Logging with Syslog-NG on OpenWRT

By Khalid on 2014/04/01 - 22:15, last updated 2020/07/09 - 22:57

Update 2020-07-09: With the latest 19.07.3, syslog-ng is no longer the preferred option. Instead, read my other article on using rsyslog with OpenWRT.

Update 2014-10-08: If you upgraded to the stable Barrier Breaker 14.07 and Syslog-NG is not available, or if you don't want to use Syslog-NG for any other reason, please check our other article on using the built-in logging feature of OpenWRT to write the log to a file.

We wrote earlier on OpenWRT on D-Link DIR-835. Now, we need to expand the functionality a bit more.

On OpenWRT, the default logging mechanism is an in-memory circular buffer. The user interface for it is the logread command. The log buffer default size is 16 kB. There are a couple of directives that can be set in the system configuration for OpenWRT, but because of the limited size of flash and the non-permanence of RAM, you need another solution if you want to store logs for anything longer than a day or two.

Syslog-NG

Syslog-NG is a good system logging program that is available for OpenWRT.

To install syslog-ng, enter the following commands over SSH:

opkg update
opkg install syslog-ng3

Make syslog start automatically on boot:

/etc/init.d/syslog-ng enable

Configuration for Syslog-NG

The configuration for syslog-ng goes in the file /etc/syslog-ng.conf.

The following configuration logs to a monthly file on the USB drive, and also excludes a couple of repetitive messages. It also avoids the annoying "--MARK--" entries that just eat up space.

Adjust the configuration to your needs:

@version:3.0

options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(8192);
        stats_freq(0);
        use_fqdn(no);
        # Do not add "--MARK--" entries to the log
        mark_freq(0);
};

source local {
        internal();
        unix-stream("/dev/log");
};

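source net {
        # Accept syslog over UDP port 514 on all interfaces; set ip() to the
        # router's LAN address to accept messages from the LAN only
        udp(ip(0.0.0.0) port(514));
};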

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination logfile {
        # Log to a file on the USB filesystem, and a new file every month
        file("/mnt/usb/logs/syslog-$YEAR-$MONTH.log");
};

# This filter is used to exclude excessive noise in the logs
filter f_not_noise {
        # This is a warning from odhcpd about routing
        not message("there is no public prefix")
        and
        # This is cron executing the bandwidth monitor script every minute,
        # so we just exclude them too
        not message("cmd /mnt/usb/wrtbwmon/wrtbwmon ")
        ;
};

log {
        source(local);
        source(net);
        source(kernel);
       
        filter(f_not_noise);
       
        destination(logfile);
};

Start syslog-ng

Finally, start the syslog-ng program:

/etc/init.d/syslog-ng start

Note that if you change syslog-ng's configuration and then run the command:

/etc/init.d/syslog-ng restart

the changes will not take effect immediately. To solve this, use the following commands instead:

killall syslog-ng
/etc/init.d/syslog-ng start

Adjust the startup order

By default, Syslog-NG takes a startup number of 50; that is, the init.d script is linked to /etc/rc.d/S50syslog-ng. This can cause some processes that start before syslog-ng to log to the old logging mechanism rather than syslog-ng.

To solve this, check the startup order using the following command:

ls -l /etc/rc.d/S??*

Then change the startup order of syslog-ng to be just after the original logging mechanism:

mv /etc/rc.d/S50syslog-ng /etc/rc.d/S12syslog-ng

Then check the order again:

ls -l /etc/rc.d/S??*

You should see syslog-ng right after S12log.

... /etc/rc.d/S12log -> ../init.d/log
... /etc/rc.d/S12syslog-ng -> ../init.d/syslog-ng

A typical day's worth of logs is around 750 kB, so even a 1 GB USB drive should last for a very long time. You can check intrusion attempts or unauthorized connections to WiFi months after they happen.
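One way to do such a review over the monthly files written by the configuration above, as an added example that is not part of the original article: it counts failed dropbear SSH logins per source address and lists WiFi stations that are missing from an allowlist. The dropbear and hostapd message formats, the allowlist file and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). The dropbear and hostapd
# message formats are assumptions; the sample lines below are constructed.

# Failed SSH logins per source IP, busiest first: "<count> <ip>".
failed_ssh_sources() {
    awk '
        /dropbear\[[0-9]+\]: (Bad password attempt for|Login attempt for nonexistent user) / {
            src = $NF                     # last field is "ip:port"
            sub(/:[0-9]+$/, "", src)      # drop the port
            n[src]++
        }
        END { for (s in n) print n[s], s }
    ' "$@" | sort -k1,1nr -k2,2
}

# WiFi stations that associated but are not in the allowlist file
# (one MAC per line): "<mac> <count>".
unknown_wifi_stations() {
    allow=$1; shift
    awk -v allow="$allow" '
        BEGIN { while ((getline m < allow) > 0) known[tolower(m)] = 1 }
        /hostapd: .* STA [0-9A-Fa-f:]+ IEEE 802\.11: associated/ {
            for (i = 1; i < NF; i++) if ($i == "STA") mac = tolower($(i + 1))
            if (!(mac in known)) seen[mac]++
        }
        END { for (m in seen) print m, seen[m] }
    ' "$@" | sort
}

# Constructed sample standing in for /mnt/usb/logs/syslog-2014-04.log
write_sample() {
    cat > "$1" <<'EOF'
Apr  1 22:15:01 OpenWrt dropbear[2101]: Bad password attempt for 'root' from 192.0.2.10:51234
Apr  1 22:15:04 OpenWrt dropbear[2101]: Bad password attempt for 'root' from 192.0.2.10:51240
Apr  1 22:16:40 OpenWrt hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: associated (aid 1)
Apr  2 03:02:11 OpenWrt dropbear[2230]: Login attempt for nonexistent user from 198.51.100.7:40022
Apr  2 09:30:00 OpenWrt hostapd: wlan0: STA 02:00:00:cc:dd:02 IEEE 802.11: associated (aid 2)
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp/syslog-2014-04.log"
echo "02:00:00:aa:bb:01" > "$tmp/known-macs.txt"
failed_ssh_sources "$tmp/syslog-2014-04.log"
unknown_wifi_stations "$tmp/known-macs.txt" "$tmp/syslog-2014-04.log"
```

On the router, pass the real files instead of the sample, for example `failed_ssh_sources /mnt/usb/logs/syslog-*.log`.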

Further Reading

  • Logging on OpenWRT
  • OpenWRT Basic Log Support
  • Syslog-NG on OpenWRT