What's new

Scribe scribe - syslog-ng and logrotate installer

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Loggly is working for me. I don't send the skynet or pixelserv messages.

A small mystery I havent' gotten around to is that I'm getting a lot of closed /reopen connections to loggly because of an EOF message. I haven't figured that out, but my sense it is another one of those things that started when syslog-ng changed versions.
 
Loggly is working for me. I don't send the skynet or pixelserv messages.

A small mystery I havent' gotten around to is that I'm getting a lot of closed /reopen connections to loggly because of an EOF message. I haven't figured that out, but my sense it is another one of those things that started when syslog-ng changed versions.
Thank you elorimer, that got me digging deeper, it seems recent changes in either Skynet or how Scribe handles Skynet log filter is my issue. Here is what I can see, note lines 3 and 6 of the output when I run.
Code:
usrname@RT-AC86U-4608:/tmp/home/root# syslog-ng -Fevd

Results then the output stops, again note lines 3 and 6
Code:
[2019-12-12T08:16:42.817820] Syslog connection established; fd='14', server='AF_INET(52.33.155.26:514)', local='AF_INET(0.0.0.0:0)'
[2019-12-12T08:17:07.533911] Incoming log entry; line='<4>[BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx SRC=61.24.105.22 DST=xx:xx:xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=28737 PROTO=TCP SPT=26946 DPT=23 SEQ=1197290803 ACK=0 WINDOW=10434 RES=0x00 SYN URGP=0 MARK=0x8000000 '
[2019-12-12T08:17:07.534516] Initializing destination file writer; template='/opt/var/log/skynet-0.log', filename='/opt/var/log/skynet-0.log'
[2019-12-12T08:17:07.534805] Outgoing message; message='Dec 12 08:17:07 RT-AC86U-4608 kernel: [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx SRC=61.24.105.22 DST=xx:xx:xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=28737 PROTO=TCP SPT=26946 DPT=23 SEQ=1197290803 ACK=0 WINDOW=10434 RES=0x00 SYN URGP=0 MARK=0x8000000 \x0a'
[2019-12-12T08:17:07.534887] Outgoing message; message='<4>1 2019-12-12T08:17:07-08:00 RT-AC86U-4608 kernel   [[redacted] tag="BB-AC86u" ] [BLOCKED - INBOUND] IN=eth0 OUT= MAC=xx:xx:xx SRC=61.24.105.22 DST=xx:xx:xx LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=28737 PROTO=TCP SPT=26946 DPT=23 SEQ=1197290803 ACK=0 WINDOW=10434 RES=0x00 SYN URGP=0 MARK=0x8000000 \x0a'
[2019-12-12T08:17:09.543791] Destination timed out, reaping; template='/opt/var/log/skynet-0.log', filename='/opt/var/log/skynet-0.log'
 
Last edited:
I don't see anything of note in lines 3 and 6. Running syslog-ng with those switches means you are getting verbose debug messages about how syslog-ng is processing messages, in the foreground. So in line 2 you see syslog-ng getting a message it recognizes as going to skylog-0.log; in line 3 you see syslog-ng opening the destination file to write that message; in line 4 it writes the message; in line 5 it sends it to loggly, and in line six, two seconds after it opened the destination file, it hits the time-reap(2) mark and closes the file.
 
I don't see anything of note in lines 3 and 6. Running syslog-ng with those switches means you are getting verbose debug messages about how syslog-ng is processing messages, in the foreground. So in line 2 you see syslog-ng getting a message it recognizes as going to skylog-0.log; in line 3 you see syslog-ng opening the destination file to write that message; in line 4 it writes the message; in line 5 it sends it to loggly, and in line six, two seconds after it opened the destination file, it hits the time-reap(2) mark and closes the file.
Ok, but at that point nothing gets sent to Loggly after that. The verbose logging that the syslog-ng switches shows just hangs at the end of line 6. I've left it in the terminal for over 30 minutes with no more output. In the past that would keep showing each line sent, like using "tail -F /opt/var/log/skynet-0.log" in a terminal.
 
