Skynet - syslog-ng.conf - log forwarding to syslog server

rlunsingh

Occasional Visitor
Hi everyone,

I have set up my ASUS RT-AC68U with Skynet and Scribe.

I have configured the syslog-ng.conf for log forwarding to my syslog server.
Some log information is coming in now from scribe as well as general events from the router, but I see no Skynet log info being forwarded yet when there are plenty of events in the skynet tab of the webgui.
In the syslog-ng.conf it states that you also need to specify per source that it needs to be forwarded, but I cannot find where and/or how.

Can anyone tell me what I should configure more? Is there any other config file or script that I should edit for this?
I attached my current syslog-ng.conf as a .txt file.
 

Attachments

  • syslog-ng.conf.txt
You need to make a change in the /opt/etc/syslog-ng.d/skynet file.

TL;DR: Syslog-ng is built around a series of logging statements that basically say, if a message comes from this source and meets this filter, then send the message to this place. Scribe sets up syslog-ng with one logging statement in /opt/etc/syslog-ng.conf for messages that don't meet any other particular logging statement. As you have set this up, that logging statement sends such messages to a log server destination at 10.1.1.1. I'm assuming that isn't the LAN IP address of the router itself, and you've figured out the route to it.

Now, syslog-ng will also look for logging statements in files in /opt/etc/syslog-ng.d, and Scribe sets up a bunch of them there built around the idea that when a message meets one of the filters, it sends it to a particular destination, and then stops processing the message. This is because the logging statement includes a line for flags(final). One of those is for skynet (/opt/etc/syslog-ng.d/skynet), so a message from skynet is written to /opt/etc/var/log/skynet-0.log, and then further processing of the message stops.

If you want to send a message that meets one of those statements to your log server also, you can adjust this in one of three ways. First, you can delete the flags(final) instruction. Then the message will continue to be processed through all the other filters, and not meeting them, drops to the messages statement and gets sent to your log server. Another way is to include in the skynet file your log server destination, so a message is written both to the skynet-0 file and your log server. You would do one or the other for each of the files in syslog-ng.d that you want to send along to the log server. A third way is to create a new file with a logging statement that sends everything (or things that meet a filter) to your log server, and give it an alphabetic name like "00logserver" so it gets processed first. Here, for example, is the file that I used to use to send messages to loggly:
Code:
filter f_loggly1 { not filter("f_pixelserv"); };
filter f_loggly2 { not filter("f_skynet"); };

# Change this template to insert your own unique loggly code and the name of your router
# Loggly will accept messages from other sources and use this tag to identify them
#

template LogglyFormat { template("<${PRI}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} ${MSGID} [MYKEY tag=\"86U\" ] $MSG\n");
    template_escape(no);
};

destination d_loggly {
    tcp("logs-01.loggly.com" port(514) template(LogglyFormat));
};


log { 
    source(src); 
    filter(f_loggly1);
    filter(f_loggly2);
    destination(d_loggly); 
};
### END Syslog-ng Logging Directives for Loggly.com ###

I don't find the skynet log messages of more than ephemeral value, and skynet deletes them every hour from skynet-0 and summarizes them.
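
The third approach from the answer above, written out as an added example (not part of the original post, and not Scribe's own file): a drop-in that copies only Skynet messages to the log server before the skynet statement's flags(final) stops them. It assumes the source `src` and filter `f_skynet` named in the post are defined by Scribe's files, that the server is the 10.1.1.1 from the thread, and that it accepts syslog on UDP 514; `d_logserver` is a name chosen here.

```conf
# /opt/etc/syslog-ng.d/00logserver
# Added example; the destination name d_logserver is illustrative.
# The name sorts ahead of "skynet", so this statement sees each message first.

# Assumption: the log server from the thread (10.1.1.1) listens on UDP 514.
destination d_logserver {
    network("10.1.1.1" transport("udp") port(514));
};

# src and f_skynet are the source and filter the post refers to; they are
# expected to come from Scribe's own files and are not redefined here.
log {
    source(src);
    filter(f_skynet);
    destination(d_logserver);
    # Deliberately no flags(final): the message must continue on to the
    # skynet statement so it is still written to skynet-0.log.
};

# The second approach instead edits the existing log statement in
# /opt/etc/syslog-ng.d/skynet and adds one line next to its file destination:
#     destination(d_logserver);
# Use one approach or the other, otherwise each message is forwarded twice.
```

Running `syslog-ng --syntax-only --cfgfile=/opt/etc/syslog-ng.conf` checks the combined configuration before syslog-ng is reloaded.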
 
Last edited:
I found another way after reloading router config, partition and reformatting the USB stick:

The problem was that my remote syslog server setting in the edge router was incorrect before I started with skynet and scribe and I corrected it in the .conf file afterwards.
I thought that I could directly send it from the edge router to the core router by ip since I added static routes for it, but I noticed that that was not working well.
Now I have corrected the setting in the router webgui, forwarding it to the WAN / DMZ IP of the core router, which has a port forward to the syslog server in the core network, and just installed skynet with it and now all is fine without scribe installed.
My syslog server now receives all the info from skynet that I want.

Thanks a lot for your help and your time.
 
Last edited:

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top