When I went to process my remote firewall log output from OpenWRT, I noticed that the entries were truncated. A quick check with tcpdump indicated that the syslog packets were truncated to 256 characters. As syslogd and klogd are both provided by BusyBox, I decided to replace them both. The obvious solution was to replace them with syslog-ng. opkg indicated that it was available, so installation was simple.
Unfortunately, configuration is not yet automated. A default configuration file is provided in /etc/syslog-ng. This simply logs to /var/log/messages. It also assumes that klogd is active. After some research and experimentation, I came up with a configuration. It can provide a local log in /var/log/messages. More importantly, it provides complete firewall log entries to the remote server.

    options {
        chain_hostnames(off);
        sync(0);
        stats(0);
    };

    # Local syslog socket plus syslog-ng's own messages
    source src {
        unix-stream("/dev/log");
        internal();
    };

    # Read kernel messages directly, since klogd is not running
    source kernel {
        file("/proc/kmsg" log_prefix("kernel: "));
    };

    # Optional local log file
    destination messages {
        file("/var/log/messages" log_fifo_size(256));
    };

    # Remote syslog server
    destination d_udp {
        udp("192.168.10.2" port(514));
    };

    log {
        source(src);
        source(kernel);
        destination(d_udp);
        # destination(messages);
    };

There is a conflict between the standard syslog setup and syslog-ng. They will both be started when the server restarts. To resolve this I edited /etc/init.d/boot, and commented out the start up of syslogd and klogd.
Log rotation requires additional configuration, so I have disabled the local log.
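
A check that can be run on the remote server to confirm that firewall entries now arrive complete. This is an added example, not part of the original post. The function names and the sample entry are constructed, the field names assume the standard netfilter LOG `KEY=value` layout (IPv6 here, since those entries are the longest), and the 256-character cap is the one reported above.

```python
import re

LIMIT = 256  # truncation length reported in the post; adjust to what tcpdump shows
REQUIRED = ("SRC", "DST", "PROTO")
PORT_PROTOS = {"TCP", "UDP"}
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def missing_fields(payload):
    """Return netfilter LOG fields a complete entry needs but this one lacks."""
    fields = dict(FIELD.findall(payload))
    if "IN" not in fields:  # not a netfilter LOG entry, nothing to verify
        return []
    need = list(REQUIRED)
    # TCP/UDP entries must carry ports; an absent PROTO means the tail was lost
    if fields.get("PROTO", "") in PORT_PROTOS | {""}:
        need += ["SPT", "DPT"]
    return [k for k in need if not fields.get(k)]


def check(payload):
    """Return the reasons a received syslog payload looks truncated (empty = OK)."""
    reasons = []
    # A cut in the middle of a value leaves no missing key, so test length too
    if len(payload) == LIMIT:
        reasons.append("length equals the %d-character cap" % LIMIT)
    lost = missing_fields(payload)
    if lost:
        reasons.append("missing " + ",".join(lost))
    return reasons


# Constructed sample (not captured traffic): an IPv6 netfilter LOG entry as
# relayed by syslog; the loop below also tests it cut at LIMIT characters.
FULL = ("<4>Jan  1 00:20:34 OpenWrt kernel: [ 1234.567890] REJECT(src wan) "
        "IN=eth0.2 OUT=br-lan MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd "
        "SRC=2001:0db8:0000:0000:0000:0000:0000:0045 "
        "DST=2001:0db8:0000:0000:0000:0000:0000:0007 "
        "LEN=80 TC=0 HOPLIMIT=52 FLOWLBL=0 "
        "PROTO=TCP SPT=51514 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    for name, msg in (("full", FULL), ("cut", FULL[:LIMIT])):
        print(name, len(msg), check(msg) or "complete")
```

A complete message that happens to be exactly 256 characters long will be flagged by the length test alone, so treat that reason as a prompt to look at the entry rather than as proof.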