Scribe scribe - syslog-ng and logrotate installer

Loggly is working for me. I don't send the skynet or pixelserv messages.

A small mystery I haven't gotten around to is that I'm getting a lot of closed/reopen connections to loggly because of an EOF message. I haven't figured that out, but my sense is it is another one of those things that started when syslog-ng changed versions.
 
Thank you elorimer, that got me digging deeper, it seems recent changes in either Skynet or how Scribe handles Skynet log filter is my issue. Here is what I can see, note lines 3 and 6 of the output when I run.
Code:
usrname@RT-AC86U-4608:/tmp/home/root# syslog-ng -Fevd

Results then the output stops, again note lines 3 and 6
Code:
[2019-12-12T08:16:42.817820] Syslog connection established; fd='14', server='AF_INET(52.33.155.26:514)', local='AF_INET(0.0.0.0:0)'
[2019-12-12T08:17:07.533911] Incoming log entry; line='<4>[BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx SRC=61.24.105.22 DST=xx:xx:xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=28737 PROTO=TCP SPT=26946 DPT=23 SEQ=1197290803 ACK=0 WINDOW=10434 RES=0x00 SYN URGP=0 MARK=0x8000000 '
[2019-12-12T08:17:07.534516] Initializing destination file writer; template='/opt/var/log/skynet-0.log', filename='/opt/var/log/skynet-0.log'
[2019-12-12T08:17:07.534805] Outgoing message; message='Dec 12 08:17:07 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx SRC=61.24.105.22 DST=xx:xx:xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=28737 PROTO=TCP SPT=26946 DPT=23 SEQ=1197290803 ACK=0 WINDOW=10434 RES=0x00 SYN URGP=0 MARK=0x8000000 \x0a'
[2019-12-12T08:17:07.534887] Outgoing message; message='<4>1 2019-12-12T08:17:07-08:00 RT-AC86U-4608 kernel   [[redacted] tag="BB-AC86u" ] [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx SRC=61.24.105.22 DST=xx:xx:xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=28737 PROTO=TCP SPT=26946 DPT=23 SEQ=1197290803 ACK=0 WINDOW=10434 RES=0x00 SYN URGP=0 MARK=0x8000000 \x0a'
[2019-12-12T08:17:09.543791] Destination timed out, reaping; template='/opt/var/log/skynet-0.log', filename='/opt/var/log/skynet-0.log'
 
I don't see anything of note in lines 3 and 6. Running syslog-ng with those switches means you are getting verbose debug messages about how syslog-ng is processing messages, in the foreground. So in line 2 you see syslog-ng getting a message it recognizes as going to skynet-0.log; in line 3 you see syslog-ng opening the destination file to write that message; in line 4 it writes the message; in line 5 it sends it to loggly, and in line six, two seconds after it opened the destination file, it hits the time-reap(2) mark and closes the file.
 
Ok, but at that point nothing gets sent to Loggly after that. The verbose logging that the syslog-ng switches show just hangs at the end of line 6. I've left it in the terminal for over 30 minutes with no more output. In the past that would keep showing each line sent, like using "tail -F /opt/var/log/skynet-0.log" in a terminal.
 
Ah, I see your question. Forgive me for not tumbling to it sooner and why my post triggered it. I'm not in a position to repeat your steps for a week or two to see what my -Fevd might kick off. The only thing I can suggest at the moment is for you to go over your loggly configuration against this: https://www.loggly.com/docs/syslog-ng-manual-configuration/ My loggly configuration for my 87U and 56U is based exactly on this.

But perhaps something in your loggly config is hanging syslog-ng, while something in my config is erroring out and going on its merry own way. My loggly configuration file is titled 0loggly, so it is the first to act on a message, and doesn't have the final() flag.

Oh, and this: diversion standard+ seems to block the loggly destination, so I have to whitelist it.
 
This section does not exist in my 0loggly file, directly below the comment line.
### Syslog-ng Logging Directives for Loggly.com ###
Code:
source s_loggly {
    system();    # Check which OS & collect system logs
    internal();    # Collect syslog-ng logs
};

And there is a difference here, that I thought I remember needing when first set up.
Loggly template from your link

Code:
log {
    source(s_loggly);
    destination(d_loggly);
};
What I have
Code:
log {
    source(src);
    destination(d_loggly);
};

I double checked and the loggly domain is whitelisted in Diversion.

Still stumped...
 
So, I did manage to winkle in to one of my routers, and -Fevd produced the same as you. My messages still seem to end up in loggly.

The changes in your config above I think are exactly consistent with scribe.

So, yes, both of us be stumped. Only for the moment, of course.
 
It looks like it might be Loggly with the incidents on Dec. 11 & 12 (shrug).
https://status.loggly.com/
 
Question: for those who have removed time_reap(2), have you had any issues with removing it?
 
Not that I have seen. I have gone back and forth with and without it half a dozen times; all work.
 
No, not with the updated skynet script.
 
issue with WLCEVENTD filter
they are getting placed in regular system messages instead of getting logged by the filter option provided through scribe.

Code:
syslog: WLCEVENTD wlceventd_proc_event(420): eth1:
 
My guess is that you have not updated the filter files. I know that cmkelley updated it based on feedback with the Merlin beta 384.14 working with him and kernol to test. Use the "uf" menu option in Scribe to see what is new, very nice ability to see what is new and accept or reject the updates!
 
I did option uf today before I started seeing the logs appearing in syslog instead of the appropriate filter. They didn't start appearing until after.

Here is what the updated filter says
Code:
# put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log

destination d_wlceventd {
    file("/opt/var/log/wlceventd.log");
};

filter f_wlceventd {
    ( program("WLCEVENTD") or
    program ("wlceventd") ) and
    ( message("ssoc") or
    message("uth") );
};

log {
    source(src);
    filter(f_wlceventd);
    destination(d_wlceventd);
    flags(final);
};

#eof
 
Hmmm, odd, that matches mine exactly. Paste a few lines from the ones going to messages and let's see if we can see why.
 
Before the update, the wlceventd filter used to be:
Code:
# put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log

destination d_wlceventd {
    file("/opt/var/log/wlceventd.log");
};

filter f_wlceventd {
    program("WLCEVENTD") and
    message("ssoc");
};

log {
    source(src);
    filter(f_wlceventd);
    destination(d_wlceventd);
    flags(final);
};

#eof
So, the log you found ...
Code:
syslog: WLCEVENTD wlceventd_proc_event(420): eth1:
... wouldn't have been caught by either the previous or the current filter. I searched my logs for the past 2 months and I don't have any entries like the one you posted in either messages or wlceventd.log.

Actually, that's not a syslog-ng format log now that I look at it, syslog-ng puts the pid in square brackets '[420]' not '(420)', and precedes it with the date, time, and hostname. What log file is that message in and can you paste the entire line (X out your hostname for security) if that isn't the entire line?
 
Here is a decent sample of some of the messages I have in my logs....

I have stumbled on the same problem.
I just don't feel like redacting the sum of it so I gave you a decent-size sample.
Code:
Dec 14 02:54:45  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 02:54:45 syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:54:54 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:54:54 syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:01 syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 02:55:01 syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 02:55:02 syslog: WLCEVENTD wlceventd_proc_event(420): eth2: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)


Edit:: here is some more
Code:
Dec 14 02:55:02  syslog: WLCEVENTD wlceventd_proc_event(449): eth2: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:17  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:17  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:48  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Dec 14 02:55:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:55:49  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:49  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:58:46  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Dec 14 02:58:46  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:58:47  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:58:47  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:00:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:00:51  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:00:51  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:00:51  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:01:48  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:01:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:01:55  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:01:55  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:01:55  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:02:30  syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:02:30  syslog: WLCEVENTD wlceventd_proc_event(401): eth2: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:02:48  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:02:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:02:54  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:02:54  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:03:00  syslog: WLCEVENTD wlceventd_proc_event(420): eth2: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:03:00  syslog: WLCEVENTD wlceventd_proc_event(449): eth2: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
 
Quick hack - try modifying the filter:
Code:
filter f_wlceventd {
    ( program("WLCEVENTD") or
    program ("wlceventd") ) and
    ( message("ssoc") or
    message("uth") ) or
    message("wlceventd");
};
 
Quite interesting. Something is getting between the logging facility and syslog-ng as near as I can tell. It appears to be saying the program is "syslog" and everything after "syslog:" is the message. I see you're running Aimesh ... can you tell if those messages are coming from one of your mesh nodes and being pushed to the main router?

Just to verify, did you redact your router hostname from between the date and "syslog:" or was it not there?

Would you (both you and @SomeWhereOverTheRainBow ) either post or PM me the output of:
Code:
ps | grep log
Or, PM me the debug file from the scribe menu su, then d.
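
The program/message mismatch discussed above, as an added example that is not part of any post and is not Scribe's or syslog-ng's own code: a small Python model of how the previous filter, the updated filter and the quick hack treat the posted lines. Assumptions: the simplified line parser, `and` binding tighter than `or` in the hack, the placeholder hostname `router`, the constructed sample lines, and the hypothetical `narrow` variant.

```python
import re

# "Mon DD HH:MM:SS [host] program[pid]: message"; host and [pid] are optional.
# Simplified BSD-syslog parser for this example, not syslog-ng's real parser.
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s+"
    r"(?:(?P<host>[^\s:\[\]]+)\s+)?"
    r"(?P<program>[^\s:\[\]]+)(?:\[\d+\])?:\s"
    r"(?P<message>.*)$"
)


def parse(line):
    """Split one log line into the fields the filters look at."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("unparsable line: %r" % line)
    return {"host": m.group("host") or "",
            "program": m.group("program"),
            "message": m.group("message")}


# Stand-ins for syslog-ng's program() and message(): an unanchored,
# case-sensitive regex search on a single field.
def program(pattern):
    return lambda msg: re.search(pattern, msg["program"]) is not None


def message(pattern):
    return lambda msg: re.search(pattern, msg["message"]) is not None


def all_of(*tests):
    return lambda msg: all(t(msg) for t in tests)


def any_of(*tests):
    return lambda msg: any(t(msg) for t in tests)


UPDATED = all_of(any_of(program("WLCEVENTD"), program("wlceventd")),
                 any_of(message("ssoc"), message("uth")))

FILTERS = {
    # filter before the update: program("WLCEVENTD") and message("ssoc")
    "previous": all_of(program("WLCEVENTD"), message("ssoc")),
    # filter after the "uf" update
    "updated": UPDATED,
    # quick hack from the thread, read as (updated) or message("wlceventd")
    "hack": any_of(UPDATED, message("wlceventd")),
    # hypothetical narrower variant: only the mis-tagged "syslog" lines
    "narrow": any_of(UPDATED, all_of(program("^syslog$"),
                                     message("^WLCEVENTD "))),
}

SAMPLES = [
    # two lines copied from the thread (no hostname, program is "syslog")
    "Dec 14 02:54:54 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: "
    "Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)",
    "Dec 14 02:54:45  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: "
    "Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because "
    "sending station is leaving (or has left) BSS (8)",
    # constructed lines below; hostname "router" is a placeholder
    "Dec 14 02:54:54 router WLCEVENTD: eth1: Assoc XX:XX:XX:XX:XX:XX, "
    "status: 0, reason: d11 RC reserved (0)",
    "Dec 14 02:54:54 router wlceventd: wlceventd_proc_event(420): eth1: "
    "Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)",
    "Dec 14 02:56:00 router custom_script: restarting wlceventd watchdog",
    "Dec 14 02:55:00 router crond[321]: USER root pid 999 cmd /bin/true",
]


def routing_table(lines=SAMPLES):
    """For each filter, which lines would go to wlceventd.log."""
    parsed = [parse(line) for line in lines]
    return {name: [flt(p) for p in parsed] for name, flt in FILTERS.items()}


if __name__ == "__main__":
    table = routing_table()
    for i, line in enumerate(SAMPLES):
        hits = [name for name in FILTERS if table[name][i]]
        print("%-40.40s -> %s" % (line, ", ".join(hits) or "messages"))
```

The two thread lines parse with program `syslog`, so neither the previous nor the updated filter routes them, while the hack also catches the constructed `custom_script` line because it matches on message text alone.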
 
