Logging with Syslog-NG on OpenWRT

Update 2014-10-08: If you upgraded to the stable Barrier Breaker 14.07 and Syslog-NG is not available, or if you don't want to use Syslog-NG for any other reason, please check our other article on using the built-in logging feature of OpenWRT to write the log to a file.

We wrote earlier about OpenWRT on the D-Link DIR-835. Now we need to expand its functionality a bit more.

On OpenWRT, the default logging mechanism is an in-memory circular buffer. The user interface for it is the logread command. The log buffer default size is 16 kB. There are a couple of directives that can be set in the system configuration for OpenWRT, but because of the limited size of flash and the non-permanence of RAM, you need another solution if you want to store logs for anything longer than a day or two.

Syslog-NG

Syslog-NG is a good system logging program that is available for OpenWRT.

To install syslog-ng, run the following commands from an SSH session on the router:

opkg update
opkg install syslog-ng3

Make syslog-ng start automatically on boot:

/etc/init.d/syslog-ng enable

Configuration for Syslog-NG

The configuration for syslog-ng goes in the file /etc/syslog-ng.conf.

The following configuration writes a new log file each month to the USB drive and excludes a couple of repetitive messages. It also avoids the annoying "--MARK--" entries that just eat up space.

Adjust the configuration to your needs:

@version:3.0

options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(8192);
        stats_freq(0);
        use_fqdn(no);
        # Do not add "--MARK--" entries to the log
        mark_freq(0);
};

# Messages from syslog-ng itself and from local programs via /dev/log
source local {
        internal();
        unix-stream("/dev/log");
};

# Syslog over UDP from other hosts; ip(0.0.0.0) binds every interface,
# so only the firewall keeps WAN hosts from reaching port 514
source net {
        udp(ip(0.0.0.0) port(514));
};

# Kernel messages, tagged with "kernel" as the program name
source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination logfile {
        # Log to a file on the USB filesystem, and a new file every month.
        # create_dirs(yes) above creates /mnt/usb/logs if it is missing
        file("/mnt/usb/logs/syslog-$YEAR-$MONTH.log");
};

# This filter is used to exclude excessive noise in the logs
filter f_not_noise {
        # This is a warning from odhcpd about routing
        not message("there is no public prefix")
        and
        # This is cron executing the bandwidth monitor script every minute,
        # so we just exclude them too
        not message("cmd /mnt/usb/wrtbwmon/wrtbwmon ")
        ;
};

log {
        source(local);
        source(net);
        source(kernel);
        filter(f_not_noise);
        destination(logfile);
};

Start syslog-ng

Finally, start the syslog-ng program:

/etc/init.d/syslog-ng start

Note that changes to syslog-ng's configuration will not take effect immediately if you reload it with:

/etc/init.d/syslog-ng restart

To solve this, stop and start the daemon explicitly instead:

killall syslog-ng
/etc/init.d/syslog-ng start

Adjust the startup order

By default, Syslog-NG takes a startup number of 50, that is, the init.d script is linked to /etc/rc.d/S50syslog-ng. This can cause processes that start before syslog-ng to log to the old logging mechanism rather than to syslog-ng.

To solve this, check the startup order using the following command:

ls -l /etc/rc.d/S??*

Then change the startup order of syslog-ng so that it starts just after the original logging mechanism:

mv /etc/rc.d/S50syslog-ng /etc/rc.d/S12syslog-ng

Then check the order again:

ls -l /etc/rc.d/S??*

You should see syslog-ng right after S12log:

... /etc/rc.d/S12log -> ../init.d/log
... /etc/rc.d/S12syslog-ng -> ../init.d/syslog-ng
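As an added example (not part of the original article), the following script checks the two things above that are easy to get wrong: that syslog-ng shares the stock logger's start number after the rename, and that the log destination really lies on a mounted filesystem rather than on the flash overlay that create_dirs(yes) would otherwise populate. Both functions take their input as text, and the rc.d listing and /proc/mounts content at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original article: two offline sanity checks
# for the setup above. Inputs are passed in as text, so the functions can be
# fed `ls /etc/rc.d` and /proc/mounts on the router or the samples below.

# rc_order_check LISTING: LISTING is the output of `ls /etc/rc.d`. Prints the
# start numbers of the stock logger (S??log) and of syslog-ng and succeeds
# only when they match, which is what the rename to S12syslog-ng achieves:
# syslog-ng then starts right after S12log, ahead of the services that follow.
rc_order_check() {
    log_num=$(printf '%s\n' "$1" | sed -n 's/^S\([0-9]*\)log$/\1/p')
    ng_num=$(printf '%s\n' "$1" | sed -n 's/^S\([0-9]*\)syslog-ng$/\1/p')
    if [ -z "$log_num" ] || [ -z "$ng_num" ]; then
        echo "rc_order_check: log or syslog-ng is not enabled" >&2
        return 2
    fi
    printf 'log=S%s syslog-ng=S%s\n' "$log_num" "$ng_num"
    [ "$ng_num" -eq "$log_num" ]
}

# log_dest_mounted MOUNTS LOGPATH: MOUNTS is the content of /proc/mounts.
# Succeeds and prints the mount point when LOGPATH lies on a filesystem other
# than the root one. With create_dirs(yes), a destination under an unmounted
# /mnt/usb would otherwise be created silently on the flash overlay.
log_dest_mounted() {
    logpath=$2
    printf '%s\n' "$1" | (
        while read -r dev mnt rest; do
            [ "$mnt" = / ] && continue
            case "$logpath" in
                "$mnt"/*) printf '%s\n' "$mnt"; exit 0 ;;
            esac
        done
        exit 1
    )
}

# Constructed sample data: an rc.d listing after the rename, and a
# /proc/mounts with a USB stick on /dev/sda1.
SAMPLE_RCD="S12log
S12syslog-ng
S19firewall
S50cron"
SAMPLE_MOUNTS="rootfs / rootfs rw 0 0
overlayfs:/overlay / overlay rw 0 0
/dev/sda1 /mnt/usb ext4 rw 0 0"

rc_order_check "$SAMPLE_RCD" && echo "startup order: ok"
log_dest_mounted "$SAMPLE_MOUNTS" /mnt/usb/logs/syslog-2014-10.log >/dev/null \
    && echo "log destination: on a mounted filesystem"
```

On the router, run the checks with `rc_order_check "$(ls /etc/rc.d)"` and `log_dest_mounted "$(cat /proc/mounts)" /mnt/usb/logs/syslog-$(date +%Y-%m).log`.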

A typical day's worth of logs is around 750 kB, so even a 1 GB USB drive should last for a very long time. You can review intrusion attempts or unauthorized connections to the WiFi months after they happen.
