OpenWRT syslog-ng Installation

When I went to process my remote firewall log output from OpenWRT, I noticed that the entries were truncated.  A quick check with tcpdump indicated that the syslog packets were truncated to 256 characters.  As syslogd and klogd are both provided by BusyBox, I decided to replace them both.  The obvious solution was to replace them with syslog-ng.  opkg indicated that it was available, so installation was simple.

Unfortunately, configuration is not yet automated. A default configuration file is provided in /etc/syslog-ng. This simply logs to /var/log/messages. It also assumes that klogd is active. After some research and experimentation, I came up with a configuration. It can provide a local log in /var/log/messages. More importantly, it provides complete firewall log entries to the remote server.

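options {
    chain_hostnames(off);   # do not chain relay hostnames into the host field
    sync(0);                # write each message out immediately, no buffering
    stats(0);               # disable the periodic statistics messages
};

# Local applications (/dev/log) plus syslog-ng's own internal messages
source src { unix-stream("/dev/log"); internal(); };
# Kernel messages read directly, replacing klogd
source kernel { file("/proc/kmsg" log_prefix("kernel: ")); };

# Optional local log file
destination messages { file("/var/log/messages" log_fifo_size(256)); };
# Remote syslog server, UDP port 514
destination d_udp { udp("192.168.10.2" port(514)); };

log {
    source(src);
    source(kernel);
    destination(d_udp);
#    destination(messages);
};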

There is a conflict between the standard syslog setup and syslog-ng. They will both be started when the server restarts. To resolve this I edited /etc/init.d/boot, and commented out the start up of syslogd and klogd.

Log rotation requires additional configuration, so I have disabled the local log.
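
To confirm on the log server that entries now arrive whole, each received syslog datagram can be checked for the 256-byte cap described above and for the fields that normally close a firewall entry. This is an added example, not part of the original post; it assumes the firewall entries are netfilter LOG lines, and the sample line and function names are constructed for illustration.

```python
import re

SIZE_CAP = 256  # datagram size the post saw from BusyBox syslogd (via tcpdump)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # netfilter LOG key=value tokens

# Constructed sample: a complete netfilter LOG line for a TCP SYN, as a syslog
# payload. Addresses are documentation ranges; the prefix text is made up.
SAMPLE = (
    b"<4>Jan  1 00:10:00 OpenWrt kernel: [  612.345678] REJECT wan in: "
    b"IN=pppoe-wan OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    b"SRC=203.0.113.7 DST=198.51.100.23 LEN=60 TOS=0x00 PREC=0x00 TTL=52 "
    b"ID=54321 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"
)


def tail_complete(pairs):
    """True if the last field netfilter prints for this protocol is present."""
    keys = [k for k, _ in pairs]
    values = dict(pairs)
    proto = values.get("PROTO")
    if proto == "TCP":
        return values.get("URGP", "").isdigit()
    if proto == "UDP":
        # UDP lines end with a second LEN= (the UDP length) after DPT=
        return keys.count("LEN") >= 2 and values["LEN"].isdigit()
    return proto is not None  # other protocols: only require PROTO itself


def check_datagram(payload, cap=SIZE_CAP):
    """Report whether one received syslog payload looks cut off at `cap` bytes."""
    pairs = KV_RE.findall(payload.decode("utf-8", errors="replace"))
    keys = {k for k, _ in pairs}
    firewall = {"SRC", "DST"} <= keys
    reasons = []
    if len(payload) == cap:
        reasons.append("payload length equals the size cap")
    if firewall and not tail_complete(pairs):
        reasons.append("firewall entry is missing its final fields")
    return {"size": len(payload), "firewall": firewall,
            "truncated": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for name, data in (("full", SAMPLE), ("cut", SAMPLE[:SIZE_CAP])):
        print(name, check_datagram(data))
```

Feed it the UDP payloads received on port 514; a steady stream of entries flagged for both reasons means the sender is still cutting messages.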
