How to avoid client MACs from being sent to rsyslog server

Hello folks,

I am from the Freifunk Nordwest Community; we have over 3000 OpenWrt (using the Gluon framework) nodes running in the north-western part of Germany. These nodes are offering an open wifi and many of them are installed in public places, so there are many messages from the hostapd in the log. We are thinking about running a central rsyslog server for being able to better determine why one of our nodes has failed and to make better bug reports or even commit fixes. Is there a way to filter out the hostapd messages from the logs before they are transmitted to the rsyslog server? That would not only reduce the noise but also keep the highly sensitive MACs of wifi clients from leaking out somewhere between the AP and the log server. They could also be filtered out on the server, but that would not be an elegant solution in my view.

Thanks a lot and have a nice day.

syslog-ng can filter and split logs to various destinations (multiple included). I assume that rsyslog can as well. Both should be independent of the central logger’s choice. TLS transport and potentially cert-based auth suggested.

Edit: Here's a syslog-ng.conf segment as an example of routing wireless-related messages to another destination. More advanced filtering is also possible:

destination messages {
	file("/var/log/messages" template("$FULLDATE $HOST $PRIORITY $PROGRAM: $MSG\n"));
};

destination wireless {
	file("/var/log/wireless" template("$FULLDATE $HOST $PRIORITY $PROGRAM: $MSG\n"));
};

filter f_wireless { program("hostapd") or program("wpa_supplicant"); };
filter f_messages { level(warning..emerg) or not filter(f_wireless); };

log {
	source(src);
	source(net);
	source(kernel);
	filter(f_messages);
	destination(messages);
};

log {
	source(src);
	source(net);
	source(kernel);
	filter(f_wireless);
	destination(wireless);
};
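The same idea as the `f_wireless` filter above, as an added example that is not code from any poster in this thread: a POSIX shell filter that drops hostapd and wpa_supplicant lines and masks any MAC address left in other programs' messages before the stream is forwarded. The function names, the `<mac>` token and the sample log lines (including their line format) are constructed for illustration; the MAC pattern deliberately over-matches, since redacting too much is the safe failure here.

```shell
#!/bin/sh
# Added example: scrub a syslog stream on the node before it is forwarded.
# All names and sample data below are assumptions made for illustration.

# Six hex octets separated by ':' or '-'.
MAC_RE='([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}'
# " program: " or " program[pid]: " for the two wireless daemons.
PROG_RE=' (hostapd|wpa_supplicant)(\[[0-9]+\])?: '

# scrub_log: stdin -> stdout.
#   1. delete every line logged by hostapd or wpa_supplicant
#   2. mask MAC addresses in the remaining lines (DHCP, kernel, ...)
scrub_log() {
    sed -E -e "/$PROG_RE/d" -e "s/$MAC_RE/<mac>/g"
}

# count_mac_lines: number of stdin lines that still contain a MAC.
# grep -c exits 1 when the count is 0, hence the "|| true".
count_mac_lines() {
    grep -Ec "$MAC_RE" || true
}

# Constructed sample input (locally administered MACs, invented hosts).
sample_log() {
    cat <<'EOF'
Mon Mar  4 10:15:01 2024 daemon.info hostapd: wlan0: STA 02:00:00:aa:bb:01 IEEE 802.11: authenticated
Mon Mar  4 10:15:01 2024 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 02:00:00:aa:bb:01
Mon Mar  4 10:15:02 2024 daemon.info dnsmasq-dhcp[1834]: DHCPACK(br-client) 10.0.0.23 02:00:00:aa:bb:01 phone
Mon Mar  4 10:15:09 2024 kern.warn kernel: [ 8123.4] ath10k_pci 0000:01:00.0: firmware crashed
Mon Mar  4 10:15:30 2024 daemon.notice wpa_supplicant[977]: wlan1: CTRL-EVENT-DISCONNECTED bssid=02:00:00:aa:bb:02 reason=3
EOF
}

# Demo: only the DHCP line (with the MAC masked) and the kernel line remain.
sample_log | scrub_log
```

Running `count_mac_lines` over the scrubbed output is a cheap self-check before anything leaves the node: a non-zero count means a message format slipped past the filter.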

iptables modules are another bespoke option...

With that many nodes you may wish to consider the performance hit for such functionality...

Some custom C code / hooks / regexp within logd should be considered.... a fork ... or in collaboration with some other community network groups?

I was told to edit the configuration file of hostapd itself (e.g. /var/run/hostapd-phy0.conf) since it has something like

logger_syslog=127
logger_syslog_level=2
logger_stdout=127
logger_stdout_level=2

in it. But how do I make my changes to the config take effect? wifi or even a reboot will reset the file to what it was before.

See package/network/services/hostapd/files/hostapd.sh for the details of which UCI variables get copied over to the generated config file, for example:

hostapd_set_log_options() {
        local var="$1"

        local log_level log_80211 log_8021x log_radius log_wpa log_driver log_iapp log_mlme
        json_get_vars log_level log_80211 log_8021x log_radius log_wpa log_driver log_iapp log_mlme

        set_default log_level 2
        set_default log_80211  1
        set_default log_8021x  1
        set_default log_radius 1
        set_default log_wpa    1
        set_default log_driver 1
        set_default log_iapp   1
        set_default log_mlme   1

        local log_mask=$(( \
                ($log_80211  << 0) | \
                ($log_8021x  << 1) | \
                ($log_radius << 2) | \
                ($log_wpa    << 3) | \
                ($log_driver << 4) | \
                ($log_iapp   << 5) | \
                ($log_mlme   << 6)   \
        ))

        append "$var" "logger_syslog=$log_mask" "$N"
        append "$var" "logger_syslog_level=$log_level" "$N"
        append "$var" "logger_stdout=$log_mask" "$N"
        append "$var" "logger_stdout_level=$log_level" "$N"

        return 0
}

(As something to consider, as I assume you are in the EU, log messages arguably include "personal data" as defined in Article 4.1 of the GDPR and transmittal of such data over an unencrypted channel may be deemed a violation of that regulation.)

Which is why I want to keep them out of remote logs completely. No personal data -- no problem.

Thank you for the advice. Can you give me an idea which of the 8 log features I have to default to 0 if I want no MAC address (client (dis-)connected) messages in the logs at all? By pure guess I would set_default log_80211. Am I right?

I am guessing the set_default is used when the named variable is not present in the "decoded" UCI information. You should be able to set the various log_* variables in /etc/config/wireless (probably for the interface) to check them out. Yes, I'd then use a "custom" version of hostapd.sh to have those defaults apply to any other wireless devices the user might create.


I'd still look very, very carefully at what is logged by looking through the source of the hostap packages. Personally, I'd absolutely encrypt (data privacy) and likely authenticate the channel, the latter to help mitigate DoS or data-corruption issues.