System log level with logd

Can you confirm that with logd there is NO WAY to set the level of messages logged in the system log?
I tried and set conloglevel both in /etc/config/system and with UCI:

~# uci get system.@system[0].conloglevel
5

However, after restarring logd, this has apparently no effect and info (log level = 6) messages are still logged.

Solution: Use a different syslog implementation like syslog-ng, see Logd doesn't honor conloglevel (17.01.4, r3560-79f57e422d)

1 Like

Thanks, as I suspected. I wonder why OpenWrt is shipped with logd, not supporting it such basic functionality. Am I the only one needing that?

Storage space, flash wear, and many users who "never" look at the logs. There's enough there with logd to help diagnose problems, should they arise. That may be the first and only time most users looks at logs.

More sophisticated users have the option to install a more-complete logging system, including logging to different media or to different hosts.

2 Likes

Yes, there's even too much! Lots of info messages I don't need, hence the need to filter them out.

I'll look into syslog-ng, thanks!

2 Likes

If it's helpful, here a couple snippets I found useful for the way I do logging

destination messages {
	file("/var/log/messages" template("$FULLDATE $HOST $PRIORITY $PROGRAM: $MSG\n"));
};

destination wireless {
	file("/var/log/wireless" template("$FULLDATE $HOST $PRIORITY $PROGRAM: $MSG\n"));
};

filter f_wireless { program("hostapd") or program("wpa_supplicant"); };
filter f_messages { level(warning..emerg) or not filter(f_wireless); };

logrotate will help keep file size under control

1 Like

Hi I was thinking about having the deepest log as possible to try to figure out what happens when I plug a usb wifi dongle to my router. From the post above its like setting cronlog and conlog level at their maximum won't work. But reading about the syslog-ng on the new wiki (openwrt.org instead of old www.openwrt...) its like the new logging system is not the defaultone yet. Didnt find it in in my recentli generated from trunk bin file for ar150 gl inet. Are there any sources I should be aware of that explain how to move to this new logging system ? About the old one since I want to write everything to an external mounted usb how soon I can start the fstab process in the init.d directory ? I mean what is the minimum number for fstab START=?? that the system would allow?
Right now I have S12log but s40 fstab? Any hint?

Thanks

Best

P.

syslog-ng is an optional logging system, that will likely not be "default" for a variety of reasons, size being a major one.

I run it with the default procd script and it seems to work as I would expect, with boot-time kernel messages appearing in the logs. I do, however, write logs to /var/ and to remote logging hosts, not to late-mounted file systems.

Hi Jeff,

I installed syslog-ng without disabling normal log (i.e. Disable the default logging with /etc/init.d/log disable)

, Cannot find syslog-ng 3 but only syslog-ng inside the repository from Luci interface

wiki page is not realy clear to me:

https://openwrt.org/docs/guide-user/perf_and_log/log.syslog-ng3?s[]=syslog&s[]=ng

Enable and started the process with

/etc/init.d/syslog-ng enable

/etc/init.d/syslog-ng start

Right now I am getting output in var/log/messages

inside var I am getting two strange files syslog-ng.ctl and syslog-ng.persist.

If I kill the process and restart it I get

WARNING: configuration file is too old, syslog-*ng is running in compatibility mode. Pleasse update it to use the syslog-ng 3.16 format at your time of convenience .........

Actually I cannot find config file inside etc/config ??

Any clue ?

Thanks again

Bests

P.

Apparently the example on the wiki is outdated, compared to the current version of syslog-ng.

I crafted my own config based on the man page, available online or on a "full" Linux-based system. Mine does appear to be @version:3.9 so things may have changed since then. Perhaps some clues on the 3.16 format at https://www.syslog-ng.com/technical-documents/doc/syslog-ng-open-source-edition/3.16/administration-guide/13#TOPIC-956435

The entries in /var/ are not surprising for a sophisticated application that allows control over a socket.


