Update 2020-07-09: With the latest 19.07.3, syslog-ng is no longer the preferred option. Instead, read my other article on using rsyslog with OpenWRT.
Update 2014-10-08: If you upgraded to the stable Barrier Breaker 14.07, and Syslog-NG is not available, or if you don't want to use Syslog-NG for any other reason, please check our other article on using the built-in logging feature of OpenWRT to write the log to a file.
We wrote earlier on OpenWRT on D-Link DIR-835. Now, we need to expand the functionality a bit more.
On OpenWRT, the default logging mechanism is an in-memory circular buffer. The user interface for it is the logread command. The log buffer default size is 16 kB. There are a couple of directives that can be set in the system configuration for OpenWRT, but because of the limited size of flash and the non-permanence of RAM, you need another solution if you want to store logs for anything longer than a day or two.
Syslog-NG
Syslog-NG is a good system logging program that is available for OpenWRT.
To install syslog-ng, enter the following commands over SSH:
opkg update
opkg install syslog-ng3
Make syslog start automatically on boot:
/etc/init.d/syslog-ng enable
Configuration for Syslog-NG
The configuration for syslog-ng goes into the file /etc/syslog-ng.conf.
The following configuration logs a monthly file to the USB drive, and also excludes a couple of repetitive messages. It also avoids the annoying "--MARK--" entries that just eat up space.
Adjust the configuration to your needs:
@version:3.0
options {
    chain_hostnames(no);
    create_dirs(yes);
    flush_lines(0);
    keep_hostname(yes);
    log_fifo_size(256);
    log_msg_size(8192);
    stats_freq(0);
    use_fqdn(no);
    # Do not add "--MARK--" entries to the log
    mark_freq(0);
};
source local {
    internal();
    unix-stream("/dev/log");
};
source net {
    # 0.0.0.0 binds to every interface; set ip() to the router's LAN
    # address if only LAN hosts should be able to send logs here
    udp(ip(0.0.0.0) port(514));
};
source kernel {
    file("/proc/kmsg" program_override("kernel"));
};
destination logfile {
    # Log to a file on the USB filesystem, and a new file every month
    file("/mnt/usb/logs/syslog-$YEAR-$MONTH.log");
};
# This filter is used to exclude excessive noise in the logs
filter f_not_noise {
    # This is a warning from odhcpd about routing
    not message("there is no public prefix")
    and
    # This is cron executing the bandwidth monitor script every minute,
    # so we just exclude them too
    not message("cmd /mnt/usb/wrtbwmon/wrtbwmon ")
    ;
};
log {
    source(local);
    source(net);
    source(kernel);
    filter(f_not_noise);
    destination(logfile);
};
Start syslog-ng
Finally, start the syslog-ng program:
/etc/init.d/syslog-ng start
Note that if you change syslog-ng's configuration and then run the command:
/etc/init.d/syslog-ng restart
the changes will not take effect immediately. To solve this, use the following commands instead:
killall syslog-ng
/etc/init.d/syslog-ng start
Adjust the startup order
By default, Syslog-NG takes a startup number of 50, that is, the init.d script is linked to /etc/rc.d/S50syslog-ng. This can cause some processes that start before syslog-ng to log to the old logging mechanism rather than syslog-ng.
To solve this, check the startup order using the following command:
ls -l /etc/rc.d/S??*
Then change the startup order of syslog-ng to be just after the original logging mechanism.
mv /etc/rc.d/S50syslog-ng /etc/rc.d/S12syslog-ng
Then check the order again:
ls -l /etc/rc.d/S??*
You should see syslog-ng right after S12log.
... /etc/rc.d/S12log -> ../init.d/log
... /etc/rc.d/S12syslog-ng -> ../init.d/syslog-ng
A typical day's worth of logs is around 750 kB, so even a 1 GB USB drive should last for a very long time. You can check intrusion attempts or unauthorized connections to WiFi months after they happen.
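The log review mentioned above, as an added example (not from the original article): the shell functions below count failed SSH password attempts per source address and list WiFi stations that are not in a known-MAC list. The dropbear and hostapd message formats, the function names and all sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: review the monthly files written by the "logfile" destination.
# Message formats are assumed from typical dropbear and hostapd output.

# Failed SSH password attempts per source address: prints "count address".
failed_ssh() {
    awk '/dropbear\[[0-9]+\]: Bad password attempt for / {
             src = $NF
             sub(/:[0-9]+$/, "", src)   # drop the client port
             n[src]++
         }
         END { for (s in n) print n[s], s }' "$@" | sort -k1,1nr -k2,2
}

# WiFi stations that authenticated but are not in the known-MAC list.
# Usage: unknown_stations "mac1 mac2 ..." [FILE...]
unknown_stations() {
    known=$1; shift
    awk -v known="$known" '
        BEGIN { split(tolower(known), k, " "); for (i in k) ok[k[i]] = 1 }
        / hostapd(\[[0-9]+\])?: .* STA .* IEEE 802\.11: authenticated/ {
            for (i = 1; i < NF; i++) if ($i == "STA") mac = tolower($(i + 1))
            if (!(mac in ok) && !(mac in seen)) { seen[mac] = 1; print mac }
        }' "$@"
}

# Constructed sample lines in a date/host/program layout (not real data).
sample_log() {
    cat <<'EOF'
Jul  3 02:14:07 OpenWrt dropbear[2211]: Bad password attempt for 'root' from 192.0.2.10:40112
Jul  3 02:14:09 OpenWrt dropbear[2211]: Bad password attempt for 'root' from 192.0.2.10:40112
Jul  3 02:15:30 OpenWrt dropbear[2240]: Bad password attempt for 'admin' from 198.51.100.7:51514
Jul  3 08:01:12 OpenWrt hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: authenticated
Jul  3 23:47:55 OpenWrt hostapd: wlan0: STA 02:00:00:cc:dd:02 IEEE 802.11: authenticated
Jul  3 23:59:01 OpenWrt dnsmasq-dhcp[1730]: DHCPACK(br-lan) 192.168.1.20 02:00:00:aa:bb:01
EOF
}

# On the router: failed_ssh /mnt/usb/logs/syslog-*.log
sample_log | failed_ssh
sample_log | unknown_stations "02:00:00:aa:bb:01"
```

With no file arguments both functions read standard input, so they can also be fed from logread output.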