Remote rsyslog does not log everything

I set up remote logging using LuCI.
External log server: IPv4 address of remote Ubuntu 24.04 with rsyslog and UDP listener
Log output level: Debug
Cron log level: Normal

There are only 2 lines on the remote server in /var/log/syslog:

grep OpenWrt syslog
2025-07-02T11:24:31+00:00 OpenWrt logread[6380]: Logread connected to redacted:514 via udp
2025-07-02T11:28:50+00:00 OpenWrt root: testLog Blah1

but on OpenWrt:

Wed Jul  2 11:24:31 2025 daemon.info logread[6380]: Logread connected to redacted:514 via udp
Wed Jul  2 11:28:04 2025 authpriv.info dropbear[6680]: Child connection from redacted:38616
Wed Jul  2 11:28:04 2025 authpriv.notice dropbear[6680]: Pubkey auth succeeded for 'root' with ssh-ed25519 key redacted from redacted:38616
Wed Jul  2 11:28:21 2025 authpriv.info dropbear[6680]: Exit (root) from <redacted:38616>: Disconnect received
Wed Jul  2 11:28:49 2025 authpriv.info dropbear[6731]: Child connection from redacted:36214
Wed Jul  2 11:28:50 2025 authpriv.notice dropbear[6731]: Pubkey auth succeeded for 'root' with ssh-ed25519 key redacted from redacted:36214
Wed Jul  2 11:28:50 2025 user.notice root: testLog Blah1

Which log level do I need to log really everything?

I'm doing the remote logging for one reason:
At undetermined times the system simply halts/locks up/etc., i.e. it is no longer available, and I'd like to find out why and when.
When the system locks up, I don't have access to the logs, because I can't connect via SSH or even do anything via the serial port.
So I'd like to have the complete log.

Are syslog packets sent to the network? (tcpdump -i eth0 upp port 514 host openwrt.lan)


tcpdump: can't parse filter expression: syntax error

I did the following now:

tcpdump -i br0 port 514

and ssh'd into OpenWrt,
which led to the following:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
12:17:30.179779 IP OpenWrt.fritz.box.50899 > redacted.514: SYSLOG authpriv.info, length: 84
12:17:30.338538 IP OpenWrt.fritz.box.50899 > redacted.514: SYSLOG authpriv.notice, length: 172

However, on the remote side:

2025-07-02T12:15:46+00:00 OpenWrt kernel: [ 6246.417651] br0: entered promiscuous mode
2025-07-02T12:15:47+00:00 OpenWrt kernel: [ 6246.498309] br0: left promiscuous mode
2025-07-02T12:15:52+00:00 OpenWrt kernel: [ 6252.118768] br0: entered promiscuous mode
2025-07-02T12:15:52+00:00 OpenWrt kernel: [ 6252.178210] br0: left promiscuous mode
2025-07-02T12:16:08+00:00 OpenWrt kernel: [ 6267.844516] br0: entered promiscuous mode
2025-07-02T12:16:08+00:00 OpenWrt kernel: [ 6267.917939] br0: left promiscuous mode
2025-07-02T12:17:03+00:00 OpenWrt kernel: [ 6322.972627] br0: entered promiscuous mode
2025-07-02T12:17:05+00:00 OpenWrt kernel: [ 6324.752238] br0: left promiscuous mode
2025-07-02T12:17:07+00:00 OpenWrt kernel: [ 6327.404781] br0: entered promiscuous mode

udp ......

No difference, I tried both of course; see above.

tcpdump -i eth0 udp port 514 works for me

I have a hunch that maybe rsyslog is not properly configured to receive, or rather log, all events, because all I did was enable the UDP listener, otherwise use the default Ubuntu conf, and restart rsyslog.

PEBKAC

False alarm.

auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log
mail.err                        /var/log/mail.err
*.emerg                         :omusrmsg:*
*.info;mail.none;authpriv.none;cron.none      /var/log/messages

is the rsyslog.conf, or rather the part in rsyslog.d;
the last line was added by me.