Edit
Config is at /etc/syslogd-ng.conf

commit 7e9c044f1fd2061e380d8d57cf664cf275eb1af9
Author: W. Michael Petullo <mike@XXX>
Date:   Sun Jul 15 20:18:24 2018 -0400

    syslog-ng: update to 3.16.1
    
    Signed-off-by: W. Michael Petullo <mike@XXX>
jeff@office:~$ syslog-ng --version
syslog-ng 3 (3.16.1)
Config version: 3.16
Installer-Version: 3.16.1
[...]

Yes, I do see similar messages in my running config

jeff@devel:~$ sudo /etc/init.d/syslog-ng restart

2018 Sep 18 10:51:03 devel notice syslog-ng: syslog-ng shutting down; version='3.16.1'
[2018-09-18T10:51:04.918484] WARNING: Configuration file format is too old, syslog-ng is running in compatibility mode. Please update it to use the syslog-ng 3.16 format at your time of convenience. To upgrade the configuration, please review the warnings about incompatible changes printed by syslog-ng, and once completed change the @version header at the top of the configuration file.;
2018 Sep 18 10:51:05 devel notice syslog-ng: syslog-ng starting up; version='3.16.1'

Not a guarantee that your file is compatible with 3.16, but a quick edit of the header of mine to @version:3.16 has quelled the warning and it seems to be running properly. I did this based on the logged message and the absence of any "warnings about incompatible changes".

To upgrade the configuration, please review the warnings about incompatible changes printed by syslog-ng, and once completed change the @version header at the top of the configuration file.


Hi thanks JEFF syslog-ng is starting now,

but log is kind of empty need to figure out how to fill:

............

source src {
internal();
unix-dgram("dev/log");
};

source net {
ud(ip(0.0.0.0) port(514));
};

source kernel {
file"/proc/kmsg" program_override("kernel"));
};

.........

in the /etc/syslog.conf

I'll try to figure out

Thanks

P.

I'm not sure of your logging requirements, but the config below might help. I split "everyday wireless" out from my "main" log, and use the un-Linux-y /var/log/messages for my main log by personal preference.

I'd implement logrotate to help make sure you don't overflow the tempfs that is mounted on /tmp/ and, by way of symlink, /var/

"source net" and later references to it are probably not needed if you aren't logging to the OpenWrt box with standard, UDP-based syslog protocol.

@version:3.16

options {
	chain_hostnames(no);
	create_dirs(yes);
	flush_lines(0);
	keep_hostname(yes);
	log_fifo_size(256);
	log_msg_size(1024);
	stats_freq(0);
	flush_lines(0);
	use_fqdn(no);
};

source src {
	internal();
	unix-dgram("/dev/log");
};

source net {
	udp(ip(0.0.0.0) port(514));
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination messages {
	file("/var/log/messages" template("$FULLDATE $HOST $PRIORITY $PROGRAM: $MSG\n"));
};

destination wireless {
	file("/var/log/wireless" template("$FULLDATE $HOST $PRIORITY $PROGRAM: $MSG\n"));
};

filter f_wireless { program("hostapd") or program("wpa_supplicant"); };
filter f_messages { level(warning..emerg) or not filter(f_wireless); };

log {
	source(src);
	source(net);
	source(kernel);
	filter(f_messages);
	destination(messages);
};

log {
	source(src);
	source(net);
	source(kernel);
	filter(f_wireless);
	destination(wireless);
};

# put any customization files in this directory
@include "/etc/syslog-ng.d/"

Typical output from those formatting statements look like this

2018 Sep 21 14:00:00 office info crond: USER root pid 14408 cmd /usr/sbin/logrotate /etc/logrotate.conf
2018 Sep 21 14:39:43 office err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=7c:04:d0:xx:xx:xx ifname=wlan0-2 vlan_id=0) failed: -2 (No such file or directory)
2018 Sep 21 15:00:00 office info crond: USER root pid 14599 cmd /usr/sbin/logrotate /etc/logrotate.conf
2018 Sep 21 15:09:26 office info sshd: Accepted password for jeff from 10.xx.xx.xx port 64901 ssh2
2018 Sep 21 15:17:07 office notice sudo:     jeff : TTY=pts/0 ; PWD=/home/jeff ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages

(No, I don't know that that hostapd error is all about!)