Need Help to Log Syslog Messages with Dropped Packets to Remote Syslog Server

I enabled logging on the "outside" (aka "wan") firewall zone, and I see that the packets dropped by OpenWRT are logged to the kernel log and to the system log in OpenWRT:

Kernel Log:

[70536.118709] DROP outside in: IN=eth0 OUT= MAC=00:01:c0:19:XX:XX:00:01:5c:67:XX:XX:08:00 SRC=194.26.27.104 DST=73.237.XXX.XX LEN=40 TOS=0x00

System Log:

Wed Oct 21 16:37:57 2020 kern.warn kernel: [70959.000404] DROP outside in: IN=eth0 OUT= MAC=00:01:c0:19:XX:XX:00:01:5c:67:XX:XX:08:00 SRC=192.35.169.46 DST=73.237.XXX.XX LEN=44 TOS=0x00 PREC=0x00 TTL=34 ID=9678 PROTO=TCP SPT=12557 DPT=21290 WINDOW=1024 RES=0x00 SYN URGP=0

I have a few questions:

  1. The source IP addresses of dropped packets' messages logged in the Kernel Log do not match source IP addresses of dropped packets' messages logged in the System Log. It looks like some such messages are logged to the Kernel Log, while other such messages are logged to the System Log. I haven't been able to correlate one single source IP of the dropped packets messages between the two logs.

  2. Regardless of the Log Output Level Set in LuCI > System > Logging : Log Output Level, none of the dropped packets show up in the syslog server. The syslog server does receive syslog messages from OpenWRT, just not the messages with DROP in them. Why?

  3. Is it possible to reformat the output sent by OpenWRT to a remote host (syslog server)? If so, where is this done?

Thank you.
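As an added example (not part of the post or of OpenWrt), a small Python parser that normalises both log shapes shown above, the raw kernel-log line and the `kern.warn kernel:` line from logd, into one record, so entries from the two logs in question 1 can be matched and dropped packets counted per source. The sample lines are constructed (documentation-range addresses, made-up MAC), and the prefix "DROP outside in" is the one the post shows.

```python
import re
from typing import Optional

# Constructed sample lines (documentation-range addresses, made-up MAC) in the two
# shapes the post shows: a raw kernel-log line and the same kind of line via logd.
KERNEL_LINE = ("[70536.118709] DROP outside in: IN=eth0 OUT= "
               "MAC=00:01:c0:19:aa:bb:00:01:5c:67:cc:dd:08:00 SRC=198.51.100.7 "
               "DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=54321 PROTO=TCP "
               "SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0")
SYSLOG_LINE = ("Wed Oct 21 16:37:57 2020 kern.warn kernel: [70959.000404] DROP outside in: "
               "IN=eth0 OUT= MAC=00:01:c0:19:aa:bb:00:01:5c:67:cc:dd:08:00 "
               "SRC=198.51.100.9 DST=203.0.113.5 LEN=44 TOS=0x00 PREC=0x00 TTL=34 "
               "ID=9678 PROTO=TCP SPT=12557 DPT=21290 WINDOW=1024 RES=0x00 SYN URGP=0")

# Optional syslog header, kernel uptime stamp, the rule's log prefix ("DROP outside in"),
# then the netfilter key=value fields; the regex accepts both shapes.
LINE_RE = re.compile(
    r"^(?:(?P<stamp>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) (?P<facility>[\w.]+) kernel: )?"
    r"\[\s*(?P<uptime>\d+\.\d+)\] (?P<prefix>[^:]*): (?P<fields>IN=.*)$")

def parse_netfilter_log(line: str) -> Optional[dict]:
    """One dict per firewall log line, or None if the line is not a netfilter log."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {k: v for k, v in m.groupdict().items() if v is not None and k != "fields"}
    rec["uptime"] = float(rec["uptime"])
    rec["flags"] = []
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val            # OUT= stays "" for packets dropped on input
        else:
            rec["flags"].append(tok)  # bare tokens are TCP flags/DF: SYN, ACK, ...
    return rec

def same_packet(a: dict, b: dict) -> bool:
    """True when two records (from either log) describe the same dropped packet:
    same kernel uptime stamp, 5-tuple and IP ID."""
    keys = ("uptime", "SRC", "DST", "PROTO", "SPT", "DPT", "ID")
    return all(a.get(k) == b.get(k) for k in keys)

def drops_by_source(lines) -> dict:
    """Count DROP events per SRC across any mix of the two line formats."""
    counts: dict = {}
    for rec in map(parse_netfilter_log, lines):
        if rec and rec["prefix"].startswith("DROP"):
            counts[rec["SRC"]] = counts.get(rec["SRC"], 0) + 1
    return counts
```

Feeding both `logread` output and `dmesg` output through `parse_netfilter_log` and comparing with `same_packet` shows directly whether a given drop appears in one log, the other, or both.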

Remote logging: https://openwrt.org/docs/guide-user/base-system/system_configuration
You need to configure it on the remote server, too. Depends upon syslog-ng or rsyslog.
syslog-ng, udp, port 514 works like a charm for me.


I had reviewed that page before I posted the question. Like I mentioned in my question, I do receive syslog messages from OpenWRT to the syslog server. However, I do not receive any messages in the syslog server about the packets that enter the *wan* zone from the Internet and are dropped by the firewall, even though these messages appear in the System Log in OpenWRT. There is nothing to configure on this syslog server. It doesn't have an option to filter received syslog messages by their syslog level. Everything sent to this server is logged to a file, so OpenWRT is not sending the messages about the packets dropped by the firewall to the remote syslog server.

Can someone help me figure this out?

Thank you.