Ok, but at that point nothing gets sent to Loggly after that. The verbose logging that the syslog-ng switches shows just hangs at the end of line 6. I've left it in the terminal for over 30 minutes with no more output. In the past that would keep showing each line sent, like using "tail -F /opt/var/log/skynet-0.log" in a terminal.
Ah, I see you question. Forgive me for not tumbling to it sooner and why my post triggered it. I'm not in a position to repeat your steps for a week or two to see what my -Fevd might kick off. The only thing I can suggest at the moment is for you to go over your loggly configuration against this: https://www.loggly.com/docs/syslog-ng-manual-configuration/ My loggly configuration for my 87U and 56U is based exactly on this.

But perhaps something in your loggly config is hanging syslog-ng, while something in my config is erroring out and going on its merry own way. My loggly configuration file is titled 0loggly, so it is the first to act on a message, and doesn't have the final() flag.

Oh, and this: diversion standard+ seems to block the loggly destination, so I have to whitelist it.
 
Ah, I see you question. Forgive me for not tumbling to it sooner and why my post triggered it. I'm not in a position to repeat your steps for a week or two to see what my -Fevd might kick off. The only thing I can suggest at the moment is for you to go over your loggly configuration against this: https://www.loggly.com/docs/syslog-ng-manual-configuration/ My loggly configuration for my 87U and 56U is based exactly on this.

But perhaps something in your loggly config is hanging syslog-ng, while something in my config is erroring out and going on its merry own way. My loggly configuration file is titled 0loggly, so it is the first to act on a message, and doesn't have the final() flag.

Oh, and this: diversion standard+ seems to block the loggly destination, so I have to whitelist it.
This section does not exist in my 0loggly file, directly below the comment line.
### Syslog-ng Logging Directives for Loggly.com ###
Code:
source s_loggly {
    system();    # Check which OS & collect system logs
    internal();    # Collect syslog-ng logs
};

And there is a difference here, that I thought I remember needing when first set up.
Loggly template form your link

Code:
log {
    source(s_loggly);
    destination(d_loggly);
What I have
Code:
log {
    source(src);
    destination(d_loggly);

I double checked and the loggly domain is whitelisted in Diversion.

Still stumped...
 
So, I did manage to winkle in to one of my routers, and -Fevd produced the same as you. My messages still seem to end up in loggly.

The changes in your config above I think are exactly consistent with scribe.

So, yes, both of us be stumped. Only for the moment, of course.
 
So, I did manage to winkle in to one of my routers, and -Fevd produced the same as you. My messages still seem to end up in loggly.

The changes in your config above I think are exactly consistent with scribe.

So, yes, both of us be stumped. Only for the moment, of course.
It looks like it might be Loogly with the incidents on Dec. 11 & 12 (shrug).
https://status.loggly.com/
 
Question: for those who have removed time_reap(2), have you had any issues with removing it?
 
Question: for those who have removed time_reap(2), have you had any issues with removing it?
Not that I have seen. I have gone back and forth with and without half dozen times, all work.
 
Question: for those who have removed time_reap(2), have you had any issues with removing it?
No, not with the updated skynet script.
 
issue with WLCEVENTD filter
they are getting placed in regular system messages instead of getting logged by the filter option provided through scribe.

Code:
syslog: WLCEVENTD wlceventd_proc_event(420): eth1:
 
issue with WLCEVENTD filter
they are getting placed in regular system messages instead of getting logged by the filter option provided through scribe.

Code:
syslog: WLCEVENTD wlceventd_proc_event(420): eth1:
My guess is that you have not update the filter files. I know that cmkelley updated it based on feedback with the Merlin beta 384.14 working with him and kernol to test. Use the "uf" menu option in Scribe to see what is new, very nice ability to see what is new and accept or reject the updates!
 
