[SOLVED] OpenWrt is not sending syslog messages to external syslog server

sirizha · October 19, 2020, 12:51am

I replaced my pfSense with OpenWRT today. I've been learning OpenWRT and testing it for about 2 weeks and finally decided I was ready to make it my firewall.

So far, everything is working fine, but now that I'm using OpenWRT as my firewall, I would like to learn some advanced things like being able to send syslog messages to an external syslog server. So, I enabled a syslog server on QNAP, which is listening on UDP and TCP ports 514.

I'm able to send syslog messages from a Cisco 3560cg switch to the QNAP syslog server, and I see those messages in the QNAP syslog viewer. However, there are no messages in the syslog server from OpenWRT. I was able to ping the syslog server from OpenWRT, so network connectivity exists. I've also tried to use either UDP port 514 or TCP port 514 in OpenWRT, but neither setting works. The IP address of the syslog server is 192.168.200.30

The contents of the /etc/config/system file:

cat /etc/config/system

config system
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'
	option hostname 'firewall'
	option conloglevel '8'
	option cronloglevel '5'
	option zonename 'America/New York'
	option timezone 'EST5EDT,M3.2.0,M11.1.0'
	option log_ip '192.168.200.30'
	option log_port '514'
	option log_proto 'tcp'

config timeserver 'ntp'
...

cat /etc/config/system

config system
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'
	option hostname 'firewall'
	option conloglevel '8'
	option cronloglevel '5'
	option zonename 'America/New York'
	option timezone 'EST5EDT,M3.2.0,M11.1.0'
	option log_ip '192.168.200.30'
	option log_port '514'
	option log_proto 'udp'
config timeserver 'ntp'
....

I am grateful to anyone who can help.

Thank you.

anon50098793 · October 19, 2020, 12:54am

tried restarting the service by any chance?

sirizha · October 19, 2020, 12:55am

Is there a init.d script for it?

Also, what service is in charge of this?

slh · October 19, 2020, 1:07am

Should be /etc/init.d/log. I've tested remote syslogging over udp a bit recently (on master snapshots), albeit only using netcat/ nc on the server side and not a real server speaking the syslog protocol (but testing this would be worth it).

faser · October 19, 2020, 2:38am

Did you check the logs (on the router) to see any issues reported?
Next step is to check with tcpdump if the packets are sent to the server.

reinerotto · October 20, 2020, 5:15am

I am using it on many openwrt devices, no problem. However: On server, it is syslog-ng.
And via udp. As your /etc/config/system is correct, better look at your server.
First, to check the counters in your firewall there. Any packets received on port 514 ?

sirizha · October 20, 2020, 6:16am

It’s working now. Thank you.

faser · October 20, 2020, 7:19am

I think it is always helpful for others to summarize your solution.

sirizha · October 20, 2020, 11:37am

I restarted the syslog service like it was suggested above, and it started working.

system · October 30, 2020, 11:37am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.