that messages points there. This was unexpected, as I thought messages would just sit there. Curious why you do that? Is it just so you can leave the UIscribe page intact?
So that messages aren't lost. In addition to stopping syslog-ng, it restarts syslogd and klogd. When syslog-ng is restarted, it kills syslogd and klogd and copies the syslog.log back over to messages and re-creates the links.

I don't want to ever intentionally leave a system without a running syslog, be it syslog-ng or syslogd/klogd.
 
> So that messages aren't lost. In addition to stopping syslog-ng, it restarts syslogd and klogd. When syslog-ng is restarted, it kills syslogd and klogd and copies the syslog.log back over to messages and re-creates the links.
>
> I don't want to ever intentionally leave a system without a running syslog, be it syslog-ng or syslogd/klogd.

Excellent work on the above cut-over between logging systems ... just a small non-consequential issue which may well be impossible to fix due to timing issues!?
There is a small loss of log data in the cut-over when first ejecting the USB drive before rebooting or powering off the router.
The same is probably true for a straight Webgui Reboot of the router.
Essentially you never get to see the confirmation line that the USB has been successfully dismounted.

No big deal - as the drop in RAM consumption is evidence of a successful unmount of the USB and graceful closure of the apps running from it [Diversion etc].

FULLY enjoy Scribe together with the @Jack Yaz uiScribe add-on {Thumbs-Up} :D.
 
> Excellent work on the above cut-over between logging systems ... just a small non-consequential issue which may well be impossible to fix due to timing issues!?
> There is a small loss of log data in the cut-over when first ejecting the USB drive before rebooting or powering off the router.
> The same is probably true for a straight Webgui Reboot of the router.
> Essentially you never get to see the confirmation line that the USB has been successfully dismounted.
Yeah, nothing can be done about that. The /jffs/scripts/unmount script is blocking, which means it has to complete before unmounting the USB drive. That means that syslog-ng has stopped completely and syslogd/klogd are running before the USB is unmounted. So any lack of logging of unmounting the USB is on the system, not on syslog-ng. :D
> No big deal - as the drop in RAM consumption is evidence of a successful unmount of the USB and graceful closure of the apps running from it [Diversion etc].
>
> FULLY enjoy Scribe together with the @Jack Yaz uiScribe add-on {Thumbs-Up} :D.
Yeah, uiScribe really makes syslog-ng usable for a lot more people. I happen to prefer viewing logs using 'most' from the command line but I know I'm in the minority there ...
 
Seems like before stopping the services and ejecting the USB drive the log should contain a note like "Ejecting USB....."
 
Hello,
I'm having some issues with skynet and logs.

Time zone and time are correctly set on the router, but the skynet log shows the time is ahead by several hours.

How can I fix this?


EDIT:
Reinstalling scribe and logrotate fixed this.
 

@cmkelley I'm sure you saw the comments about lag with uiScribe, and Jack Yaz's reply on log sizes.
https://www.snbforums.com/threads/u...age-for-scribed-logs.57040/page-9#post-521565

Checking, I see there is no logrotate.d filter for skynet; is there a reason for that due to the nature of that log? It is well over the 1-2 MB size.

Next question: will this work ok, or is there something in there that will cause issues with the Skynet log? This is copied from the syslog-ng filter in /tmp/mnt/SNB/entware/etc/logrotate.d
Code:
/opt/var/log/skynet-0.log {
    size 1M
    daily
    rotate 9
    postrotate
        /usr/bin/killall -HUP syslog-ng
    endscript
}
I've been out of the network loop at this level now for a few months, too many demands from RealLife (tm). o_O
 
If I recall, the skynet log gets destructively sed every hour, with everything reduced to one line. Not sure it is necessary to rotate it. Not really necessary to show it in uiScribe either, but user choice.

So what you are proposing is to rotate the log daily, if and only if it exceeds 1 meg in size, keeping 9 prior backups. I think that might cover a year's worth. I don't think it would harm anything, but you should investigate why your log is so large.
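An added example (not scribe's or skynet's own configuration) of a stanza that does what the reply above describes, rotating daily but only once the file is over 1 MB. Per the logrotate manual, the size directive is mutually exclusive with the time directives (daily, weekly, ...) and whichever of the two is written last in the stanza takes precedence, so the posted stanza, where daily follows size, rotates every day regardless of size; minsize is the directive that combines a size threshold with the time interval. The path and the HUP command are the ones already quoted in the thread.

```conf
# /opt/etc/logrotate.d/skynet  (added example; assumes the log path from the thread)
/opt/var/log/skynet-0.log {
    # rotate on the daily run, but only if the file has grown past 1 MB
    minsize 1M
    daily
    # keep 9 rotated copies
    rotate 9
    # do not complain if the file is absent, and skip rotation of an empty file
    missingok
    notifempty
    postrotate
        # syslog-ng reopens its destination files on SIGHUP
        /usr/bin/killall -HUP syslog-ng
    endscript
}
```

The postrotate HUP is the part that matters for syslog-ng: without it the daemon keeps writing to the renamed file through its still-open descriptor, and the new skynet-0.log stays empty until the next restart.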
 
> If I recall, the skynet log gets destructively sed every hour, with everything reduced to one line. Not sure it is necessary to rotate it. Not really necessary to show it in uiScribe either, but user choice.
>
> So what you are proposing is to rotate the log daily, if and only if it exceeds 1 meg in size, keeping 9 prior backups. I think that might cover a year's worth. I don't think it would harm anything, but you should investigate why your log is so large.
I thought the Skynet log was replaced often as well. It is humongous here, compared with some of the others.
Code:
-rw-------    1 user_name root         93442 Oct 19 00:05 logrotate.log
-rw-------    1 user_name root        132484 Oct 19 12:00 messages
-rw-------    1 user_name root         69698 Oct 18 18:16 pixelserv.log
-rw-------    1 user_name root      10470470 Oct 19 12:28 skynet-0.log
-rw-------    1 user_name root         36123 Oct 19 11:19 syslog-ng.log
As I said, I have been out of the network think mode for a few months, and now a couple things have me wading in again. Skynet log is one of the three logs I want to keep tabs on. I did try to exclude it in uiScribe, but still the lag. I guess I need to bite the bullet, shut everything down, remove the log and start over. Not sure why the Skynet-0 log is so large.

I also have the issue with /opt/var/log/messages not showing in the webgui syslog screen without uiScribe. ...shrug... Time to stop wading and jump in deeper.
 
What is in the skynet log? You should only really have stuff like this:
Code:
Oct 18 11:00:12 RT-AC87R Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Cruzer/skynet )
Oct 18 12:00:14 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 181 Inbound -- 6 Outbound Connections Blocked! [save] [14s]
Oct 18 21:00:11 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 2059 Inbound -- 65 Outbound Connections Blocked! [save] [10s]
Oct 18 22:00:15 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 2273 Inbound -- 71 Outbound Connections Blocked! [save] [14s]
Oct 18 23:00:21 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 2469 Inbound -- 77 Outbound Connections Blocked! [save] [20s]
Oct 19 03:00:10 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 3276 Inbound -- 101 Outbound Connections Blocked! [save] [10s]
Oct 19 04:26:30 RT-AC87R Skynet: [#] 137831 IPs (+422) -- 1664 Ranges Banned (+16) || 3561 Inbound -- 107 Outbound Connections Blocked! [banmalware] [90s]
Oct 19 06:00:11 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 3887 Inbound -- 119 Outbound Connections Blocked! [save] [10s]
Oct 19 08:00:15 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 4325 Inbound -- 131 Outbound Connections Blocked! [save] [15s]
Oct 19 09:00:16 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 4502 Inbound -- 137 Outbound Connections Blocked! [save] [15s]
Oct 19 11:00:11 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 4903 Inbound -- 149 Outbound Connections Blocked! [save] [11s]
Oct 19 14:00:13 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 5648 Inbound -- 167 Outbound Connections Blocked! [save] [12s]
Oct 19 15:00:15 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 6061 Inbound -- 173 Outbound Connections Blocked! [save] [15s]
Oct 19 16:00:10 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 6434 Inbound -- 179 Outbound Connections Blocked! [save] [10s]
Oct 19 16:00:13 RT-AC87R kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=81.22.45.76 DST=24.46.139.177 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=43460 PROTO=TCP SPT=58838 DPT=34420 SEQ=2567676929 ACK=0 WINDOW=2484 RES=0x00 SYN URGP=0 MARK=0x84c400c1
Oct 19 16:00:14 RT-AC87R kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=82.77.91.36 DST=24.46.139
With the last lines being wiped out on the hour or so.

Messages not showing sounds to me like a problem with the symlink. Remember, when skynet is pointed to the syslog instead of skynet-0, skynet's destructive sed is destroying the symlink.

Putting those together, I think syslog-ng is properly sifting the skynet messages out into the log file, but skynet itself is not pointed to the log file and remains pointed to syslog, so the symlink is being destroyed and skynet is never rolling up the hourly messages. That's why the log is growing, methinks.
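To see the mechanism behind that theory without touching a router, here is an added shell example (not skynet's or scribe's code) built on a throwaway directory: a real log file plus a symlink to it, standing in for the syslog.log / messages pair discussed earlier in the thread. An in-place sed -i writes a temporary file and renames it over the path it was given, so when that path is a symlink the link is replaced by a regular file and the real target is never edited. Resolving the link first with readlink -f (assumed available, as in GNU coreutils and BusyBox) edits the target and keeps the link intact. The two log lines are constructed samples, and GNU or BusyBox sed is assumed.

```shell
#!/bin/sh
# Added example, not skynet's or scribe's code. Shows why an in-place
# sed through a symlink destroys the link: sed -i writes a temporary
# file and renames it over the path it was given, so a symlink at that
# path becomes a plain file and the real target is never touched.
# Assumes GNU or BusyBox sed and readlink -f.

# Constructed sample layout: a real log file and a symlink to it,
# standing in for the syslog.log / messages pair from the thread.
setup_layout() {
    d=$(mktemp -d)
    printf '%s\n' 'Oct 19 14:00:03 router Skynet: [#] hourly summary line' > "$d/syslog.log"
    printf '%s\n' 'Oct 19 14:00:09 router kernel: [BLOCKED - INBOUND] sample' >> "$d/syslog.log"
    ln -s "$d/syslog.log" "$d/messages"
    echo "$d"
}

# "symlink" if the path is still a link afterwards, "regular" if not.
link_state() {
    if [ -L "$1" ]; then echo symlink; else echo regular; fi
}

# The destructive pattern: sed -i handed the symlink path.
# Prints "<link state> <lines left in the real target>".
edit_via_link() {
    d=$(setup_layout)
    sed -i '/kernel:/d' "$d/messages"
    echo "$(link_state "$d/messages") $(wc -l < "$d/syslog.log" | tr -d ' ')"
    rm -rf "$d"
}

# The safe pattern: resolve the link first, then edit the real file.
# Prints the same "<link state> <lines left in the real target>".
resolved_edit() {
    d=$(setup_layout)
    target=$(readlink -f "$d/messages")
    sed -i '/kernel:/d' "$target"
    echo "$(link_state "$d/messages") $(wc -l < "$d/syslog.log" | tr -d ' ')"
    rm -rf "$d"
}

echo "sed -i through the link  : $(edit_via_link)"   # regular 2
echo "sed -i on resolved target: $(resolved_edit)"   # symlink 1
```

The first line of output is the failure mode from the thread: the link is gone, the path now holds a one-line regular file, and the real log still has both lines, so the "roll-up" never reaches it. On a live system the equivalent check is ls -l on the path: if something that should be a symlink has turned into a regular file, some process has rewritten it in place through the link.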
 
> What is in the skynet log? You should only really have stuff like this:
> Code:
> Oct 18 11:00:12 RT-AC87R Skynet: [%] Startup Initiated... ( skynetloc=/tmp/mnt/Cruzer/skynet )
> Oct 18 12:00:14 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 181 Inbound -- 6 Outbound Connections Blocked! [save] [14s]
> Oct 18 21:00:11 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 2059 Inbound -- 65 Outbound Connections Blocked! [save] [10s]
> Oct 18 22:00:15 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 2273 Inbound -- 71 Outbound Connections Blocked! [save] [14s]
> Oct 18 23:00:21 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 2469 Inbound -- 77 Outbound Connections Blocked! [save] [20s]
> Oct 19 03:00:10 RT-AC87R Skynet: [#] 137409 IPs (+0) -- 1648 Ranges Banned (+0) || 3276 Inbound -- 101 Outbound Connections Blocked! [save] [10s]
> Oct 19 04:26:30 RT-AC87R Skynet: [#] 137831 IPs (+422) -- 1664 Ranges Banned (+16) || 3561 Inbound -- 107 Outbound Connections Blocked! [banmalware] [90s]
> Oct 19 06:00:11 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 3887 Inbound -- 119 Outbound Connections Blocked! [save] [10s]
> Oct 19 08:00:15 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 4325 Inbound -- 131 Outbound Connections Blocked! [save] [15s]
> Oct 19 09:00:16 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 4502 Inbound -- 137 Outbound Connections Blocked! [save] [15s]
> Oct 19 11:00:11 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 4903 Inbound -- 149 Outbound Connections Blocked! [save] [11s]
> Oct 19 14:00:13 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 5648 Inbound -- 167 Outbound Connections Blocked! [save] [12s]
> Oct 19 15:00:15 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 6061 Inbound -- 173 Outbound Connections Blocked! [save] [15s]
> Oct 19 16:00:10 RT-AC87R Skynet: [#] 137831 IPs (+0) -- 1664 Ranges Banned (+0) || 6434 Inbound -- 179 Outbound Connections Blocked! [save] [10s]
> Oct 19 16:00:13 RT-AC87R kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=81.22.45.76 DST=24.46.139.177 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=43460 PROTO=TCP SPT=58838 DPT=34420 SEQ=2567676929 ACK=0 WINDOW=2484 RES=0x00 SYN URGP=0 MARK=0x84c400c1
> Oct 19 16:00:14 RT-AC87R kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=ac:9e:17:97:2b:30:00:76:86:45:44:19:08:00 SRC=82.77.91.36 DST=24.46.139
> With the last lines being wiped out on the hour or so.
>
> Messages not showing sounds to me like a problem with the symlink. Remember, when skynet is pointed to the syslog instead of skynet-0, skynet's destructive sed is destroying the symlink.
>
> Putting those together, I think syslog-ng is properly sifting the skynet messages out into the log file, but skynet itself is not pointed to the log file and remains pointed to syslog, so the symlink is being destroyed and skynet is never rolling up the hourly messages. That's why the log is growing, methinks.
I just stopped Skynet and Scribe, deleted the /opt/var/log/skynet-0.log and restarted both. Now it works fine; I see the messages and skynet-0.log showing in uiScribe with no lag at all. I tested with all logs showing, just for fun, and no lag. Then I disabled most logs for uiScribe.

Your theory sounds likely, with my limited knowledge of how this all works. I'll keep an eye on this along with the other niggles that have me digging into my home network again. So far skynet log shows what I expect.
Code:
Oct 19 13:58:45 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=122.228.19.80 DST=xxx.xx.xxx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=108 ID=59456 PROTO=TCP SPT=28692 DPT=25 SEQ=1020681632 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B4) MARK=0x8000000
Oct 19 13:58:49 RT-AC86U-4608 kernel: [BLOCKED - INVALID] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=151.101.190.109 DST=xxx.xx.xxx.xx LEN=110 TOS=0x00 PREC=0x00 TTL=52 ID=58288 DF PROTO=TCP SPT=443 DPT=49753 SEQ=2540395894 ACK=3885080924 WINDOW=59 RES=0x00 ACK PSH URGP=0 OPT (0101080A0999F80003AAEC43) MARK=0x8000000
Oct 19 13:59:01 RT-AC86U-4608 kernel: [BLOCKED - INVALID] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=151.101.189.63 DST=xxx.xx.xxx.xx LEN=110 TOS=0x00 PREC=0x00 TTL=53 ID=31860 DF PROTO=TCP SPT=443 DPT=49755 SEQ=98331035 ACK=697402345 WINDOW=59 RES=0x00 ACK PSH URGP=0 OPT (0101080A09ADDA0003AB3BBA) MARK=0x8000000
Oct 19 13:59:02 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=89.248.174.215 DST=xxx.xx.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=2739 PROTO=TCP SPT=58332 DPT=8089 SEQ=3435995161 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 19 13:59:03 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=198.108.67.131 DST=xxx.xx.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=35 ID=44787 PROTO=TCP SPT=25280 DPT=11211 SEQ=2046049426 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 19 14:00:03 RT-AC86U-4608 Skynet: [#] 138147 IPs (+0) -- 27181 Ranges Banned (+0) || 46 Inbound -- 6 Outbound Connections Blocked! [save] [3s]
Oct 19 14:00:09 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=198.108.67.133 DST=xxx.xx.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=36 ID=4533 PROTO=TCP SPT=62862 DPT=22 SEQ=4040590674 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 19 14:00:12 RT-AC86U-4608 kernel: [BLOCKED - INVALID] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=71.93.224.158 DST=xxx.xx.xxx.xx LEN=44 TOS=0x00 PREC=0x00 TTL=250 ID=12926 DF PROTO=TCP SPT=8972 DPT=23 SEQ=4255833234 ACK=0 WINDOW=14600 RES=0x00 SYN URGP=0 OPT (020405B4) MARK=0x8000000
Oct 19 14:00:14 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=92.118.37.86 DST=xxx.xx.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=236 ID=4906 PROTO=TCP SPT=55357 DPT=355 SEQ=3185518458 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
Oct 19 14:00:17 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=88:d7:f6:1d:46:08:00:01:5c:6d:22:46:08:00 SRC=185.175.93.101 DST=xxx.xx.xxx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=32551 PROTO=TCP SPT=40653 DPT=5942 SEQ=355425570 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 MARK=0x8000000
The above is from the uiScribe log. I do not see the hourly reports when I cat the /opt/var/log/skynet-0.log, but that is what I like in Loggly: I see only hourly results with the filter I use there. Another view that I like.
Code:
2019-10-19 08:00:03.000 [#] 138147 IPs (+0) -- 27181 Ranges Banned (+0) || 7643 Inbound -- 69 Outbound Connections Blocked! [save] [3s]
2019-10-19 07:00:03.000 [#] 138147 IPs (+0) -- 27181 Ranges Banned (+0) || 7479 Inbound -- 69 Outbound Connections Blocked! [save] [3s]
2019-10-19 06:00:03.000 [#] 138147 IPs (+0) -- 27181 Ranges Banned (+0) || 7302 Inbound -- 69 Outbound Connections Blocked! [save] [3s]
2019-10-19 05:25:40.000 [#] 138147 IPs (+668) -- 27181 Ranges Banned (-4) || 7225 Inbound -- 69 Outbound Connections Blocked! [banmalware] [40s]
2019-10-19 05:00:03.000 [#] 137479 IPs (+0) -- 27185 Ranges Banned (+0) || 7155 Inbound -- 69 Outbound Connections Blocked! [save] [3s]
2019-10-19 04:00:03.000 [#] 137479 IPs (+0) -- 27185 Ranges Banned (+0) || 7007 Inbound -- 69 Outbound Connections Blocked! [save] [3s]
2019-10-19 03:00:03.000 [#] 137479 IPs (+0) -- 27185 Ranges Banned (+0) || 6860 Inbound -- 69 Outbound Connections Blocked! [save] [3s]
 
> If I recall, the skynet log gets destructively sed every hour, with everything reduced to one line. Not sure it is necessary to rotate it. Not really necessary to show it in uiScribe either, but user choice.
>
> So what you are proposing is to rotate the log daily, if and only if it exceeds 1 meg in size, keeping 9 prior backups. I think that might cover a year's worth. I don't think it would harm anything, but you should investigate why your log is so large.
The reason I do nothing with skynet-0.log is because it is indeed cleaned out every hour. It definitely shouldn't be 10GB.
 