Login or Register for free.
The UHF of the film world.


quietearth [General News 09.27.06]

Share on Google+


I wanted to log messages from my openwrt router to a specific log file based on it's host/ip but unfortunately the regular syslog daemon will not allow this. So since I'm using ubuntu (edgy) I can easily install syslog-ng which is a pre-configured replacement for syslog/klog. First off install it, and it will remove the packages klogd, sysklogd, and ubuntu-minimal.
# apt-get install syslog-ng

Now we need to modify the configuration, edit /etc/syslog-ng/syslog-ng.conf, and first we need to add udp listening to accept remote syslogs. We could do this under the s_all source, but we need to define a different source so our remote hosts logs do not get mixed in with our regular ones. Place this after source s_all is finished.
source s_net { udp (); };


Now further down where logging starts, we need to first add a filter for our openwrt host and I will use it's ip to do this. Then we add a log file destination for that specific host. And after that we put in the log definition with our newly created source, our host filter, and our file destination.
filter f_openwrt { host( "192.168.1.1" ); };
destination df_openwrt { file("/var/log/openwrt.log"); };
log { source ( s_net ); filter( f_openwrt ); destination ( df_openwrt ); };

Go ahead and restart syslog-ng now:
# /etc/init.d/syslog-ng restart

Since we added a new logfile, we need to modify /etc/logrotate.d/syslog-ng. This will make sure our new logfile gets rolled. This entry has to go in before the last one which restarts the syslog-ng daemon. Here's what I put in:
/var/log/openwrt.log {
   rotate 7
   weekly
   missingok
   notifempty
   compress
}

Tested under Ubuntu edgy.

avatar

Andy (5 years ago) Reply

'apt-get install syslog-ng' on edgy does not work for me.. i get ... "Package syslog-ng is not available, but is referred to by another package." etc.

any ideas.. or what's the trick?

avatar

quietearth (5 years ago) Reply

Make sure you have all of the repositories turned on, you can do this under Settings->Repositories in Synaptic. It's in one of the "universe" repositories.
I just tried this on a fresh edgy system with all repo's turned on and it works fine..

avatar

Andy (5 years ago) Reply

Yup.. that fixed it. Now I can't get syslog to actually log anything from a remote host. The testing continues.

avatar

quietearth (5 years ago) Reply

Are you sure you added the source s_net { udp(); }; line?

On the remote host you should be adding something like this in the /etc/syslog.conf:
*.* @hostname

where hostname is something valid, or you can just put an ip.

avatar

claudijd (5 years ago) Reply

You may also want to check to see if you have iptables running. If so, you need to a rule to allow udp 514.

"-A INPUT -m state --state NEW -p udp --dport 514 -j ACCEPT"

avatar

MarkF (4 years ago) Reply

Thank you very much for the terrific HowTo! I used your guide to configure my home system to log all of my VoIP gateway's SIP traffic, and it works perfectly. I appreciate the time you spent to write this up!

avatar

Captain Pleased (3 years ago) Reply

Very nice, see also: appreciated.

avatar

Anonymous (2 years ago) Reply

Thanks allot, I used my own filter to log cisco devices that log to local7 (default for cisco) to cisco.log

#Cisco Device Logs
filter local7 { facility( local7 ); };
destination cisco { file("/var/log/cisco.log"); };
log { source ( s_net ); filter( local7 ); destination ( cisco ); };

avatar

JR (2 years ago) Reply

Great, concise tutorial on getting syslog-ng up and running. This is much easier than configuring syslogd.

avatar

Chiefs Hockey (2 years ago) Reply

Wow, amazing simple tutorial! I used my script to log some output of my firewall to Ubuntu. Sweet!

http://www.chiefs.at

avatar

Anonymous (1 year ago) Reply

really useful - thanks.

avatar

cooba (1 year ago) Reply

Great HOWTO!
For those who has problems with filtering by host...
AFAIK host() requires regexp that's why it didn't work for me (ubuntu 9.04; syslog-ng 2.0.9) - you have to change host filter to:
filter f_openwrt { host( "192.168.1.1" ); };
Good luck!

avatar

cooba_again (1 year ago) Reply

OK - update to previous post...
You have to escape dots in IP address with backslash!!!
Apparently, this site does something strange with backslashes - that's why you can't see them in both original HOWTO and my post.
Still Great HOWTO!

avatar

Anonymous (1 year ago) Reply

i had to use host("192.168.1.1$") why??

avatar

Anonymous (1 year ago) Reply

thx, just what i needed to get my dd-wrt device pushing logs to a central box.

avatar

jentino (1 year ago) Reply

i had to specify the hostname and it worked.

avatar

Anonymous (1 year ago) Reply

Thanks heaps. Old howto but still applies today! Ubuntu 10.04

avatar

tapioca (1 year ago) Reply

works on centos5 too. you rock. :D

avatar

felix (1 year ago) Reply

great post!

avatar

moar props (1 year ago) Reply

Write more walk-throughs and get more props, nice work, it was almost too easy, thanks!

avatar

mgoz (1 year ago) Reply

Thank you, great post, tomato now logging to my Ubuntu machine.

avatar

Anonymous (11 months ago) Reply

Thanks man now i can catch all them dodgy chinese hax0rs

avatar

Anonymous (7 months ago) Reply

Thanks, used this guide to get syslogging working for my Billion router.


Leave a comment








Related articles