Add option for remote syslog in WebGUI



The syslog server has a setting for "local syslog folder", but really it only lets you choose a share.  Can we select an actual folder such as /mnt/user/system/log/ rather than throw the log files in the root of /mnt/user/system/ ?

 

I wouldn't mind manually editing /boot/config/rsyslog.cfg as long as it won't break the gui

Link to comment

The current approach was chosen to ensure the folder exists when using the local syslog functionality and give the user the opportunity to create a dedicated share/folder which preferably is located on the cache device only.

 

You can make manual tweaks to change the destination folder.

  1. /boot/config/rsyslog.conf & /etc/rsyslog.conf
    change the value of parameter "$template remote"
  2. /boot/config/rsyslog.cfg
    change the value of parameter "server_folder"
  3. restart daemon: /etc/rc.d/rc.rsyslogd restart

These manual changes need to be re-applied each time a change of the syslog settings in the GUI is done.

Edited by bonienl
Link to comment
24 minutes ago, bonienl said:

These manual changes need to be re-applied each time a change of the syslog settings in the GUI is done.

Thanks for this. Any chance the gui could detect when the value it reads from the file isn't what it expects, and just display the value in an input box instead? Just to prevent the gui from overwriting the file and having to remember to fix it :)

Link to comment

I added a <custom> entry. This allows the GUI to show that some "other" setting is used.


 

When the file /boot/config/rsyslog.cfg is manually edited (=set custom destination folder), you can make a change in the GUI and the custom setting is automatically set in the appropriate files, with rsyslogd restarted and using the custom setting.

 

You can however not set a custom folder in the GUI. This is on purpose 😙

Edited by bonienl
Link to comment
44 minutes ago, bonienl said:

I added a <custom> entry. This allows the GUI to show that some "other" setting is used.


 

When the file /boot/config/rsyslog.cfg is manually edited (=set custom destination folder), you can make a change in the GUI and the custom setting is automatically set in the appropriate files, with rsyslogd restarted and using the custom setting.

 

You can however not set a custom folder in the GUI. This is on purpose 😙

 

Thanks! I used the Bleeding Edge Toolkit:

to install this and it works great. Now my logs are in a subdirectory of the system share.

Link to comment

Hey @bonienl


In /etc/rsyslog.conf, would you consider copying this line:

$IncludeConfig /etc/rsyslog.d/*.conf

somewhere below the "$RuleSet remote" line, perhaps at line 127?  The line does already exist elsewhere in the file, but it only seems to apply to the default ruleset and not the remote ruleset.

 

This change will allow us to place custom ruleset files in /etc/rsyslog.d and have them apply to messages from remote systems.

 

For instance, I created a "/etc/rsyslog.d/02-blocklist-extra.conf" file containing this one line:

:msg,contains,"DHCPACK on" stop

and it stopped logging certain DHCP messages from my router. But it has no effect without the $IncludeConfig line in the $RuleSet remote area.

 

Tagging @dlandon because we talked about cleaning up these remote syslogs in another thread somewhere :) 

 

Edited by ljm42
Link to comment
Just now, bonienl said:

The placement of the IncludeConfig statement should apply to all.

Have you tested this to work when added to the remote section?

Yes, the 02-blocklist-extra.conf file has no effect until I copy the IncludeConfig statement to the "$RuleSet remote" area.

 

Actually, there are several duplicated lines in that section, I wonder if some of them can be removed?

$DefaultRuleset local
$RuleSet remote
$FileOwner nobody
$FileGroup users
$FileCreateMode 0644
#*.* ?remote  <-- needed?
$InputUDPServerBindRuleset remote
$UDPServerRun 514
$RuleSet remote  <-- duplicated?
$FileOwner nobody  <-- duplicated?
$FileGroup users  <-- duplicated?
$FileCreateMode 0644  <-- duplicated?
$IncludeConfig /etc/rsyslog.d/*.conf  <-- I added this
*.* ?remote
$InputUDPServerBindRuleset remote
$UDPServerRun 514

 

Link to comment
1 hour ago, ljm42 said:

Actually, there are several duplicated lines in that section, I wonder if some of them can be removed?

Hmm, these duplicates should not exist.

$DefaultRuleset local
$RuleSet remote
$FileOwner nobody
$FileGroup users
$FileCreateMode 0644
#*.* ?remote
$InputTCPServerBindRuleset remote
$InputTCPServerRun 514
$InputUDPServerBindRuleset remote
$UDPServerRun 514

In the syslog settings disable local server and remove the remote IP address, this should cleanup the file.

Then re-apply the original settings.

Link to comment
On 2/23/2019 at 6:57 PM, bonienl said:

You can however not set a custom folder in the GUI. This is on purpose 😙

 

Why was this, out of interest? I'd ideally like to put output from this on /system/logs, but instead the logs will be on the root of the /system share, which isn't wonderful from an organisational standpoint. I imagine I'm not the only one who would do this. It also seems a little much to have to create a logs share solely for this.

 

Nit-picking, I'll grant you, but I figure this is the time for it, seeing as it's newly-added.

Link to comment
3 hours ago, bonienl said:

In the syslog settings disable local server and remove the remote IP address, this should cleanup the file.

 

2 hours ago, bonienl said:

I added the "includeConfig" option and changed to 0666 mode.

 

Thanks @bonienl! I disabled / enabled the service and updated to the latest code. Now this is the tail end of my rsyslog.conf:

$DefaultRuleset local
$RuleSet remote
$FileOwner nobody
$FileGroup users
$FileCreateMode 0666
$IncludeConfig /etc/rsyslog.d/*.conf
*.* ?remote
$InputUDPServerBindRuleset remote
$UDPServerRun 514

And my custom rules are working.  Thanks!

Link to comment
7 hours ago, ljm42 said:

Hey @bonienl


In /etc/rsyslog.conf, would you consider copying this line:


$IncludeConfig /etc/rsyslog.d/*.conf

somewhere below the "$RuleSet remote" line, perhaps at line 127?  The line does already exist elsewhere in the file, but it only seems to apply to the default ruleset and not the remote ruleset.

 

This change will allow us to place custom ruleset files in /etc/rsyslog.d and have them apply to messages from remote systems.

 

For instance, I created a "/etc/rsyslog.d/02-blocklist-extra.conf" file containing this one line:


:msg,contains,"DHCPACK on" stop

and it stopped logging certain DHCP messages from my router. But it has no effect without the $IncludeConfig line in the $RuleSet remote area.

Do these rules apply to all logs?  I want to filter some messages from my router.  It is flooded with extraneous messages.

Link to comment
1 hour ago, dlandon said:

Do these rules apply to all logs?  I want to filter some messages from my router.  It is flooded with extraneous messages.

Yep! The simple "property-based filters" like in my example apply to all sources.  If you want something that applies only to one source (i.e. the router) then I think you'd need to use "expression-based filters" where you can have complex if statements. I haven't tried that yet.

 

This page has more info:

    https://www.rsyslog.com/doc/v8-stable/configuration/filters.html

Link to comment
On 2/25/2019 at 2:21 AM, dlandon said:

I've set it up as you suggested, but it is not working for me yet.  I'll wait for the next release with the fixes.

 

If you've added the additional "$IncludeConfig /etc/rsyslog.d/*.conf" line, then there could be an issue with your rule.  For instance, I was trying to block this line:

Feb  9 16:01:48 192.168.10.1 dhcpd: DHCPREQUEST for 192.168.10.40 (192.168.10.1) from ...

and at first I tried this:

:msg,startswith,"dhcpd: DHCPREQUEST for" stop

but it turns out that "dhcpd" is the application, the msg doesn't start until " DHCPREQUEST".  So this rule worked:

:msg,startswith," DHCPREQUEST for" stop

Also, I believe you have to restart the rsyslogd service after editing any of these files:

/etc/rc.d/rc.rsyslogd restart

 

Edited by ljm42
Link to comment
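Added example (not part of the thread, and not rsyslog's own code): a small Python model of how the quoted log line splits into the properties a property-based filter can test, showing why the first rule above misses and the second matches. The regular expressions and the names parse_line and rule_matches are assumptions made for this illustration; only the contains, isequal and startswith operations are modelled.

```python
import re

# Simplified model (an assumption, not rsyslog's parser) of how a stored
# RFC 3164 line maps onto the properties a filter can test.
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<syslogtag>[^\s:\[]+(?:\[\d+\])?:?)"
    r"(?P<msg>.*)$"  # msg keeps the space that follows the tag
)
# Property-based filter syntax: :property, [!]compare-operation, "value"
RULE_RE = re.compile(
    r'^:(?P<prop>[\w-]+),\s*(?P<neg>!?)(?P<op>\w+),\s*'
    r'"(?P<value>(?:[^"\\]|\\.)*)"\s+(?P<action>\S+)$'
)
OPS = {  # case-sensitive, like the rsyslog operations of the same name
    "contains": lambda field, value: value in field,
    "isequal": lambda field, value: field == value,
    "startswith": lambda field, value: field.startswith(value),
}
# Log line quoted in the thread; its elided tail ("...") is kept as-is.
SAMPLE = ("Feb  9 16:01:48 192.168.10.1 dhcpd: DHCPREQUEST for "
          "192.168.10.40 (192.168.10.1) from ...")


def parse_line(line):
    """Split a log line into timestamp, hostname, syslogtag, programname, msg."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError("not an RFC 3164 style line: %r" % line)
    props = m.groupdict()
    props["programname"] = re.split(r"[\[:]", props["syslogtag"])[0]
    return props


def rule_matches(rule, line):
    """Return True when the property-based filter would select this line."""
    m = RULE_RE.match(rule.strip())
    props = parse_line(line)
    if m is None or m["op"] not in OPS or m["prop"] not in props:
        raise ValueError("unsupported rule: %r" % rule)
    value = re.sub(r"\\(.)", r"\1", m["value"])  # undo \" and \\ escapes
    return OPS[m["op"]](props[m["prop"]], value) != bool(m["neg"])


if __name__ == "__main__":
    for rule in (':msg,startswith,"dhcpd: DHCPREQUEST for" stop',
                 ':msg,startswith," DHCPREQUEST for" stop',
                 ':programname,isequal,"dhcpd" stop'):
        print("%-50s -> %s" % (rule, rule_matches(rule, SAMPLE)))
```

Matching on programname instead of a leading-space msg prefix is an alternative that does not depend on where the tag ends.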
25 minutes ago, ljm42 said:

If you've added the additional "$IncludeConfig /etc/rsyslog.d/*.conf" line, then there could be an issue with your rule.  For instance, I was trying to block this line:

Ok.  It seems I did have an issue like this.  I changed the rule and we'll see how it works.

 

I'm extremely grateful for the syslog server capability and now with being able to filter a large number of extraneous messages from the router log, I can finally read it.  I can't scroll back in the log on the router because it refreshes a lot and starts all over at the top when it does.

 

I really like the idea of keeping server logs in a more permanent place and current in case of an unplanned shutdown.

 

Thanks @ljm42 for all your help here.

Link to comment
