Scribe scribe - syslog-ng and logrotate installer

I think that code segment is missing another set of ( ) around the first "program" and the "uth" message. To get it to work on my RT AC5300 (no AiMesh) I had to use:
Code:
filter f_wlceventd {
    ( ( program("WLCEVENTD") or
    program("wlceventd") ) and
    ( message("ssoc") or
    message("uth") ) ) or
    ( program("syslog") and
    message("wlceventd") );
};
I guess that's what I get for not looking at my logs very often. You are correct, thanks.
 
I just tried to install scribe (via amtm) on my RT-AC86U, and said "yes" when prompted to install uiScribe. After the installation process, I'm back at the initial amtm screen, which includes both scribe and uiScribe, but the text at the bottom mentions a failure:



I've attached a copy of everything in PuTTY, from when I started to install scribe.


My thoughts:
1) Nothing appears to stand out as having failed, so maybe there is something wrong with the return codes or any post installation checks
2) If something has actually gone wrong, there is a distinct lack of information being displayed, because all I have are the words "scribe installation failed"
3) Leaning towards it just being an issue with the return/checks, because it's too "clean" to have been an unhandled error
4) And that it's just a minor bug, because if it was a handled exception, there would be far more information available


I'm just going by my technical experience and don't actually know for certain. I've currently left PuTTY at the "Enter option" (see last line of the attached scribe.txt) and will hold off on making any changes to router settings, in case anyone wants me to share logs or do any checks (which haven't been muddied by other actions) :)


/Edit: After this installation, the WebUI's System Log page has more content/options than it did previously. As far as I can tell, everything seems to be working as expected.
The scribe log says scribe installed successfully, so that should be okay. @Jack Yaz this looks like an unexpected interaction between uiScribe and amtm? I'm up to my eyeballs in alligators for a while so I really don't have the bandwidth to test.
 
Perhaps it has something to do with the thumb drive not having a label?
 
Is that in relation to my post?

If so, I'm happy to uninstall scribe + uiScribe, labelling the USB and attempting the install again :)
It's something @thelonelycoder strongly suggests, and the output you posted didn't show a label.
Diversion - the Router Ad-Blocker
While Diversion and with it Entware happily works with no label set to the USB-device, other apps that don’t use the /opt/ path may not. In fact they usually fail unless they have a built in correction such as the swap file entry and Skynet.
 
I'm not that familiar with most of this and am trying to get my head around it all. Apologies in advance if what I say/ask is stupid.

  • Are you guys just using Diversion as an example? You both mentioned it, but I don't actually have it installed.
  • I have the following installed: scribe, nsrum, connmon, ntpMerlin, scMerlin, spdMerlin, uiScribe, Entware and 2GB swap file.
  • The only error/issue I've seen is the "scribe installation failed" message when installing scribe, so do you guys think that it happened because a label wasn't set?
  • Just to reiterate, the installation itself didn't fail (at least I don't think it did since everything seems to be working fine)... it was just the console message that was incorrect.
  • Is setting a label something which is considered to be best practise, or is it being recommended as a potential workaround to issues that are elsewhere?

In this particular scenario, the installation was successful, but the script stated that it failed. If not having set a label was an issue, you would expect the installation to fail. Seems like something is incorrectly returning a failure, there is an issue with the installation success/failure checks, or something has actually failed. However you look at this, and even after considering other possibilities, there is still something wrong in the installation script.

I have no idea what the issue could be (at the end of the day it is effectively a cosmetic thing, so quite trivial) nor do I know how to even start trying to figure it out. More than happy to help with any testing etc though :)
If you installed Entware through amtm, then you're fine, no need to set a device label. amtm uses the same fail proof method as Diversion to load the Entware file structure.
And since scribe installs into Entware, there's no chance this could be path related due to a missing device label.
 
This bit looks like the only statement that comes near to an error:
Code:
Added missing swap file entry to
/jffs/scripts/post-mount
It's an automatic path correction built into the amtm swap file code.
Since I cannot change the logic of that code because of reasons, an elaborate check is built in for a swap file or swap partition to change the path should the path to the USB-device change.
In that case, it would be better to have a label set, as mentioned in the earlier post of mine.
 
Just to reiterate, the installation itself didn't fail (at least I don't think it did since everything seems to be working fine)... it was just the console message that was incorrect.
I don't think you are out of the woods yet. That message isn't generated by scribe--it is, I think, generated by the scribe.mod file that is part of amtm. It is checking to see if the logrotate daily cron job exists, and you most definitely need that. In a terminal run
Code:
cru l
and see if you have a logrotate job set. If not your log files will grow too big to display in uiScribe.

I would start over, set a label, and reinstall.
 
The last thing the scribe install routine does is run a status, which checks the output of 'cru l' for the presence of the cron job. According to the text file @hshah attached, it was there and everything else was correct. scribe should have exited with "exit 0". I haven't explicitly tried installing without a disk label, but I don't see why scribe wouldn't like it. The only time scribe explicitly looks for the drive name is to redact it when creating a debug file, which is not part of the install routine.
 
I didn't find his error message in scribe itself. I found it in scribe.mod, which is part of amtm, isn't it? It doesn't check "cru l", but checks to see if post-mount has the line in it. So scribe might exit with code zero, but amtm might then do another check that failed.
 
Right, it is an error message from amtm. I check both the output of 'cru l' and for the cru line in post-mount in scribe's status check. I'm confident his scribe is installed correctly, I'm not sure where the error message is coming from.
 
I'll put this out in case it helps someone. I recently had a runaway pixelserv.log. For reasons unclear to me, an Android phone in the house started calling two blocked fingerprinting sites repeatedly. As in hundreds of times a second. Because I have pixelserv on level 2 logging, my pixelserv.log was growing tens of megabytes an hour, which brought the webgui display to its knees. That isn't the sort of thing logrotate could handle, even if the logs were useful. So I added a filter and discard log statement like so:
Code:
# log all pixelserv-tls logs to /opt/var/log/pixelserv.log and stop processing pixelserv-tls logs
# drop pixelserv-tls messages that mention any of the noisy sites in f_pixelserv_do_not_log
destination d_pixelserv {
    file("/opt/var/log/pixelserv.log");
};
filter f_pixelserv {
    program("pixelserv-tls");
};
filter f_pixelserv_do_not_log {
    message("api.permutive.com") or
    message("cdn.permutive.com") or
    message("reports.crashlytics.com");
};
# no destination here: matching messages are discarded and processing stops
log {
    source(src);
    filter(f_pixelserv);
    filter(f_pixelserv_do_not_log);
    flags(final);
};
log {
    source(src);
    filter(f_pixelserv);
    destination(d_pixelserv);
    flags(final);
};
#eof
The first log statement discards any message that includes the noisy sites; the second one is the one we usually use.

My first effort was to create a text file with the sites I wanted to discard, and use the in-file filter function, as the filter was going to be unwieldy with multiple "or" statements. But that doesn't allow for substrings, so it wasn't going to work. Still thinking about alternatives.
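
One way around the limitation described in the post above, as an added example that is not part of the original post or of scribe: generate the discard filter from a text file of substrings. The function name, the list format (one entry per line, `#` comments) and the temp-file demo are assumptions; `type("string")` with `flags("substring")` makes syslog-ng match each entry literally anywhere in the message.

```shell
#!/bin/sh
# Added example, not scribe's code. gen_discard_filter and the list format
# (one literal substring per line, '#' comments allowed) are assumptions.

# gen_discard_filter NAME LISTFILE -> prints a syslog-ng filter block
gen_discard_filter() {
    name=$1 list=$2 body=""
    [ -r "$list" ] || { echo "cannot read $list" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip CRs and surrounding whitespace; skip blanks and comments.
        line=$(printf '%s' "$line" | tr -d '\r' |
               sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $line in '' | '#'*) continue ;; esac
        # Escape backslash and double quote for a double-quoted config string.
        esc=$(printf '%s' "$line" | sed 's/\\/\\\\/g; s/"/\\"/g')
        term="    message(\"$esc\" type(\"string\") flags(\"substring\"))"
        if [ -z "$body" ]; then
            body=$term
        else
            body="$body or
$term"
        fi
    done < "$list"
    # A list with no usable entries leaves nothing to match: emit no filter.
    [ -n "$body" ] || { echo "no patterns in $list" >&2; return 1; }
    printf 'filter %s {\n%s;\n};\n' "$name" "$body"
}

# Constructed sample list holding the three hosts from the post above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# noisy hosts
api.permutive.com
cdn.permutive.com

reports.crashlytics.com
EOF
gen_discard_filter f_pixelserv_do_not_log "$sample"
rm -f "$sample"
```

The output replaces the hand-written `f_pixelserv_do_not_log` block; syslog-ng has to reload its configuration after the list changes.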
 
Thanks for this! On my network, Apple devices are the noisiest, mostly to "reports.crashlytics.com". I am going to give this a go.
 
Okay, 2.4.3 is up. Please update Entware first, syslog-ng has been updated to 3.27.

Just minor stuff that's been accumulating:
  • scribe itself has only cosmetic changes, no changes in functionality
  • Filters (w/logrotate files) for Netdata, roaming assistant and Suricata added; h/t to @ttgapers for Netdata and Suricata filters / logrotate files
  • Removed /dev/null from the blankmsg filter, completely pointless to write to /dev/null, just don't write it at all
  • Missed a pair of parentheses in the wlceventd filter; h/t @Ayitaka
  • Additional comments in A00remote, including sending messages by tcp instead of udp
  • Capture ntpMerlin messages in the ntpd log
  • Updated README.1st to reflect above
  • Editorial changes to the default syslog-ng.conf file
So, yeah, there it is.
 
probably off-topic, but how to add Suricata logs to system log GUI?
If you've added the suricata file to syslog-ng.d, just rerun uiScribe and reset the webgui, then delete again the ones you don't want to show.
 
Just minor stuff that's been accumulating
I got a kick out of some of the git commit comments, like "reverse for a reason".
 
Anyone feel like helping me filter "hostapd" and "cake-qos" messages please? I've been trying and uninstalling scribe to get things working again as I keep failing. I create empty logs and nothing gets filtered. I've looked at the examples but seriously I'm drawing blanks now. Please anyone?
 
Give me a few and I can do Cake...I'll see if I can get it over before the next publish...

Or share what you built...might just need a tweak or two. One key thing with the config files for both logrotate and syslog-ng is perms....0600 - else it never reads the config.
 
I got a kick out of some of the git commit comments, like "reverse for a reason".
It depends on how snarky I'm feeling at the moment - I actually just looked at the commit history, and I have zero idea anymore why I did that. There's a reason my nick on github is cynicastic. Cynical and Sarcastic. Honestly if I could change my nick here without losing my history, I would, but oh well.
 
