Scribe scribe - syslog-ng and logrotate installer

[SomeWhereOverTheRainBow]

syslog-ng not working is a symptom of a much larger problem. The first problem to tackle is ensuring your clock is set correctly.

good ol'ntp

 

[cmkelley]

good ol'ntp

Meh, ntp is pretty reliable, if anything it's a great canary for other network problems. Now, granted I live in a very large metro area where there are plentiful servers with low ping latency. IMHO, running an ntp server on a machine without a battery-backed clock (or a means of getting time independent of the network) is madness.

 

[Centrifuge]

Just use "scribe status" at the command line or the "s" option on the scribe menu

Just noticed my logs stopped updating, since 4-10, when I did the big messy Entware update. Guess I should have been subscribed to this thread, but came to the same solution purely by accident. Glad our scripters give us their robust work, thanks for saving my bacon again.

 

[Torson]

I just installed Scribe and uiScribe on an AC86U a few days ago. What works, works well.
My questions are with regards to a couple of event logs that do not get generated. I copied 'ioctl', 'crash' and 'jffs' from the respective 'examples' directories to the *.d directories as described in the README.1ST. I also made sure that they are writable by the user only (chmod 0600.)

The result is that 'ioctl' log works the other 2 mentioned above do not show up in /opt/var/log/ and the web UI is empty for those. However, the entries do not show anymore in the system messages log. Also, Scribe status shows all checks in green.

Could you please provide some pointers to solve this?

 

[elorimer]

The result is that 'ioctl' log works the other 2 mentioned above do not show up in /opt/var/log/ and the web UI is empty for those.

I think syslog-ng doesn't create the file until it has a message to send to the file.

I only get two jffs messages at boot time. Hardly worth the sifting. In the standard setup, most of the start up sequence doesn't go through syslog-ng in the first place and is appended directly to messages.

I have a crash log on my 86U, though.

 

[Butterfly Bones]

I think syslog-ng doesn't create the file until it has a message to send to the file.

That is my experience as well.

 

[Torson]

@elorimer - I forgot to mention that I did reboot the router at some point after installing Scribe and copying those files. Still no logs.

As I mentioned, the crashes are not logged anymore to the system log, but there is no crash log either.
@Butterfly Bones - ok, thank you both. I'll wait and see.

 

[cmkelley]

I think syslog-ng doesn't create the file until it has a message to send to the file.

Correct

I only get two jffs messages at boot time. Hardly worth the sifting. In the standard setup, most of the start up sequence doesn't go through syslog-ng in the first place and is appended directly to messages.

I have a crash log on my 86U, though.

Yes, my jffs log is usually empty as well. But I've had problems in the past with a certain file filling up the jffs (I can't remember which one it was, it's a firmware-created file and I've seen others occasionally have the same issue). So it's nice to check every now and then.

@Torson, an 86U with an empty crash log? What is this sorcery!!

 

[Torson]

@cmkelley - that's what I'm trying to figure out - sorcery may indeed be the answer - we're living uncertain times . However, running TrendMicro software is far from that; quite predictable. Those crash entries were there since I started using the AC86U. After installing Scribe and copying the 'crash' files to the right places the entries are gone.

What I believe, is that they still exist somewhere, I just can't figure out where, since they're nowhere to be found.

 

[elorimer]

@Torson, an 86U with an empty crash log? What is this sorcery!!

Yes indeed. My 86U on .16 posts to the crash.log every 15 minutes or so.

What does your crash file in /syslog-ng.d look like?

 

[Torson]

@elorimer - that's it:

# log dcd crash dump to /opt/var/log/crash.log only

destination d_crash {
    file("/opt/var/log/crash.log");
};

filter f_crash {
    message("dcd") or
    message("v8A") or
    message("pgd = ") or
    message("\\[00000000\\]") or
    message("task: ") or
    message("PC is at") or
    message("LR is at") or
    message("pc :") or
    message("sp :") or
    message("x12:") or
    message("x11:") or
    message("x9 :") or
    message("x7 :") or
    message("x5 :") or
    message("x3 :") or
    message("x1 :");
};

log {
    source(src);
    filter(f_crash);
    destination(d_crash);
    flags(final);
};

#eof

 

[cmkelley]

@cmkelley - that's what I'm trying to figure out - sorcery may indeed be the answer - we're living uncertain times . However, running TrendMicro software is far from that; quite predictable. Those crash entries were there since I started using the AC86U. After installing Scribe and copying the 'crash' files to the right places the entries are gone.

What I believe, is that they still exist somewhere, I just can't figure out where, since they're nowhere to be found.

If you want you can send me a debug file ("d" in "su" sub-menu, although you can use "d" from the main menu as well) via PM but I'm crazy overloaded right now (I'm an "essential" employee) so I can only give it a once-over.

 

[Torson]

@cmkelley - I thank you and appreciate your offer to take a look at the debug file.
Smile... Last week I installed Scribe in an attempt to spreading out those spurious log messages across some width. That was after for unknown reasons and out of the blue my reliable AC86U decided to reboot itself and I could not make sense of it. So, I uninstalled some scripts, removed some GUI options... and, yes among those was AiProtection...
Needless to say that after re-enabling AiProtection the crash log came to life fast and wild. End of story. Thank you!

 

[XIII]

Just noticted that my NextDNS log file is empty since April 12.

I think I had manually created a config file with "nextdns" as program string, but it got updated about a week ago to a new included config file with program string "NextDNS"?

Should I change it to "nextdns" again?

 

[elorimer]

Should I change it to "nextdns" again?

If the messages are not going to a separate log, then they should end up in messages. Look in messages for the style, as the filter is case sensitive unless you include the flag "flags(ignore-case)"

 

[XIII]

As an experiment I already changed it to lower case.

My separate NextDNS is no longer empty...

 

[cmkelley]

Just noticted that my NextDNS log file is empty since April 12.

I think I had manually created a config file with "nextdns" as program string, but it got updated about a week ago to a new included config file with program string "NextDNS"?

Should I change it to "nextdns" again?

If you're saying the filter file in /opt/etc/syslog-ng.d/ changed, scribe doesn't include any filters for nextdns, so something else changed your filter.

If you're talking about the config file for nextdns, I would suggest either using the ignore-case flag as @elorimer suggested, or change your syslog-ng filter to match the case in the nextdns config file, as I'd guess something in nextdns is changing it and will change it again in the future. I don't use nextdns, so I can only guess about its operation.

 

[XIII]

Unfortunately I can't remember the exact details, but I thought it happened when I executed the "uf" (update filters) option of Scribe.

I'm quite sure I even got to see a delta with the option to choose the update (which I did), so I thought you included NextDNS in Scribe.

Since you din't, I'm kind of curious what has happened instead...

 

[XIII]

In fact:

 Update available for /opt/etc/syslog-ng.d/nextdns.
    (a)ccept, (r)eject, or (v)iew diff for this file?

Oh, I guess I made the mistake myself long ago in /opt/share/syslog-ng/examples/nextdns:

filter f_nextdns {
    program("NextDNS");
};

 

[andrew2018]

Hi all, really liking this tool, thanks to the developer! I added one line to /opt/etc/syslog-ng.d/openvpn to catch the 'openvpn-event' entries, would it be possible to add to the example file in future? Thanks.