I am from the Freifunk Nordwest Community, we have over 3000 OpenWrt (using the Gluon framework) nodes running in the north-western part of Germany. These nodes are offering an open wifi and many of them are installed in public places, so there are many messages from the hostapd in the log. We are thinking about running a central rsyslog server for being able to better determine why one of our nodes has failed and to make better bug reports or even commit fixes. Is there a way to filter out the hostapd messages from the logs before they are transmitted to the rsyslog server? That would not only reduce the noise but also avoid the highly sensitive MACs of wifi clients leaking out somewhere between the AP and the log server. They could also be filtered out on the server, but that would not be an elegant solution in my view.
syslog-ng can filter and split logs to various destinations (multiple included). I assume that rsyslog can as well. Both should be independent of the central logger’s choice. TLS transport and potentially cert-based auth suggested.
Edit: Here's a syslog-ng.conf segment as an example of routing wireless-related messages to another destination. More advanced filtering is also possible:
See package/network/services/hostapd/files/hostapd.sh for the details of which UCI variables get copied over to the generated config file, for example:
(As something to consider, as I assume you are in the EU, log messages arguably include "personal data" as defined in Article 4.1 of the GDPR and transmittal of such data over an unencrypted channel may be deemed a violation of that regulation.)
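One way to do the filtering on the node itself, as an added example that is not the poster's own segment (the server hostname, port and certificate paths are assumed placeholders): drop the wireless daemons' messages, and anything else still carrying a MAC address, before the remainder leaves over TLS.

```conf
# Added example, not the poster's segment: syslog-ng.conf on an OpenWrt
# node. Filtering happens here, so client MACs never reach the wire.
# Hostname, port and certificate paths below are assumed placeholders.
@version: 3.9

source s_local {
    internal();
    unix-dgram("/dev/log");   # where hostapd and friends log on the node
};

# Drop everything from the wireless daemons (STA (dis)associations,
# EAPOL, deauth reasons, ...) instead of trying to pick single lines.
filter f_not_wifi {
    not program("^(hostapd|wpa_supplicant)$");
};

# Belt and braces: also drop any remaining line that contains something
# shaped like a MAC address (e.g. DHCP lease messages from other daemons).
filter f_no_mac {
    not match("[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}" value("MESSAGE") type("pcre"));
};

# Encrypted and mutually authenticated transport to the central server:
# the node verifies the server CA, the server can verify the node cert.
destination d_central {
    syslog("logserver.example.net"              # assumed hostname
        transport("tls")
        port(6514)
        tls(
            ca-dir("/etc/syslog-ng/ca.d")       # CA that signed the server cert
            cert-file("/etc/syslog-ng/node.crt")
            key-file("/etc/syslog-ng/node.key")
            peer-verify(required-trusted)
        )
    );
};

# Keep the unfiltered copy on the node for on-site debugging.
destination d_local { file("/var/log/messages"); };

log { source(s_local); destination(d_local); };
log { source(s_local); filter(f_not_wifi); filter(f_no_mac); destination(d_central); };
```

The second `log` path is the only one that reaches the network, so a message must pass both filters before it is forwarded.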
Which is why I want to keep them out of remote logs completely. No personal data -- no problem.
Thank you for the advice. Can you give me an idea which of the 8 log features I have to default to 0 if I want no MAC address (client (dis)connected) messages in the logs at all? By pure guess I would set_default log_80211. Am I right?
I am guessing the set_default is used when the named variable is not present in the "decoded" UCI information. You should be able to set the various log_* variables in /etc/config/wireless (probably for the interface) to check them out. Yes, I'd then use a "custom" version of hostapd.sh to have those defaults apply to any other wireless devices the user might create.
I'd still look very, very carefully at what is logged by looking through the source of the hostap packages. Personally, I'd absolutely encrypt (data privacy) and likely authenticate the channel, the latter to help mitigate DoS or data-corruption issues.