Openwrt error log

Logging messages

This article relies on the following:

* Accessing web interface / command-line interface
* Managing configs / packages / services / logs

Introduction

The OpenWrt system logging facility is an important debugging/monitoring capability.
The standard logging facility is implemented using logd, the ubox log daemon.
This is implemented as a ring buffer of fixed-size records stored in RAM.
The ring buffer records can be read with logread on the router, streamed to a file, or sent to a remote system through a TCP/UDP socket.

# List syslog
logread
 
# Write a message with a tag to syslog
logger -t TAG MESSAGE
 
# List syslog filtered by tag
logread -e TAG
Usage: logger [OPTIONS] [MESSAGE]

Write MESSAGE (or stdin) to syslog

        -s      Log to stderr as well as the system log
        -t TAG  Log using the specified tag (defaults to user name)
        -p PRIO Priority (numeric or facility.level pair)

Examples of using priority and tag values:

logger "example"
logger -p notice -t example_tag "example notice"
logger -p err -t example_tag "example error"
# Fri May  8 00:23:26 2020 user.notice root: example
# Fri May  8 00:23:31 2020 user.notice example_tag: example notice
# Fri May  8 00:23:40 2020 user.err example_tag: example error

The message format differs based on the destination (local logread, local file, remote socket).
Roughly it can be viewed as:

<time stamp> <router name> <subsystem name/pid> <log_prefix>: <message body>

The logging message facility and priority are roughly equivalent to syslog implementations (see linux /usr/include/sys/syslog.h).
The local ‘logread’ executable puts the facility.priority after the time stamp.
Logging to a remote socket puts a numeric value before the time stamp.

For some common OpenWrt messages see log.messages.
FIXME — the log.messages reference is way out of date but a useful placeholder.

logd is configured in /etc/config/system. After changing the file, run

/etc/init.d/log restart
/etc/init.d/system restart

to read in the new configuration and restart the service.

There are three basic destinations for log messages: the RAM ring buffer (the default), a local persistent file, and a remote destination listening for messages on a TCP or UDP port.

The full set of log_* options for /etc/config/system is defined in System Configuration.

logread is the default and simplest interface.
It is a local executable that reads the ring buffer records and displays them chronologically.

In order to log to a local file on the router, one needs to set the following options:

config system 
...
   option log_file '/var/log/mylog'
   option log_remote '0'

In order to log remotely one needs to set the following options in /etc/config/system

config system
...
   option log_ip <destination IP>
   option log_port <destination port>
   option log_proto <tcp or udp>

For the destination port, if you’ll be manually reading the logs on the remote system as an unprivileged user (such as via the netcat command given below), then specify a high port (e.g. 5555). If you’re sending to a syslog server, use whatever port the syslog server is listening on (typically 514).

Additionally, the firewall3 default is to ACCEPT all LAN traffic. If the router blocks LAN-side access, add the following firewall3 rule to /etc/config/firewall to ACCEPT tcp/udp traffic from the router to the LAN-side.

config rule
      option target 'ACCEPT'
      option dest 'lan'
      option proto 'tcp udp'
      option dest_port '5555'
      option name 'ACCEPT-LOG-DEVICE-LAN'

and then reload the rules using /etc/init.d/firewall restart.

For the LAN-side station/client, there are a large number of mechanisms to listen for log messages.
One of the simplest is ncat:

# TCP
ncat -4 -l 5555
 
# Read UDP logs with ncat or python3
ncat -u -4 -l 5555
python3 -c "import socket
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
s.bind(('0.0.0.0', 5555))  # same port as log_port and the firewall rule above
while True:
    print(s.recvfrom(4096)[0].decode('utf-8', errors='replace'))"

Log messages are in traditional syslog format (RFC 3164 / 5424), beginning with a priority number in angle brackets (e.g., <30>) and lacking a terminating newline.
The above netcat method will therefore yield somewhat messy output. The python log reader above will most of the time get the line breaks into the right spots. A cleaner solution is to send messages to a remote machine’s syslog daemon, in which case they will appear in the remote system’s logs.
See Receiving Messages from a Remote System for server configuration instructions for rsyslog.
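The points made above (priority number in angle brackets, no terminating newline, one message per datagram) are easy to get wrong in a hand-rolled receiver. The following is an added example, not code from the OpenWrt wiki: it decodes the PRI value into the facility.severity pair that logread shows, parses the RFC 3164 header the text describes, and treats each UDP datagram as one complete message instead of splitting on newlines. The port 5555 and the field layout "<PRI>Mon DD HH:MM:SS host tag[pid]: message" are assumptions matching the configuration shown above.

```python
"""Decode raw syslog datagrams as logd sends them to a remote socket.

Added example, not OpenWrt code. Assumes the RFC 3164 layout described in
the text: "<PRI>" followed by "Mon DD HH:MM:SS host tag[pid]: message",
one message per datagram, no terminating newline.
"""
import re
import socket

# Facility and severity names in syslog.h order (index = numeric code)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon DD HH:MM:SS host tag[pid]: message   (pid part is optional)
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$", re.DOTALL)


def decode_pri(pri):
    """PRI = facility * 8 + severity; returns the (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_datagram(raw):
    """Parse one datagram; unparseable input is kept, not dropped."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _HEADER.match(text)
    if not m:
        return {"parsed": False, "raw": text}
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "parsed": True,
        "facility": facility,
        "severity": severity,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def format_like_logread(rec):
    """Render a parsed record in the facility.severity form logread prints."""
    pid = "[%d]" % rec["pid"] if rec["pid"] is not None else ""
    return "%s %s %s.%s %s%s: %s" % (rec["timestamp"], rec["host"], rec["facility"],
                                     rec["severity"], rec["tag"], pid, rec["msg"])


def serve(port=5555):
    """Print every datagram on its own line: one datagram is one message."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", port))
    while True:
        data, (ip, _) = s.recvfrom(4096)
        rec = parse_datagram(data)
        print(ip, format_like_logread(rec) if rec["parsed"] else rec["raw"])


if __name__ == "__main__":
    serve()
```

Because recvfrom returns whole datagrams, the receiver never needs the missing newline; for TCP the same parser applies, but there you must frame messages yourself (logd separates them with newlines on a stream socket).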

The advantage of using TCP is reliability: it logs every event.
The disadvantage is that it can cause some performance degradation on the router if the logging level is high.
There is a section on iptables event logging, which can cause noticeable latency in traffic throughput when TCP socket logging is used.

If you want to test the logging out, just run a command like

logger testLog "Blah1"

and it should be written to the configured destination.
If an event is not logged, check:

* /sbin/logd is running; it should have an argument of -S <log_size> indicating the size of the ring buffer,
* logd is configured correctly in /etc/config/system,
* restart it using /etc/init.d/log restart and check for warnings/errors

See rsyslog to, for example, route all or specific logs to a (central) rsyslog receiver

opkg install rsyslog

With the config file: /etc/rsyslog.conf

*.info;mail.none;authpriv.none;cron.none;kern.none  /var/log/messages
..
kern.*					  @192.168.1.119:514

rsyslog and Logz.io

You can log directly to a cloud ELK provider like Logz.io by adding a few lines to your rsyslog.conf.

Replace codecodecodecode with your unique Logz.io identifier; it is 32 characters long and appears in the help guides once you are logged in (see the Logz.io guide).

$template logzFormatFileTagName,"[codecodecodecode] <%pri%>%protocol-version% %timestamp:::date-rfc3339% %HOSTNAME% %app-name% %procid% %msgid% [type=TYPE] %msg%n"
*.* @@listener.logz.io:5000;logzFormatFileTagName

Confirm you have the right config with:

rsyslogd -N1

The logging mechanism discussed here uses logd. There are other packages that provide the same functionality.

See syslog-ng (log.syslog-ng3).
FIXME — the syslog-ng page appears very out-of-date.

In 12.09 the content of the memory buffer that syslogd writes to consists, by default, of up to 16 KB of UTF-8/ASCII encoded characters. Remember this when you use logger. To read the content of the memory buffer that syslogd writes to, use the logread utility (for kernel messages use dmesg). Let's have a look at the messages different programs produce: on OpenWrt they all start with the name of the program that sent the message plus its PID.

It would be foolish to even try to display and explain all the Log messages the programs used with OpenWrt generate. We need external links.

Feb  4 21:45:43 openwrt user.info dropbear[9815]: Child connection from 192.168.1.1:46247
Feb  4 21:45:43 openwrt user.notice dropbear[9815]: password auth succeeded for 'username' from 192.168.1.1:46247
Feb  5 00:03:34 openwrt user.info dropbear[9815]: exit after auth (username): Exited normally
Feb  5 03:13:39 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570
Feb  5 03:13:40 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570
Feb  5 03:13:42 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570
Feb  5 03:13:43 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570
Feb  5 03:13:45 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570
Feb  5 03:13:48 openwrt user.info dropbear[10221]: exit before auth (user 'root', 5 fails): Disconnect received

As you can see, it is possible to try many passwords. You can put an end to this by configuring dropbear or with netfilter.
You can (and should) read your logs regularly, but of course you can also trigger actions from logs.

Yes, when you have any service running 24/7, you are responsible for it. “I didn’t know” doesn’t really count in court. It is your responsibility to keep yourself informed!
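As an added example of reading these logs mechanically rather than by eye (not code from the page), the script below parses the local logread line format shown in the dropbear excerpt and reports any source address that reaches a number of "bad password attempt" messages inside a sliding time window. The threshold of 5 attempts and the 60-second window are illustrative assumptions, not dropbear or OpenWrt settings; the sample lines are the dropbear excerpt above.

```python
"""Flag repeated failed dropbear logins in logread output.

Added example; not code from the page. Parses the local logread line format
and counts "bad password attempt" messages per source address inside a
sliding window. THRESHOLD and WINDOW_S are illustrative assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5     # failed attempts within the window that trigger a report
WINDOW_S = 60     # sliding window length in seconds

# Feb  5 03:13:39 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570
_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ \S+ dropbear\[\d+\]: "
    r"bad password attempt for '(?P<user>[^']*)' from (?P<ip>[\d.]+):\d+$")

# Sample input: the dropbear lines from the excerpt above
SAMPLE_LINES = [
    "Feb  4 21:45:43 openwrt user.info dropbear[9815]: Child connection from 192.168.1.1:46247",
    "Feb  4 21:45:43 openwrt user.notice dropbear[9815]: password auth succeeded for 'username' from 192.168.1.1:46247",
    "Feb  5 00:03:34 openwrt user.info dropbear[9815]: exit after auth (username): Exited normally",
    "Feb  5 03:13:39 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570",
    "Feb  5 03:13:40 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570",
    "Feb  5 03:13:42 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570",
    "Feb  5 03:13:43 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570",
    "Feb  5 03:13:45 openwrt user.warn dropbear[10221]: bad password attempt for 'root' from 192.168.1.1:51570",
    "Feb  5 03:13:48 openwrt user.info dropbear[10221]: exit before auth (user 'root', 5 fails): Disconnect received",
]


def _seconds(ts):
    """logread timestamps carry no year; a fixed one keeps them comparable."""
    dt = datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")
    return (dt - datetime(2000, 1, 1)).total_seconds()


def find_bruteforce(lines, threshold=THRESHOLD, window_s=WINDOW_S):
    """Return {ip: {"user", "attempts", "last"}} for every address that
    reaches `threshold` failed attempts within `window_s` seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    hits = {}
    for line in lines:
        m = _FAIL.match(line)
        if not m:
            continue              # not a failed-login line
        ip, t = m.group("ip"), _seconds(m.group("ts"))
        q = recent[ip]
        q.append(t)
        while t - q[0] > window_s:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            hits[ip] = {"user": m.group("user"), "attempts": len(q),
                        "last": m.group("ts")}
    return hits


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LINES).items():
        print("%s: %d failed logins for '%s', last at %s"
              % (ip, info["attempts"], info["user"], info["last"]))
```

Feeding it `logread -f` output (or the per-host files a remote syslog server writes) is enough to turn the manual "read your logs regularly" into a check that runs on its own; what to do with a hit (notify, or feed a netfilter rule as the text suggests) is a separate decision.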

Feb 3 16:04:14 openwrt user.warn kernel: IPT_dsl-Rej IN=pppoe-dsl OUT= MAC= SRC=119.121.32.2 DST=141.70.120.8 LEN=79 TOS=0x00 PREC=0x00 TTL=53 ID=22415 PROTO=UDP SPT=15758 DPT=38565 LEN=59
kernel: IPT_dsl-Rej IN=pppoe-dsl OUT= MAC= SRC=222.155.169.237 DST=79.128.154.27 LEN=60 TOS=0x00 PREC=0x40 TTL=46 ID=7247 DF PROTO=TCP SPT=4709 DPT=23 WINDOW=5808 RES=0x00 SYN URGP=0
Part of message | Meaning
kernel:         | The kernel sent this message (netfilter is part of the kernel; iptables/ip6tables are only the user-space programs used to configure netfilter)
IPT_dsl-Rej     | The string you set with --log-prefix, see configuration
IN=             | Incoming interface
OUT=            | Outgoing interface
MAC=            | dst and src MACs and something else
SRC=            | Source IP address
DST=            | Destination IP address
LEN=            | Overall length of the IP packet in bytes
TOS=            | The ToS flag
PREC=           | Belongs to ToS
TTL=            | Time-to-live in ms or in hops
ID=             |
DF              | Don't Fragment flag set
PROTO=          | Transport protocol used (TCP, UDP, etc.)
SPT=            | Source port
DPT=            | Destination port
LEN=            | Payload size in bytes
WINDOW=         |
RES=            |
SYN             | SYN flag, see Three-way handshake
URGP=           |

http://logi.cc/en/2010/07/netfilter-log-format/
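The table above is the field list; the following added example (not code from the page) turns a netfilter log line into a structure you can filter on. It handles the two details the table glosses over: bare flags with no "=" (DF, SYN) and LEN= appearing twice, once for the IP total and once for the transport payload. The field names are the ones in the table; nothing else is assumed.

```python
"""Parse netfilter (iptables LOG target) lines into fields.

Added example, not code from the page. Handles bare flags (DF, SYN, ...)
and the repeated LEN= key (IP total length, then transport length).
"""
import re

# Either KEY=VALUE (VALUE may be empty, e.g. "OUT=") or a bare flag word
_TOKEN = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)|(?P<flag>[A-Z]+)")


def parse_netfilter(line):
    """Return (log_prefix, fields, flags) or None for non-kernel lines.
    fields maps each key to a list so repeated keys such as LEN survive."""
    _, sep, rest = line.partition("kernel: ")
    if not sep:
        return None
    # Everything before the first " IN=" is the --log-prefix string
    prefix, sep, body = rest.partition(" IN=")
    if sep:
        body = "IN=" + body
    else:
        prefix, body = "", rest
    fields, flags = {}, []
    for m in _TOKEN.finditer(body):
        if m.group("flag"):
            flags.append(m.group("flag"))
        else:
            fields.setdefault(m.group("key"), []).append(m.group("val"))
    return prefix, fields, flags


def _first_int(fields, key):
    return int(fields[key][0]) if key in fields else None


def summarize(line):
    """Flatten a parsed line into the values most filters care about."""
    parsed = parse_netfilter(line)
    if parsed is None:
        return None
    prefix, f, flags = parsed
    lens = f.get("LEN", [])
    return {
        "prefix": prefix,
        "in": f.get("IN", [""])[0],
        "out": f.get("OUT", [""])[0],
        "src": f.get("SRC", [""])[0],
        "dst": f.get("DST", [""])[0],
        "proto": f.get("PROTO", ["?"])[0],
        "spt": _first_int(f, "SPT"),
        "dpt": _first_int(f, "DPT"),
        "ttl": _first_int(f, "TTL"),
        "ip_len": int(lens[0]) if lens else None,
        # Second LEN is the UDP length; TCP lines carry no second LEN
        "payload_len": int(lens[1]) if len(lens) > 1 else None,
        "flags": flags,
    }


if __name__ == "__main__":
    sample = ("Feb 3 16:04:14 openwrt user.warn kernel: IPT_dsl-Rej IN=pppoe-dsl OUT= MAC= "
              "SRC=119.121.32.2 DST=141.70.120.8 LEN=79 TOS=0x00 PREC=0x00 TTL=53 ID=22415 "
              "PROTO=UDP SPT=15758 DPT=38565 LEN=59")
    print(summarize(sample))
```

Because the parser keeps every occurrence of a key, a rule such as "rejected SYN to port 23 from the WAN side" becomes a dictionary lookup on `proto`, `dpt`, `in` and `flags` rather than a fragile grep.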

Feb 22 14:20:13 openwrt daemon.info pppd[18505]: Plugin rp-pppoe.so loaded.
Feb 22 14:20:13 openwrt daemon.notice pppd[18505]: pppd 2.4.4 started by root, uid 0
Feb 22 14:20:13 openwrt daemon.info pppd[18505]: PPP session is 1561
Feb 22 14:20:13 openwrt daemon.info pppd[18505]: Using interface pppoe-dsl
Feb 22 14:20:13 openwrt daemon.notice pppd[18505]: Connect: pppoe-dsl <--> eth0.2
Feb 22 14:20:13 openwrt daemon.info pppd[18505]: CHAP authentication succeeded: access accepted : xxxxxxx
Feb 22 14:20:13 openwrt daemon.notice pppd[18505]: CHAP authentication succeeded
Feb 22 14:20:13 openwrt daemon.notice pppd[18505]: peer from calling number xx:xx:xx:xx:xx:xx authorized
Feb 22 14:20:13 openwrt daemon.notice pppd[18505]: local  IP address 123.123.123.99
Feb 22 14:20:13 openwrt daemon.notice pppd[18505]: remote IP address 123.123.123.1
Feb 22 14:20:13 openwrt daemon.notice pppd[18505]: primary   DNS address 100.150.100.200
Feb 22 14:20:13 openwrt daemon.notice pppd[18505]: secondary DNS address 100.150.100.100
Feb 22 14:20:13 openwrt user.notice ifup: Enabling Router Solicitations on dsl (pppoe-dsl)
Feb 22 14:20:15 openwrt user.notice rdate: Synced with ntp0.fau.de
---
Feb 22 23:20:11 openwrt daemon.info pppd[18196]: Terminating on signal 15
Feb 22 23:20:11 openwrt daemon.info pppd[18196]: Connect time 1268.2 minutes.
Feb 22 23:20:11 openwrt daemon.info pppd[18196]: Sent 62343675 bytes, received 1094463306 bytes.
Feb 22 23:20:11 openwrt daemon.notice pppd[18196]: Connection terminated.
Feb 22 23:20:12 openwrt daemon.info pppd[18196]: Exit.

NOTE: You can make pppd verbose by setting option pppd_options debug in your /etc/config/network, see network. Run uci commit network and then restart pppd (ifdown pppoe-dsl does NOT restart the daemon; you can achieve that with ???)

Feb  4 20:07:59 openwrt daemon.info dnsmasq-dhcp[1026]: DHCPREQUEST(eth0.1) 192.168.1.1 xx:xx:xx:xx:xx:xx
Feb  4 20:07:59 openwrt daemon.info dnsmasq-dhcp[1026]: DHCPACK(eth0.1) 192.168.1.1 xx:xx:xx:xx:xx:xx wonderwoman
Feb  4 21:16:20 openwrt daemon.info dnsmasq-dhcp[1026]: DHCPREQUEST(eth0.1) 192.168.1.1 xx:xx:xx:xx:xx:xx
Feb  4 21:16:20 openwrt daemon.info dnsmasq-dhcp[1026]: DHCPACK(eth0.1) 192.168.3.1 xx:xx:xx:xx:xx:xx superman

Sending logs from OpenWRT/LEDE to syslog and handling events

2019-01-13 02:31:22 —
Evgeniy Shumilov

  As a follow-up to the article on syslog-ng, I decided to add a note on how to forward logs from OpenWRT and set up a reaction when an entry matches some filter. At home I have two Xiaomi MiWifi 3G (which turned out to be a very affordable device with decent specs), three Netgear WNR3500L, which currently work as gigabit switches in different parts of the apartment, and a Nexx 3020 for experiments. In short, the rule for saving logs should be common to all these devices, so that I don't have to write six separate configuration files. I decided to start with my main Xiaomi router, hostname gw01, running OpenWRT 18.06.


Configuring the router

  There are two ways to configure it: through the web interface and through the console. The first is as simple as it gets. Log in to the router, go to System -> System and enter the address of our syslog server on the Logging tab. In principle that is enough, but there is one problem: we need some keyword by which we can filter the logs coming specifically from OpenWRT, the same way we did earlier for Docker containers with the tag logging option, but the web interface has no such option, so we have to configure it from the console; fortunately, that is not much harder. Log in to the router over ssh and edit the system configuration file:

vim /etc/config/system

  Add the following parameters to the system section:

        option log_proto 'udp'
        option log_ip '10.11.11.4'
        option log_prefix 'OpenWRT-Routers'                                          
        option conloglevel '7' 
        option cronloglevel '7'

  If you are not comfortable with vi/vim (to save and exit press Esc, then type :wq), there is another way:

uci set system.@system[0].log_proto='udp'
uci set system.@system[0].log_ip='10.11.11.4'
uci set system.@system[0].log_prefix='OpenWRT-Routers'
uci set system.@system[0].conloglevel='7'
uci set system.@system[0].cronloglevel='7'

  After changing the settings, run the following to make them take effect

/etc/init.d/log restart

  The official documentation also said that you then need to run

/etc/init.d/system restart

  But for me it worked fine without that. To save the settings to flash memory, run

uci commit

  In the settings above, log_prefix is what determines what arrives in the PROGRAM field on our syslog, which is very convenient for filtering. 10.11.11.4 is the address of my syslog-ng server; yours will most likely be different. conloglevel and cronloglevel are the filtering levels for the kernel and for processes started from cron. The lowest is zero, the highest is eight.

Configuring syslog-ng

  Now we can look at the logs of the syslog-ng container. We should see an entry like this:

[2019-01-05T10:04:20.894114] Incoming log entry; line='Jan 5 15:04:20 gw01 OpenWRT-Routers: logread[32051]: Logread connected to 10.11.11.4:514' 
[2019-01-05T10:04:20.894234] Setting value; msg='0x55e2eb847c00', name='HOST_FROM', value='gw01.lan' 
[2019-01-05T10:04:20.894270] Setting value; msg='0x55e2eb847c00', name='SOURCE', value='src_net'

  As we can see, logd on the router has successfully connected to our syslog-ng. Now let's write the configuration file. For convenience we will put the logs in the directory logs/network/%hostname%.

filter f_openwrt {
    match("OpenWRT-Routers" value("PROGRAM"));
};

destination dst_openwrt {
    # "\n" terminates each written line (the backslash is part of the template)
    file( "/logs/network/${HOST}/$YEAR-$MONTH-$DAY.log" template("$ISODATE $LEVEL $MSG\n") );
};

log {
    source(src_net);
    filter(f_openwrt);
    destination(dst_openwrt);
};

  And reload with the script made specifically for this

scripts/reload

  In the router console we can test that logs are being sent with the command

logger test123

  We can verify that everything works.

$ tail -n 1 logs/network/gw01/2019-01-05.log 
2019-01-05T20:56:52+00:00 notice root: test123

Reacting to events

  Now let's do something more interesting: make syslog-ng trigger a script. The script in turn must keep reading stdin, otherwise you will be flooded with messages like

syslog-ng[2673]: POLLERR occurred while idle; fd='12'

  As an example, we will fire HTTP requests whenever a matching entry arrives in the logs. We will append the last word of the incoming entry to the URL. Contents of scripts/testscript:

#!/bin/sh
# Keep reading stdin for as long as syslog-ng keeps the pipe open
while read -r line; do
    # Append the last word of the entry to the URL; calling wget directly
    # (instead of piping a built command into sh) keeps log text from being run as shell code
    wget -q -O - "http://10.11.11.224:8000/${line##* }"
done < /dev/stdin

  On host 10.11.11.224:8000 I will bring up a test web server. It may return a 404 error, but we will see the requests in its logs, which is exactly what we need.

$ python -m SimpleHTTPServer 
Serving HTTP on 0.0.0.0 port 8000 ...

  Next we need a configuration file for syslog-ng:

filter f_openwrttest { 
    match("test123" value("MESSAGE")) and match("OpenWRT-Routers" value("PROGRAM")); 
};

destination dst_openwrttest { 
    program("/scripts/testscript"); 
}; 

log { 
    source(src_net); 
    filter(f_openwrttest); 
    destination(dst_openwrttest); 
};

  Now go back to the console of any of the routers and run:

$ logger test12345 
$ logger test123456

  And in the web server logs we see the following:

[06/Jan/2019 00:48:04] code 404, message File not found 10.11.11.4 - - 
[06/Jan/2019 00:48:04] "GET /test12345 HTTP/1.1" 404 - 10.11.11.4 - - 
[06/Jan/2019 00:48:06] code 404, message File not found 10.11.11.4 - - 
[06/Jan/2019 00:48:06] "GET /test123456 HTTP/1.1" 404 -

  This way we can call external APIs. For example, on some event (say, a VPN connection dropping) I could send the Addams Family theme in RTTTL format to my nearest managed power socket, or send an event to a monitoring system, but I will write about that some other time.


  I have also just added two useful features to the image: compression and cleanup of old logs. Since syslog-ng handles rotation perfectly well by itself, cleanup and compression are not hard to implement. I did it as follows: at start-up the entrypoint launches the script scripts/cleaner in the background, which in turn looks in the log directory for files named .clean with the following contents:

archive=7
clean=60

  For this example, all files (except the .clean file itself, of course) older than 60 days will be deleted in the same directory and all subdirectories. The remaining files (again except .clean and files with the bz2 extension) will be compressed with bzip2. By default the script runs every 2 hours.

  The repository is in the same place: https://github.com/alive-corpse/es-syslog-ng

Tags: admin, docker, logging

Update 2020-07-09: With the latest 19.07.3, syslog-ng is no longer the preferred option. Instead, read my other article on using rsyslog with OpenWRT.

Update 2014-10-08: If you upgraded to the stable Barrier Breaker 14.07, and Syslog-NG is not available, or if don’t want to use Syslog-NG for any other reason, please check our other article on using the built in logging feature of OpenWRT to write the log to a file.

We wrote earlier on OpenWRT on D-Link DIR-835. Now, we need to expand the functionality a bit more.

On OpenWRT, the default logging mechanism is an in-memory circular buffer. The user interface for it is the logread command. The log buffer default size is 16 kB. There are a couple of directives that can be set in the system configuration for OpenWRT, but because of the limited size of flash and the non-permanence of RAM, you need another solution if you want to store logs for anything longer than a day or two.

Syslog-NG

Syslog-NG is a good system logging program that is available for OpenWRT.

To install syslog-ng, enter the following command from ssh:

Install the packages:

opkg update
opkg install syslog-ng3

Make syslog start automatically on boot:

/etc/init.d/syslog-ng enable

Configuration for Syslog-NG

The configuration for syslog-ng goes in to the file /etc/syslog-ng.conf.

The following configuration logs to a monthly file on the USB drive and also excludes a couple of repetitive messages. It also avoids the annoying "--MARK--" entries that just eat up space.

Adjust the configuration to your needs:

@version:3.0

options {
        chain_hostnames(no);
        create_dirs(yes);
        flush_lines(0);
        keep_hostname(yes);
        log_fifo_size(256);
        log_msg_size(8192);
        stats_freq(0);
        flush_lines(0);
        use_fqdn(no);
        # Do not add "--MARK--" entries to the log
        mark_freq(0);
};

source local {
        internal();
        unix-stream("/dev/log");
};

source net {
        udp(ip(0.0.0.0) port(514));
};

source kernel {
        file("/proc/kmsg" program_override("kernel"));
};

destination logfile {
        # Log to a file on the USB filesystem, and a new file every month
        file("/mnt/usb/logs/syslog-$YEAR-$MONTH.log");
};
# This filter is used to exclude excessive noise in the logs
filter f_not_noise {
        # This is a warning from odhcpd about routing
        not message("there is no public prefix")
        and
        # This is cron executing the bandwidth monitor script every minute,
        # so we just exclude them too
        not message("cmd /mnt/usb/wrtbwmon/wrtbwmon ")
        ;
};

log {
        source(local);
        source(net);
        source(kernel);

        filter(f_not_noise);

        destination(logfile);
};

Start syslog-ng

Finally, start the syslog-ng program (enable only creates the boot-time symlink; start actually launches it)

/etc/init.d/syslog-ng start

Note that any changes you make to syslog-ng’s configuration followed by the command:

/etc/init.d/syslog-ng restart

will not take effect immediately. To solve this, use the following command instead:

killall syslog-ng
/etc/init.d/syslog-ng start

Adjust the startup order

By default, Syslog-NG takes a startup number of 50, that is, the init.d script is linked to /etc/rc.d/S50syslog-ng. This can cause some processes that start before syslog-ng to log to the old logging mechanism rather than syslog-ng.

To solve this, check the startup order using the following command:

Then change the startup order of syslog-ng to be just after the original logging mechanism.

mv /etc/rc.d/S50syslog-ng /etc/rc.d/S12syslog-ng

Then check the order again:

You should see syslog-ng right after S12log.

... /etc/rc.d/S12log -> ../init.d/log
... /etc/rc.d/S12syslog-ng -> ../init.d/syslog-ng

A typical day’s worth of logs is around 750 kB, so even a 1GB USB drive should last for a very long time. You can check intrusion attempts or unauthorized connections to WiFi months after they happen.

Further Reading

  • Logging on OpenWRT
  • OpenWRT Basic Log Support
  • Syslog-NG on OpenWRT

When debugging OpenWRT network components and user software, system problems need to be solved by analysing log information; online product quality tracking also requires log information to analyse product bugs, so the use of system logs is very important. This article records the process of enabling logs on OpenWRT-19.07 and automatically reporting them to a server.

1. Operating environment description

  1. The server side uses the rsyslog component installed automatically by the ubuntu-16.04 system;
  2. The syslog component is ported to the openwrt-19.07 system;
  3. The client is an mtk7621 router.

2. Server ubuntu16 system rsyslog parameter configuration

2.1 rsyslog parameter configuration file, /etc/rsyslog.conf

#  /etc/rsyslog.conf    Configuration file for rsyslog.
#
#                       For more information see
#                       /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
#
#  Default logging rules can be found in /etc/rsyslog.d/50-default.conf

module(load="imuxsock") # provides support for local system logging
module(load="imklog")   # provides kernel logging support
#module(load="immark")  # provides --MARK-- message capability

# provides UDP syslog reception
module(load="imudp")
input(type="imudp" port="514")      # Open the udp listening port on the server

# provides TCP syslog reception
module(load="imtcp")
input(type="imtcp" port="514")      # Open the server tcp listening port

# Enable non-kernel facility klog messages
$KLogPermitNonKernelFacility on

###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# Filter duplicated messages
$RepeatedMsgReduction on

#
# Set the default permissions for all log files.
#
$FileOwner syslog
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
$PrivDropToUser syslog
$PrivDropToGroup syslog
#
# Where to place spool and state files
#
$WorkDirectory /var/spool/rsyslog       # Storage path of log content received by the server

#
# Include all config files in /etc/rsyslog.d/
#
$IncludeConfig /etc/rsyslog.d/*.conf   # The path of rsyslog configuration file set. Users can supplement custom log storage, packaging and deletion rules

2.2 configuring log file storage rules

Create a new router.conf configuration file in /etc/rsyslog.d/, which sets the file name for the received logs, as follows:

root@ubuntu:/# cat /etc/rsyslog.d/router.conf
#
:FROMHOST-IP,startswith, "192.168.90." /var/spool/rsyslog/%fromhost-ip%-%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log
:fromhost-ip,isequal,"192.168.1.1" /var/spool/rsyslog/%fromhost-ip%-%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log
&~      #Indicates that the receiving log does not need to be written to the local log file

2.3 restart rsyslog service and detect the service startup status

sudo service rsyslog restart
sudo netstat -tulpn | grep rsyslog

root@ubuntu:/# netstat -tulpn|grep rsyslog
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN      8778/rsyslogd
tcp6       0      0 :::514                  :::*                    LISTEN      8778/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           8778/rsyslogd
udp6       0      0 :::514                  :::*                                8778/rsyslogd

3. syslog migration and parameter configuration of client OpenWRT system

3.1 configuring syslog components

Run make menuconfig and select the syslog component under Base system -> busybox (Core utilities for embedded Linux) -> System Logging Utilities, with the following items selected:

  [*] syslogd (13 kb)
  [*]   Rotate message files
  [*]   Remote Log support
  [*]   Support -D (drop dups) option
  [*]   Support syslog.conf
  (256) Read buffer size in bytes
  [*]   Circular Buffer support
  (4)     Circular buffer size in Kbytes (minimum 4KB)
  [*]   Linux kernel printk buffer support

Compile and write to mtk7621 router.

3.2 enable router log

  • The first method is to configure the syslog parameters with the uci set command, for example:

uci set system.system.log_file=/tmp/syslog

The configured contents are as follows:

config system
	option hostname 'OpenWrt'
	option ttylogin '0'
	option log_size '64'
	option urandom_seed '0'
# The following are syslog configuration parameters
	option log_ip '192.168.90.180'  #Server side address of log reporting
	option log_file '/tmp/syslog'  #Local log file storage location
	option conloglevel '7'
	option cronloglevel '8'
	option log_proto 'udp'       #udp communication is adopted for reporting
# The following time zone configuration information		
	option zonename 'Asia/Shanghai'
	option timezone 'CST-8'
  • The second method is to configure through the OpenWRT web management interface.

After logging in to the configuration interface, the configuration page path is: System -> System -> Log.

4. Verify the client syslog local log

View the local log file with root@eCloud:~# cat /tmp/syslog; the contents are as follows:

Thu Jun 17 08:10:47 2021 daemon.info logread[10237]: Logread connected to 192.168.90.180:514
Thu Jun 17 08:12:27 2021 daemon.warn zabbix_agentd[17566]: active check configuration update from [172.16.29.171:10051] started to fail (ZBX_TCP_READ() timed out)
Thu Jun 17 08:13:14 2021 daemon.err uhttpd[4723]: luci: accepted login on / for root from 192.168.90.29
Thu Jun 17 08:13:27 2021 daemon.warn zabbix_agentd[17566]: active check configuration update from [172.16.29.171:10051] is working again
Thu Jun 17 08:16:00 2021 daemon.err netdata[6426]: PROCFILE: Cannot open file '/proc/sysvipc/shm'
Thu Jun 17 08:16:42 2021 daemon.info dnsmasq[3711]: read /etc/hosts - 4 addresses
Thu Jun 17 08:16:42 2021 daemon.info dnsmasq[3711]: read /tmp/hosts/odhcpd - 0 addresses
Thu Jun 17 08:16:42 2021 daemon.info dnsmasq[3711]: read /tmp/hosts/dhcp.cfg01411c - 0 addresses
Thu Jun 17 08:16:42 2021 daemon.err netdata[6426]: PROCFILE: Cannot open file '/proc/sysvipc/shm'

This log is the local log content of the OpenWRT virtual machine. The log shows that the ZABBIX client failed to start because the file '/proc/sysvipc/shm' cannot be opened.

5. Verify the contents of the server-side rsyslog remote log

View the remotely reported log on the server side with root@ubuntu:/# cat var/spool/rsyslog/r-network.log |head -n 80; the contents are as follows:

Jun 17 06:33:22 ixe pppd[23653]: sent [LCP EchoRep id=0x83 magic=0xffaaa8e9]
Jun 17 06:33:31 ixe dnsmasq[4030]: read /etc/hosts - 4 addresses
Jun 17 06:33:31 ixe dnsmasq[4030]: read /tmp/hosts/odhcpd - 1 addresses
Jun 17 06:33:31 ixe dnsmasq[4030]: read /tmp/hosts/dhcp.cfg01411c - 2 addresses
Jun 17 06:33:31 ixe dnsmasq-dhcp[4030]: read /etc/ethers - 0 addresses
Jun 17 14:33:52 ixe pppd[23653]: rcvd [LCP EchoReq id=0x84 magic=0x6cf92d34]
Jun 17 14:33:52 ixe pppd[23653]: sent [LCP EchoRep id=0x84 magic=0xffaaa8e9]
Jun 17 14:34:09 ixe pppd[23653]: Terminating on signal 15
Jun 17 14:34:09 ixe pppd[23653]: Connect time 194.1 minutes.
Jun 17 14:34:09 ixe pppd[23653]: Sent 152 bytes, received 0 bytes.
Jun 17 14:34:09 ixe pppd[23653]: MPPE disabled
Jun 17 14:34:09 ixe pppd[23653]: Overriding mtu 1500 to 1400
Jun 17 14:34:09 ixe pppd[23653]: PPPoL2TP options: debugmask 0
Jun 17 14:34:09 ixe pppd[23653]: Overriding mru 1500 to mtu value 1400
Jun 17 14:34:09 ixe pppd[23653]: sent [LCP TermReq id=0x4 "MPPE disabled"]
Jun 17 14:34:09 ixe pppd[23653]: Overriding mtu 1500 to 1400
Jun 17 14:34:09 ixe pppd[23653]: PPPoL2TP options: debugmask 0
Jun 17 14:34:09 ixe pppd[23653]: Overriding mru 1500 to mtu value 1400
Jun 17 14:34:09 ixe pppd[23653]: sent [LCP TermReq id=0x5 "MPPE disabled"]
Jun 17 14:34:12 ixe pppd[23653]: sent [LCP TermReq id=0x6 "MPPE disabled"]
Jun 17 14:34:12 ixe pppd[23653]: Connection terminated.
Jun 17 14:34:12 ixe pppd[23653]: Modem hangup
Jun 17 14:34:12 ixe pppd[23653]: Exit.
Jun 17 14:34:33 ixe pppd[27050]: Plugin pppol2tp.so loaded.
Jun 17 14:34:33 ixe pppd[27050]: pppd 2.4.7 started by root, uid 0
Jun 17 14:34:33 ixe pppd[27050]: using channel 3
Jun 17 14:34:33 ixe pppd[27050]: Using interface ppp0
Jun 17 14:34:33 ixe pppd[27050]: Connect: ppp0 <-->
Jun 17 14:34:33 ixe pppd[27050]: Overriding mtu 1500 to 1400
Jun 17 14:34:33 ixe pppd[27050]: PPPoL2TP options: debugmask 0
Jun 17 14:34:33 ixe pppd[27050]: Overriding mru 1500 to mtu value 1400
Jun 17 14:34:33 ixe pppd[27050]: sent [LCP ConfReq id=0x1 <mru 1400> <asyncmap 0x0> <magic 0x7d73ba8d>]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <mru 1450> <magic 0xfb92c32>]
Jun 17 14:34:33 ixe pppd[27050]: sent [LCP ConfAck id=0x1 <auth chap MS-v2> <mru 1450> <magic 0xfb92c32>]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Jun 17 14:34:33 ixe pppd[27050]: sent [LCP ConfReq id=0x2 <mru 1400> <magic 0x7d73ba8d>]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [LCP ConfAck id=0x2 <mru 1400> <magic 0x7d73ba8d>]
Jun 17 14:34:33 ixe pppd[27050]: PPPoL2TP options: debugmask 0
Jun 17 14:34:33 ixe pppd[27050]: rcvd [CHAP Challenge id=0x1 <5570fcc24838fe7fa186d6a7f2688529>, name = "CHR-GZ-DY-Router003-MGT-1"]
Jun 17 14:34:33 ixe pppd[27050]: added response cache entry 0
Jun 17 14:34:33 ixe pppd[27050]: sent [CHAP Response id=0x1 <ea6f73fb3f10a92293b903f0b9ad13d40000000000000000f31a83726597822671b76789c9079504f9d054bf654db79b00>, name = "test02"]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [CHAP Success id=0x1 "S=9DCD53371E49AE8C63FEF51C461FCD90329C8978"]
Jun 17 14:34:33 ixe pppd[27050]: response found in cache (entry 0)
Jun 17 14:34:33 ixe pppd[27050]: CHAP authentication succeeded
Jun 17 14:34:33 ixe pppd[27050]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0>]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Jun 17 14:34:33 ixe pppd[27050]: sent [CCP ConfReq id=0x1 <mppe -H -M -S -L -D -C>]
Jun 17 14:34:33 ixe pppd[27050]: sent [CCP ConfNak id=0x1 <mppe -H -M +S -L -D -C>]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [proto=0x8281] 01 01 00 04
Jun 17 14:34:33 ixe pppd[27050]: Unsupported protocol 0x8281 received         #There are unsupported protocols here
Jun 17 14:34:33 ixe pppd[27050]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [IPCP ConfReq id=0x1 <addr 172.20.156.1>]
Jun 17 14:34:33 ixe pppd[27050]: sent [IPCP ConfAck id=0x1 <addr 172.20.156.1>]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [IPCP ConfNak id=0x1 <addr 172.20.156.3>]
Jun 17 14:34:33 ixe pppd[27050]: sent [IPCP ConfReq id=0x2 <addr 172.20.156.3>]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [CCP ConfNak id=0x1 <mppe +H -M +S -L -D -C>]
Jun 17 14:34:33 ixe pppd[27050]: sent [CCP ConfReq id=0x2 <mppe +H -M +S -L -D -C>]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [CCP ConfReq id=0x2 <mppe -H -M +S -L -D -C>]
Jun 17 14:34:33 ixe pppd[27050]: sent [CCP ConfAck id=0x2 <mppe -H -M +S -L -D -C>]
Jun 17 14:34:33 ixe pppd[27050]: rcvd [IPCP ConfAck id=0x2 <addr 172.20.156.3>]
Jun 17 14:34:33 ixe pppd[27050]: local  IP address 172.20.156.3
Jun 17 14:34:33 ixe pppd[27050]: remote IP address 172.20.156.1

The log shows the L2TP link setup and the heartbeat (LCP echo request/reply) messages, and a frame of an unsupported protocol (0x8281) being rejected with an LCP ProtRej.

Improve the remote reporting of logs after Internet NAT

Log files let us quickly locate problems in the running system and make troubleshooting more efficient. At present, there are still some problems with the rsyslog configuration in operation.

Problem 1: the log file name generation rule in the configuration is incorrect

As follows:

root@ubuntu:/# ls var/spool/rsyslog/
%fromhost-ip%-%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log  r-network.log

The file name here was created literally from the template: the client IP address and the date were not substituted into it.
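One cause that produces exactly this listing is using the property string as a static file path: rsyslog expands %property% names only inside a named template, so a percent string written directly as the action's file name becomes a literal file name. The following rsyslog.conf fragment is an added example, not from the original post (whose actual configuration is not shown); it puts the broken line beside the corrected one in legacy $template syntax. The template name RemoteLogs is an arbitrary choice, and the "& stop" line, which needs rsyslog 7 or later, only keeps the remote messages out of the local log files.

```conf
# Added example (not the original post's configuration). Legacy rsyslog syntax.

# Broken: the property names are used directly as a static file name, so rsyslog
# creates a file literally called "%fromhost-ip%-%HOSTNAME%-%$YEAR%-...log",
# which is what the ls output above shows.
#*.* /var/spool/rsyslog/%fromhost-ip%-%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log

# Corrected: define a named template and reference it with "?" so rsyslog
# builds the file name per message (a dynamic file, one per client IP and day).
$template RemoteLogs,"/var/spool/rsyslog/%fromhost-ip%-%HOSTNAME%-%$YEAR%-%$MONTH%-%$DAY%.log"
*.* ?RemoteLogs
# Do not also write the remote messages into the local log files (rsyslog >= 7).
& stop
```

With the corrected rule a message from 192.0.2.10 (a constructed address) from a host named OpenWrt lands in /var/spool/rsyslog/192.0.2.10-OpenWrt-2020-05-08.log. Note that %fromhost-ip% is the address rsyslog sees, so for devices behind NAT it is the NAT address, which is exactly the situation described as problem 2 below.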

Problem 2: devices reporting over the Internet, and the log file naming rule

If the device reaches the cloud server over the Internet, its source address is replaced by the NAT address, and the factory-default host name is the same on every device; how then can the log information of different devices be told apart? This problem will be addressed later.

If you have any good methods, please leave a message, thank you.

LuCI's native debugging facilities are not very convenient; the following debugging method was found online.

Save the following Lua code as log.lua and place it in /usr/lib/lua/luci; it can then be required from any LuCI module.

local M = {}

local tconcat = table.concat
local tinsert = table.insert
local srep = string.rep

-- Append one raw line to the debug output file.
local function local_print(str)
    local dbg = io.open("/tmp/luci.output", "a+")
    local str = str or ""
    if dbg then
        dbg:write(str .. '\n')
        dbg:close()
    end
end

-- Write all arguments on one time-stamped line, separated by two spaces.
function M.print(...)
    local dbg = io.open("/tmp/luci.output", "a+")
    if dbg then
        dbg:write(os.date("[%H:%M:%S]: "))
        for _, o in ipairs({...}) do
            dbg:write(tostring(o) .. '  ')
        end
        dbg:write("\n")
        dbg:close()
    end
end

-- Dump a value (usually a table) recursively, up to `depth` nesting levels
-- (default 3). Deeper tables are printed as {*}, empty tables as {}.
function M.print_r(data, depth)
    local depth = depth or 3
    local cstring = ""
    local top_flag = true

    -- Count the entries of a table (works for non-sequence tables too).
    local function table_len(t)
        local i = 0
        for k, v in pairs(t) do
            i = i + 1
        end
        return i
    end

    local function tableprint(data, cstring, local_depth)
        if data == nil then
            local_print("core.print data is nil")
        end

        local cs = cstring .. "    "
        if top_flag then
            local_print(cstring .. "{")
            top_flag = false
        end
        if type(data) == "table" then
            for k, v in pairs(data) do
                if type(v) ~= "table" then
                    if type(v) == "string" then
                        local_print(cs .. tostring(k) .. " = '" .. tostring(v) .. "'")
                    else
                        local_print(cs .. tostring(k) .. " = " .. tostring(v))
                    end
                elseif table_len(v) == 0 then
                    local_print(cs .. tostring(k) .. " = {}")
                elseif local_depth < depth then
                    local_print(cs .. tostring(k) .. " = {")
                    tableprint(v, cs, local_depth + 1)
                else
                    local_print(cs .. tostring(k) .. " = {*}")
                end
            end
        else
            local_print(cs .. tostring(data))
        end
        local_print(cstring .. "}")
    end

    tableprint(data, cstring, 0)
end

return M

Calling it from a LuCI module:

-- Example of use in a block of LuCI code
local password
-- Import the log module
local log = require "luci.log"
-- Make luci.http available
require "luci.http"
-- Get the incoming form data
password = luci.http.formvalue('password')
-- Write it to the log
log.print(password)
log.print_r(password)

Follow the log output file with tail -f:

tail -f /tmp/luci.output
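The call above writes the raw password form value into /tmp/luci.output, and that file stays on the router after the debugging session, readable by anything that can read /tmp. The following module is an added example, not part of the original post or of LuCI: it logs a whole request form in the same style but masks fields whose name suggests a credential. The file name /usr/lib/lua/luci/safelog.lua, the module name luci.safelog, the pattern list, and the assumption that luci.http.formvalue() with no argument returns the whole parameter table are all mine.

```lua
-- Added example (not from the original post): save as
-- /usr/lib/lua/luci/safelog.lua (assumed path) and require it as "luci.safelog".
-- Same output file and line style as luci.log above, but credential-like
-- fields are masked before they reach the file.
local M = {}

local LOGFILE = "/tmp/luci.output"                      -- same file as luci.log
local SENSITIVE = { "pass", "secret", "token", "key", "psk" }  -- assumed list

-- True when a key name contains one of the sensitive substrings (case-insensitive).
local function is_sensitive(key)
    local k = string.lower(tostring(key))
    for _, pat in ipairs(SENSITIVE) do
        if string.find(k, pat, 1, true) then   -- plain find, no pattern magic
            return true
        end
    end
    return false
end

-- Hide the value but keep its length, which is usually enough for debugging.
local function mask(v)
    return string.format("<redacted:%d chars>", #tostring(v))
end

-- Append one time-stamped line to the debug output file.
local function write_line(line)
    local fh = io.open(LOGFILE, "a+")
    if fh then
        fh:write(os.date("[%H:%M:%S]: "), line, "\n")
        fh:close()
    end
end

-- Log a single key/value pair, redacting when the key looks sensitive.
function M.kv(key, value)
    if is_sensitive(key) then
        write_line(tostring(key) .. " = " .. mask(value))
    else
        write_line(tostring(key) .. " = " .. tostring(value))
    end
end

-- Log every field of a form table, one line per field.
-- Assumption: luci.http.formvalue() with no argument returns the whole table.
function M.form(tbl)
    for k, v in pairs(tbl or {}) do
        M.kv(k, v)
    end
end

-- Usage from a LuCI module:
--   local slog = require "luci.safelog"
--   slog.form(luci.http.formvalue())
-- A field named "password" is then logged as: password = <redacted:8 chars>

return M
```

Matching on the key name is a heuristic: a secret posted under an unremarkable field name is still written in clear, so the module is a safety net for ad-hoc debugging rather than a substitute for removing the debug hook once the problem is found.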

Transferred from https://blog.csdn.net/bailyzheng/article/details/48663369
