OpenWRT syslog-ng Installation

When I went to process my remote firewall log output from OpenWRT, I noticed that the entries were truncated.  A quick check with tcpdump indicated that the syslog packets were truncated to 256 characters.  As syslogd and klogd are both provided by BusyBox, I decided to replace them both.  The obvious solution was to replace them with syslog-ng.  opkg indicated that it was available, so installation was simple.

Unfortunately, configuration is not yet automated. A default configuration file is provided in /etc/syslog-ng. It simply logs to /var/log/messages and assumes that klogd is active. After some research and experimentation, I came up with the configuration below. It can provide a local log in /var/log/messages. More importantly, it sends complete firewall log entries to the remote server.

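options {
    chain_hostnames(off);   # do not record the chain of relaying hosts in the hostname
    sync(0);                # write each message out immediately instead of buffering lines
    stats(0);               # disable the periodic statistics messages
};

# Local messages from /dev/log plus syslog-ng's own internal messages
source src { unix-stream("/dev/log"); internal(); };
# Kernel messages read directly from /proc/kmsg, replacing klogd
source kernel { file("/proc/kmsg" log_prefix("kernel: ")); };

# Local log file (disabled in the log statement below)
destination messages { file("/var/log/messages" log_fifo_size(256)); };
# Remote syslog server
destination d_udp { udp("192.168.10.2" port(514)); };

log {
    source(src);
    source(kernel);
    destination(d_udp);
#    destination(messages);
};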

There is a conflict between the standard syslog setup and syslog-ng: both will be started when the server restarts. To resolve this, I edited /etc/init.d/boot and commented out the startup of syslogd and klogd.

Log rotation requires additional configuration, so I have disabled the local log.
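
To confirm on the remote server that firewall entries now arrive whole, each received payload can be checked for the fields that close a netfilter LOG line. The following is an added example, not part of the original post; it assumes the standard iptables LOG field layout, and the function name and sample entry are constructed for illustration.

```python
import re

# Size the post saw BusyBox syslogd packets cut to (from the tcpdump check).
BUSYBOX_LIMIT = 256

# Assumption: entries use the standard netfilter LOG layout (KEY=value pairs).
FIREWALL = re.compile(r"\bIN=\S* OUT=")
FIELD = re.compile(r"\b([A-Z]+)=(\S+)")
# Fields a complete entry carries for each protocol.
REQUIRED = {"TCP": ("SPT", "DPT", "URGP"), "UDP": ("SPT", "DPT")}


def truncation_reasons(payload: bytes, limit: int = BUSYBOX_LIMIT) -> list:
    """Return the reasons a received syslog payload looks cut short."""
    reasons = []
    if len(payload) == limit:
        reasons.append("payload is exactly %d bytes" % limit)
    text = payload.decode("utf-8", errors="replace")
    if not FIREWALL.search(text):
        return reasons  # not a firewall entry: only the size hint applies
    fields = dict(FIELD.findall(text))
    proto = fields.get("PROTO")
    if proto is None:
        reasons.append("no PROTO= field")
    for name in REQUIRED.get(proto, ()):
        if name not in fields:
            reasons.append("PROTO=%s entry has no %s= field" % (proto, name))
    return reasons


# Constructed sample: a complete TCP entry longer than the old limit.
COMPLETE = (
    b"<4>Jan  1 00:00:00 OpenWrt kernel: [12345.678901] REJECT(src wan) "
    b"IN=eth0.2 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    b"SRC=203.0.113.55 DST=198.51.100.77 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
    b"ID=54321 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"
)
# The same entry as the remote server would have seen it before the change.
TRUNCATED = COMPLETE[:BUSYBOX_LIMIT]

if __name__ == "__main__":
    for label, payload in (("complete", COMPLETE), ("truncated", TRUNCATED)):
        print(label, len(payload), truncation_reasons(payload) or "ok")
```

An entry longer than 256 bytes that passes the field check is the sign that the syslog-ng path is delivering full messages.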