My guess is that you have not update the filter files. I know that cmkelley updated it based on feedback with the Merlin beta 384.14 working with him and kernol to test. Use the "uf" menu option in Scribe to see what is new, very nice ability to see what is new and accept or reject the updates!
I did option uf today before i started seeing the logs appearing in syslog instead of the appropriate filter. they didnt start appearing until after.

here is what the updated filter says
Code:
 put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log

destination d_wlceventd {
    file("/opt/var/log/wlceventd.log");
};

filter f_wlceventd {
    ( program("WLCEVENTD") or
    program ("wlceventd") ) and
    ( message("ssoc") or
    message("uth") );
};

log {
    source(src);
    filter(f_wlceventd);
    destination(d_wlceventd);
    flags(final);
};

#eof
 
I did option uf today before i started seeing the logs appearing in syslog instead of the appropriate filter. they didnt start appearing until after.

here is what the updated filter says
Code:
 put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log

destination d_wlceventd {
    file("/opt/var/log/wlceventd.log");
};

filter f_wlceventd {
    ( program("WLCEVENTD") or
    program ("wlceventd") ) and
    ( message("ssoc") or
    message("uth") );
};

log {
    source(src);
    filter(f_wlceventd);
    destination(d_wlceventd);
    flags(final);
};

#eof
Hmmm, odd, that matches mine exactly. Paste a few lines from the ones going to messages and lets see if we can see why.
 
I did option uf today before i started seeing the logs appearing in syslog instead of the appropriate filter. they didnt start appearing until after.

here is what the updated filter says
Code:
 put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log

destination d_wlceventd {
    file("/opt/var/log/wlceventd.log");
};

filter f_wlceventd {
    ( program("WLCEVENTD") or
    program ("wlceventd") ) and
    ( message("ssoc") or
    message("uth") );
};

log {
    source(src);
    filter(f_wlceventd);
    destination(d_wlceventd);
    flags(final);
};

#eof
Before the update, the wlceventd filter used to be:
Code:
# put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log

destination d_wlceventd {
    file("/opt/var/log/wlceventd.log");
};

filter f_wlceventd {
    program("WLCEVENTD") and
    message("ssoc");
};

log {
    source(src);
    filter(f_wlceventd);
    destination(d_wlceventd);
    flags(final);
};

#eof
So, the log you found ...
Code:
syslog: WLCEVENTD wlceventd_proc_event(420): eth1:
... wouldn't have been caught by either the previous or the current filter. I searched my logs for the past 2 months and I don't have any entries like they one you posted in either messages or wlceventd.log.

Actually, that's not a syslog-ng format log now that I look at it, syslog-ng puts the pid in square brackets '[420]' not '(420)', and precedes it with the date, time, and hostname. What log file is that message in and can you paste the entire line (X out your hostname for security) if that isn't the entire line?
 
Before the update, the wlceventd filter used to be:
Code:
# put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log

destination d_wlceventd {
    file("/opt/var/log/wlceventd.log");
};

filter f_wlceventd {
    program("WLCEVENTD") and
    message("ssoc");
};

log {
    source(src);
    filter(f_wlceventd);
    destination(d_wlceventd);
    flags(final);
};

#eof
So, the log you found ...
Code:
syslog: WLCEVENTD wlceventd_proc_event(420): eth1:
... wouldn't have been caught by either the previous or the current filter. I searched my logs for the past 2 months and I don't have any entries like they one you posted in either messages or wlceventd.log.

Actually, that's not a syslog-ng format log now that I look at it, syslog-ng puts the pid in square brackets '[420]' not '(420)', and precedes it with the date, time, and hostname. What log file is that message in and can you paste the entire line (X out your hostname for security) if that isn't the entire line?
Here is a decent sample of some of the messages I have in my logs....

