Minimal setup to receive logs?

I have two devices running OpenWrt, and I would like to consolidate logs from both devices in one of them; I do not need anything fancy here, just be able to see the messages from both devices.

On the device that will send the logs, it looks like I can configure "logd" to send the messages to the other device; so far so good. But on the device that will receive the logs, it looks like I will need something else. What is the minimal setup that would be needed to make this work?

Many thanks!

You probably need a more full-featured syslogging facility (at least on the receiving end), rsyslog or syslog-ng come to mind.

Yes, that seems like the only solution, and probably overkill for my needs. Do you know which of those two would be lighter, or how to configure them for a minimal setup?

Many thanks!

nc -l -u -p 514 | logger

??????


Yes, this was my first thought too! Netcat receives the messages OK, but piping them to logger does not seem to work, inexplicably...

syslog-ng is pretty easy to use, and nice and flexible. Its config file syntax is quite readable. Here's my config file.

I use the system logger to forward the logs from the ring buffer to a local port on which I have syslog-ng listening. This is so that I can also see the logs using the LuCI interface, in case you're wondering.

However, in your case you'd do the same, and instead of the source s_localhost you'd have this defined to be the other machine sending its logs to the machine on which you're running syslog-ng.

@version: 3.0
  
options {

    chain_hostnames(no);
    stats_freq(43200);
    keep_hostname(yes);     # Enable or disable hostname rewriting.
    log_fifo_size(256);     # The number of messages that the output queue can store.
    log_msg_size(1024);     # Maximum length of a message in bytes.
    flush_lines(0);     	# How many lines are flushed to a destination at a time.
    use_fqdn(no);       	# Add Fully Qualified Domain Name instead of short hostname.
};

source s_localhost {
    # messages that logd forwards to 127.0.0.1:6000 (log_ip / log_port in /etc/config/system),
    # labelled with the hostname "openwrt"
    udp(ip(127.0.0.1) port(6000) host_override("openwrt"));
};

destination d_messages {
    file("/var/log/messages");
};

destination d_kernel {
    file("/var/log/kernel");
};

destination d_openvpn {
    file("/var/log/openvpn");
};

destination d_pppd {
    file("/var/log/pppd");
};

destination d_firewall {
    file("/var/log/firewall");
};

filter f_iptables {
    facility(kern) and message("SRC=") and message("DST=");
};

# needed by the kernel-but-not-iptables log path below
filter f_not_iptables {
    not filter(f_iptables);
};

filter f_openvpn {
    program("openvpn.*");
};

filter f_pppd {
    program("pppd");
};

filter f_not_pppd {
    not filter(f_pppd);
};

filter f_not_openvpn {
    not filter(f_openvpn);
};

filter f_kernel {
    facility(kern) and program("kernel") and not level(debug);
};

filter f_not_kernel {
    not filter(f_kernel);
};

# iptables (firewall) messages

log {
    source(s_localhost);
    filter(f_kernel);
    filter(f_iptables);
    destination(d_firewall);    
    flags(final);
};

# kernel messages not including iptables

log {
    source(s_localhost);
    filter(f_kernel);
    filter(f_not_iptables);
    destination(d_kernel);
    flags(final);
};

# pppd

log {
    source(s_localhost);
    filter(f_not_kernel);
    filter(f_pppd);
    destination(d_pppd);
    flags(final);
};

# openvpn messages

log {
    source(s_localhost);
    filter(f_not_kernel);
    filter(f_openvpn);
    destination(d_openvpn);
    flags(final);
};

# normal messages not processed by other log paths

log {
    source(s_localhost);
    filter(f_not_kernel);
    destination(d_messages);
    flags(fallback);
};
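For the "minimal setup" the original question asks about, the two posts above point in two directions: the `nc | logger` one-liner, and a full syslog-ng with per-file routing. The following is an added example (my code, not something from this thread, from OpenWrt, or from syslog-ng) that sits between the two: a small Python receiver that reads logd's UDP datagrams directly with a socket, so framing does not depend on trailing newlines the way a pipe into logger does, and that sorts messages into files using the same first-match rules as the syslog-ng config above. It assumes logd sends BSD-syslog datagrams of the form `<PRI>Mmm dd hh:mm:ss host tag[pid]: text` to UDP/514, that python3 is installed on the receiving router, and that `LOG_DIR`, `ALLOWED_SENDERS` and the sample datagrams are made-up values for illustration.

```python
"""Minimal syslog receiver for OpenWrt logd, with syslog-ng-style routing.

Added example for this thread; it is not code from the thread, from
OpenWrt, or from syslog-ng.  Assumptions (mine, not the thread's): logd
sends one BSD-syslog datagram per message, "<PRI>Mmm dd hh:mm:ss host
tag[pid]: text", to UDP/514; python3 is installed on the receiver; the
directory LOG_DIR and the sender address in ALLOWED_SENDERS are made up.
"""
import os
import re
import socket
import sys

LOG_DIR = "/var/log/remote"          # hypothetical; on tmpfs, so rotate it too
ALLOWED_SENDERS = {"192.168.1.2"}    # hypothetical address of the sending router

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]

_TS = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
_HDR = re.compile(r"^(?:(?P<host>[^\s:\[]+) )?(?P<tag>[^\s:\[]+)"
                  r"(?:\[\d+\])?: ?(?P<msg>.*)$", re.S)


def parse_syslog(datagram, peer):
    """Split one datagram into facility/severity/host/program/message.
    Malformed input is kept as user.notice text from the peer address and
    never dropped, so a misbehaving sender still shows up in the log."""
    text = datagram.decode("utf-8", "replace").rstrip("\r\n")
    pri = 13                                   # user.notice when <PRI> is absent
    m = re.match(r"^<(\d{1,3})>", text)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        text = text[m.end():]
    rec = {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
           "timestamp": "", "host": peer, "program": "", "message": text}
    if _TS.match(text):                        # "Mmm dd hh:mm:ss " is 16 chars
        rec["timestamp"], text = text[:15], text[16:]
    h = _HDR.match(text)                       # "host tag[pid]: msg" or "tag[pid]: msg"
    if h:
        if h.group("host"):
            rec["host"] = h.group("host")
        rec["program"], rec["message"] = h.group("tag"), h.group("msg")
    else:
        rec["message"] = text
    return rec


def route(rec):
    """Pick the output file the way the log {} paths in the syslog-ng config
    above do: the first matching path wins (flags(final)), 'messages' is the
    fallback.  Kernel debug lines do not satisfy f_kernel, so they land in
    'messages' rather than 'kernel'."""
    kern = (rec["facility"] == "kern" and rec["program"] == "kernel"
            and rec["severity"] != "debug")
    ipt = (rec["facility"] == "kern" and "SRC=" in rec["message"]
           and "DST=" in rec["message"])
    if kern and ipt:
        return "firewall"
    if kern:
        return "kernel"
    # program() in syslog-ng is an unanchored regex match, hence re.search
    if re.search(r"pppd", rec["program"]):
        return "pppd"
    if re.search(r"openvpn.*", rec["program"]):
        return "openvpn"
    return "messages"


def format_line(rec):
    """One text line per message, roughly in the layout logread shows."""
    tag = rec["program"] + ": " if rec["program"] else ""
    return "%s %s %s.%s %s%s\n" % (rec["timestamp"] or "-", rec["host"],
                                    rec["facility"], rec["severity"], tag,
                                    rec["message"])


def serve(bind_ip="0.0.0.0", port=514, log_dir=LOG_DIR, allowed=ALLOWED_SENDERS):
    """Receive datagrams and append each to <log_dir>/<route>.  recvfrom()
    returns exactly one datagram per call, so framing never depends on a
    trailing newline, which line-oriented readers such as logger expect.
    UDP syslog is unauthenticated and trivially spoofed: bind to the LAN
    address only and drop anything that is not from the known sender."""
    os.makedirs(log_dir, exist_ok=True)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        if allowed and peer not in allowed:
            continue
        rec = parse_syslog(data, peer)
        with open(os.path.join(log_dir, route(rec)), "a") as f:
            f.write(format_line(rec))


if __name__ == "__main__":
    # usage: python3 receiver.py <lan-ip-of-this-router>   (port 514 needs root)
    serve(sys.argv[1] if len(sys.argv) > 1 else "0.0.0.0")
```

On the sending router, `/etc/config/system` needs `option log_ip` set to the receiver's LAN address and `option log_port '514'` (and `option log_proto 'udp'`), which is the same logd forwarding the previous post uses, just pointed at another box. The files under `LOG_DIR` grow like any other log on tmpfs, so they need the same rotation discussed in the next posts.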

Solid advice here, many thanks! Do you keep the log files in RAM, or an external device? How do you prevent it from filling all the space?

My router is a custom one with a big SSD in it, so space is not an issue for me.

That said, you can handle the logs in a number of ways:

  • Log to /var, which is a RAM-based tmpfs filesystem symlinked from /tmp, and then use logrotate triggered by an hourly cron job with a size parameter in logrotate.conf, maybe keeping only one old, gzipped copy of each logfile

  • Log to a filesystem on an external USB device

  • Log to a SMB or NFS network filesystem

I'm assuming you don't have a separate machine running syslog that you could log to, otherwise you'd be doing this already.

So, for example, /etc/logrotate.d/firewall:

/var/log/firewall {
   # rotate once the file exceeds 1 MiB (checked on every cron run);
   # when size is given it takes precedence over the daily interval
   size 1M
   missingok
   rotate 2
   daily
   compress
   # make syslog-ng reopen the freshly rotated file
   postrotate
      /usr/sbin/syslog-ng-ctl reload
   endscript
}

I think I have all the info I need now, many thanks!!!
