Logging with Syslog-NG on OpenWRT

Update 2020-07-09: With the latest 19.07.3, syslog-ng is no longer the preferred option. Instead, read my other article on using rsyslog with OpenWRT.

Update 2014-10-08: If you upgraded to the stable Barrier Breaker 14.07 and Syslog-NG is not available, or if you don't want to use Syslog-NG for any other reason, please check our other article on using the built-in logging feature of OpenWRT to write the log to a file.

We wrote earlier on OpenWRT on D-Link DIR-835. Now, we need to expand the functionality a bit more.

On OpenWRT, the default logging mechanism is an in-memory circular buffer. The user interface for it is the logread command. The log buffer default size is 16 kB. There are a couple of directives that can be set in the system configuration for OpenWRT, but because of the limited size of flash and the non-permanence of RAM, you need another solution if you want to store logs for anything longer than a day or two.


Syslog-NG is a good system logging program that is available for OpenWRT.

To install syslog-ng, enter the following commands over ssh:

opkg update
opkg install syslog-ng3

Make syslog start automatically on boot:

/etc/init.d/syslog-ng enable

Configuration for Syslog-NG

The configuration for syslog-ng goes into the file /etc/syslog-ng.conf.

The following configuration logs a monthly file to the USB drive, and also excludes a couple of repetitive messages. It also avoids the annoying "--MARK--" entries that just eat up space.

Adjust the configuration to your needs:


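options {
        # Do not add "--MARK--" entries to the log
        mark_freq(0);
};

source local {
        # Assumed: the usual local sources (this part is missing from the page)
        internal();
        unix-stream("/dev/log");
};

source net {
        # Listen address is missing from the page; <LISTEN_ADDRESS> is a placeholder
        udp(ip("<LISTEN_ADDRESS>") port(514));
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination logfile {
        # Log to a file on the USB filesystem, and a new file every month
        # File path is missing from the page; <USB_LOG_PATH> is a placeholder
        file("<USB_LOG_PATH>-$YEAR-$MONTH.log");
};

# This filter is used to exclude excessive noise in the logs
filter f_not_noise {
        # This is a warning from odhcpd about routing
        not message("there is no public prefix")
        # This is cron executing the bandwidth monitor script every minute,
        # so we just exclude them too
        and not message("cmd /mnt/usb/wrtbwmon/wrtbwmon ");
};

log {
        # Assumed: connect the sources, filter and destination defined above
        source(local);
        source(net);
        source(kernel);
        filter(f_not_noise);
        destination(logfile);
};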

Start syslog-ng

Finally, start the syslog-ng program:

/etc/init.d/syslog-ng start

Note that if you change syslog-ng's configuration and then run the command:

/etc/init.d/syslog-ng restart

the changes will not take effect immediately. To solve this, use the following commands instead:

killall syslog-ng
/etc/init.d/syslog-ng start

Adjust the startup order

By default, Syslog-NG takes a startup number of 50, that is, the init.d script is linked to /etc/rc.d/S50syslog-ng. This can cause some processes that start before syslog-ng to log to the old logging mechanism rather than syslog-ng.

To solve this, check the startup order using the following command:

ls -l /etc/rc.d/S??*

Then change the startup order of syslog-ng to be just after the original logging mechanism.

mv /etc/rc.d/S50syslog-ng /etc/rc.d/S12syslog-ng

Then check the order again:

ls -l /etc/rc.d/S??*

You should see syslog-ng right after S12log.

... /etc/rc.d/S12log -> ../init.d/log
... /etc/rc.d/S12syslog-ng -> ../init.d/syslog-ng
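
To see which services are affected by the startup order, the following added example (not part of the original article) lists the init scripts whose links sort after the log link and before the syslog-ng link in an rc.d directory. It assumes scripts start in the sorted order that ls shows; the function name and the service names in the demo layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: list init scripts that start after "log" but before
# "syslog-ng", i.e. services whose early messages go to the old logger.
LC_ALL=C; export LC_ALL   # make glob expansion sort bytewise, like ls does here

# between_log_and_syslog_ng DIR
# Prints one service name per line.
# Returns 1 if DIR contains no S??syslog-ng link at all.
between_log_and_syslog_ng() {
    seen_log=0
    for link in "$1"/S[0-9][0-9]*; do
        name=${link##*/}            # e.g. S12log
        name=${name#S[0-9][0-9]}    # e.g. log
        case $name in
            log)       seen_log=1 ;;
            syslog-ng) return 0 ;;
            *)         if [ "$seen_log" -eq 1 ]; then echo "$name"; fi ;;
        esac
    done
    return 1
}

# Demo on a constructed rc.d layout (sample names, not taken from the article)
demo_dir=$(mktemp -d)
for s in S10boot S12log S19firewall S20network S50cron S50dropbear S50syslog-ng; do
    : > "$demo_dir/$s"
done
echo "Default order (S50), started before syslog-ng:"
between_log_and_syslog_ng "$demo_dir"
mv "$demo_dir/S50syslog-ng" "$demo_dir/S12syslog-ng"
echo "After the move to S12, started before syslog-ng:"
between_log_and_syslog_ng "$demo_dir"
rm -rf "$demo_dir"
```

On the router, call between_log_and_syslog_ng /etc/rc.d before and after the mv; an empty list means nothing starts between log and syslog-ng.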

A typical day's worth of logs is around 750 kB, so even a 1 GB USB drive should last for a very long time. You can check intrusion attempts or unauthorized connections to WiFi months after they happen.