I have stumbled on same problem.
I just don't feel like redacting the sum of it so i gave you a decent size sample.
Code:
Dec 14 02:54:45  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 02:54:45 syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:54:54 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:54:54 syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:01 syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 02:55:01 syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 02:55:02 syslog: WLCEVENTD wlceventd_proc_event(420): eth2: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)


Edit:: here is some more
Code:
Dec 14 02:55:02  syslog: WLCEVENTD wlceventd_proc_event(449): eth2: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:17  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:17  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:48  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Dec 14 02:55:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:55:49  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:49  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:58:46  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Dec 14 02:58:46  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:58:47  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:58:47  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:00:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:00:51  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:00:51  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:00:51  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:01:48  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:01:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:01:55  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:01:55  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:01:55  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:02:30  syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:02:30  syslog: WLCEVENTD wlceventd_proc_event(401): eth2: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:02:48  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:02:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:02:54  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:02:54  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:03:00  syslog: WLCEVENTD wlceventd_proc_event(420): eth2: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:03:00  syslog: WLCEVENTD wlceventd_proc_event(449): eth2: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
 
Last edited:
Here is a decent sample of some of the messages I have in my logs....

I have stumbled on same problem.
I just don't feel like redacting the sum of it so i gave you a decent size sample.
Code:
Dec 14 02:54:45  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 02:54:45 syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:54:54 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:54:54 syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:01 syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 02:55:01 syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 02:55:02 syslog: WLCEVENTD wlceventd_proc_event(420): eth2: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)


Edit:: here is some more
Code:
Dec 14 02:55:02  syslog: WLCEVENTD wlceventd_proc_event(449): eth2: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:17  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:17  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:26  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:48  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Dec 14 02:55:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:55:49  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:49  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:58:46  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
Dec 14 02:58:46  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:58:47  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:58:47  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:00:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:00:51  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:00:51  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:00:51  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:01:48  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:01:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:01:55  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:01:55  syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:01:55  syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:02:30  syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:02:30  syslog: WLCEVENTD wlceventd_proc_event(401): eth2: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:02:48  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:02:48  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:02:54  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 03:02:54  syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:02:59  syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 03:03:00  syslog: WLCEVENTD wlceventd_proc_event(420): eth2: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 03:03:00  syslog: WLCEVENTD wlceventd_proc_event(449): eth2: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Quick hack - try modifying the filter:
Code:
filter f_wlceventd {
    ( program("WLCEVENTD") or
    program ("wlceventd") ) and
    ( message("ssoc") or
    message("uth") ) or
    message("wlceventd");
};
 
Here is a decent sample of some of the messages I have in my logs....

I have stumbled on same problem.
I just don't feel like redacting the sum of it so i gave you a decent size sample.
Code:
Dec 14 02:54:45  syslog: WLCEVENTD wlceventd_proc_event(386): eth1: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated due to inactivity (4)
Dec 14 02:54:45 syslog: WLCEVENTD wlceventd_proc_event(401): eth1: Disassoc XX:XX:XX:XX:XX:XX, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)
Dec 14 02:54:54 syslog: WLCEVENTD wlceventd_proc_event(420): eth1: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:54:54 syslog: WLCEVENTD wlceventd_proc_event(449): eth1: Assoc XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Dec 14 02:55:01 syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 02:55:01 syslog: WLCEVENTD wlceventd_proc_event(386): eth2: Deauth_ind XX:XX:XX:XX:XX:XX, status: 0, reason: Class 3 frame received from nonassociated station (7)
Dec 14 02:55:02 syslog: WLCEVENTD wlceventd_proc_event(420): eth2: Auth XX:XX:XX:XX:XX:XX, status: 0, reason: d11 RC reserved (0)
Quite interesting. Something is getting between the logging facility and syslog-ng as near as I can tell. It appears to be saying the program is "syslog" and everything after "syslog:" is the message. I see you're running Aimesh ... can you tell if those messages coming from one of your mesh nodes and being pushed to the main router?

Just to verify, did you redact your router hostname from between the date and "syslog:" or was it not there?

Would you (both you and @SomeWhereOverTheRainBow ) either post or PM me the output of:
Code:
ps | grep log
Or, PM me the debug file from the scribe menu su, then d.
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top