I have two devices running OpenWrt, and I would like to consolidate the logs from both devices on one of them; I do not need anything fancy here, I just need to be able to see the messages from both devices.
On the device that will send the logs, it looks like I can configure "logd" to send the messages to the other device, so far so good. But on the device that will receive the logs, it looks like I will need something else; what is the minimal setup that would be needed to make this work?
Yes, that seems like the only solution, and probably overkill for my needs. Do you know which of those two would be lighter, or how to configure them for a minimal setup?
syslog-ng is pretty easy to use and nice and flexible. Its config file syntax is quite readable. Here's my config file.
I use the system logger to forward the logs from the ring buffer to a local port on which I have syslog-ng listening. This is so that I can also see the logs using the LuCI interface, in case you're wondering.
However, in your case you'd do the same, and instead of the source s_localhost you'd have this defined to be the other machine sending its logs to the machine on which you're running syslog-ng.
@version: 3.0
options {
    chain_hostnames(no);
    stats_freq(43200);
    keep_hostname(yes); # Enable or disable hostname rewriting.
    log_fifo_size(256); # The number of messages that the output queue can store.
    log_msg_size(1024); # Maximum length of a message in bytes.
    flush_lines(0); # How many lines are flushed to a destination at a time.
    use_fqdn(no); # Add Fully Qualified Domain Name instead of short hostname.
};
# logd forwards the ring buffer to this loopback port (log_ip 127.0.0.1, log_port 6000).
source s_localhost {
    udp(ip(127.0.0.1) port(6000) host_override("openwrt"));
};
destination d_messages {
    file("/var/log/messages");
};
destination d_kernel {
    file("/var/log/kernel");
};
destination d_openvpn {
    file("/var/log/openvpn");
};
destination d_pppd {
    file("/var/log/pppd");
};
destination d_firewall {
    file("/var/log/firewall");
};
# Netfilter LOG target lines always carry SRC= and DST= fields.
filter f_iptables {
    facility(kern) and message("SRC=") and message("DST=");
};
# Needed by the kernel log path below; it was missing from the original.
filter f_not_iptables {
    not filter(f_iptables);
};
filter f_openvpn {
    program("openvpn.*");
};
filter f_pppd {
    program("pppd");
};
filter f_not_pppd {
    not filter(f_pppd);
};
filter f_not_openvpn {
    not filter(f_openvpn);
};
filter f_kernel {
    facility(kern) and program("kernel") and not level(debug);
};
filter f_not_kernel {
    not filter(f_kernel);
};
# iptables/netfilter messages
log {
    source(s_localhost);
    filter(f_kernel);
    filter(f_iptables);
    destination(d_firewall);
    flags(final);
};
# kernel messages not including iptables
log {
    source(s_localhost);
    filter(f_kernel);
    filter(f_not_iptables);
    destination(d_kernel);
    flags(final);
};
# pppd
log {
    source(s_localhost);
    filter(f_not_kernel);
    filter(f_pppd);
    destination(d_pppd);
    flags(final);
};
# openvpn messages
log {
    source(s_localhost);
    filter(f_not_kernel);
    filter(f_openvpn);
    destination(d_openvpn);
    flags(final);
};
# normal messages not processed by other log paths
log {
    source(s_localhost);
    filter(f_not_kernel);
    destination(d_messages);
    flags(fallback);
};
My router is a custom one with a big SSD in it, so space is not an issue for me.
That said, you can handle the logs in a number of ways:
Log to /var, which is a RAM-based tmpfs filesystem symlinked from /tmp, and then use logrotate triggered by an hourly cron job with a size parameter in logrotate.conf, maybe keeping only one old copy of each logfile, gzipped.
Log to a filesystem on an external USB device.
Log to an SMB or NFS network filesystem.
I'm assuming you don't have a separate machine running syslog that you could log to, otherwise you'd be doing this already.
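The minimal two-device setup the question asks for, as an added example (not the config posted above and not OpenWrt's or syslog-ng's own shipped config): a receiver-side syslog-ng.conf with a source for the remote device, plus the logrotate stanza that keeps the tmpfs-backed /var/log bounded, as described in the storage options above. The receiver's LAN address 192.168.1.1, the port numbers and the 512k size are assumptions; replace them with your own.

```conf
# --- /etc/syslog-ng.conf on the RECEIVING device (added example, values assumed) ---
@version: 3.0
options {
    # keep the hostname the sender puts in the message so the two devices stay distinguishable
    keep_hostname(yes);
    # no reverse DNS per message; the sender's name already comes in the message
    use_dns(no);
    create_dirs(yes);
};

# Remote OpenWrt device: logd sends RFC 3164 over UDP to this address/port.
# Binding to the LAN address (assumed 192.168.1.1) rather than 0.0.0.0 keeps
# the listener off the WAN side. On syslog-ng 3.3+ the same source is written
# network(ip("192.168.1.1") port(514) transport("udp")).
source s_remote {
    udp(ip(192.168.1.1) port(514));
};

# Optional: the receiver's own logd forwarded to loopback, same idea as the
# s_localhost source in the config above, so local messages land in the same file.
source s_local {
    udp(ip(127.0.0.1) port(6000) host_override("openwrt"));
};

destination d_messages {
    file("/var/log/messages");
};

# Both devices into one file; syslog-ng prefixes each line with the sender hostname.
log {
    source(s_remote);
    source(s_local);
    destination(d_messages);
};

# --- /etc/logrotate.conf on the RECEIVING device (added example) ---
# run hourly from cron:  0 * * * * /usr/sbin/logrotate /etc/logrotate.conf
/var/log/messages {
    size 512k
    rotate 1
    compress
    missingok
    notifempty
    sharedscripts
    postrotate
        killall -HUP syslog-ng
    endscript
}
```

On the sending device, point logd at the receiver with UCI (package `system`, options `log_ip`, `log_port` and `log_proto` exist in /etc/config/system): `uci set system.@system[0].log_ip='192.168.1.1'; uci set system.@system[0].log_port='514'; uci set system.@system[0].log_proto='udp'; uci commit system; /etc/init.d/log restart`. On the receiver, the same three options pointing at 127.0.0.1 and 6000 feed the optional s_local source. The HUP in postrotate is what makes syslog-ng reopen /var/log/messages after logrotate renames it; without it syslog-ng keeps writing to the rotated (and soon compressed) file. Two caveats a practitioner should keep in mind: plain UDP syslog carries no authentication or integrity, and with keep_hostname(yes) the hostname is whatever the sender claims, so add a firewall rule on the receiver that accepts UDP/514 only from the sending device's address and only on the LAN zone; and because /var is tmpfs, the rotated copy disappears on reboot, so move the destination to USB or a network filesystem if you need the history to survive.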