[Q] Syslog Server for TomatoUSB

Discussion in 'Tomato Firmware' started by Dr Strangelove, Nov 20, 2012.

  1. Dr Strangelove

    Dr Strangelove Networkin' Nut Member

    I have a Linksys E4200v1 with Toastman Tomato firmware v1.28.0500 in use.

    I would like to use my E4200 as a syslog server for other network devices and the E4200.

    I would like to use a USB 'stick' on the USB port of my E4200 to log all my syslog events.

    I also have a NAS and an ADSL2 modem which I'd also like to have the E4200 act as a syslog server for.

    In the past I've used my NAS as a syslog server, but this never allows the HDD to sleep as it's only a one-HDD NAS and the OS needs to access connections.tdb etc. each time.

    What's available in the way of syslog servers for TomatoUSB firmware?

    Am I correct in assuming that TomatoUSB firmware doesn't natively support a syslog server structure and that I'd have to source optware applications to provide this service?

    I note there is something like optware syslog-ng which may provide a solution.
    Is there anything else?

    Given the router is always on and has USB storage available, I thought a Google search would turn up a bit of an overview of such a setup, but was surprised that I couldn't find a lot of info on the subject.
    So I hope I've not missed something in asking this question.
  2. koitsu

    koitsu Network Guru Member

    TomatoUSB Toastman comes with Busybox syslogd. It does support writing to a file of your choice (i.e. /yourdisk/somefile). The GUI supports this option as well.

    Supported options for busybox syslogd:

    BusyBox v1.18.5 (2012-06-26 18:24:12 ICT) multi-call binary.
    Usage: syslogd [OPTIONS]
    System logging utility.
    This version of syslogd ignores /etc/syslog.conf
            -n              Run in foreground
            -O FILE        Log to given file (default:/var/log/messages)
            -l N            Set local log level
            -S              Smaller logging output
            -s SIZE        Max size (KB) before rotate (default:200KB, 0=off)
            -b N            N rotated logs to keep (default:1, max=99, 0=purge)
            -R HOST[:PORT]  Log to IP or hostname on PORT (default PORT=514/UDP)
            -L              Log locally and via network (default is network only if -R)

    The default flags for TomatoUSB are -L -s 50 -b 1, and GUI options/toggles/etc. affect these (or append to them) as expected.

    Please note there is no support for separate facility and level logging mechanisms in this version of Busybox syslogd. A newer Busybox build does offer this capability (via /etc/syslog.conf), however it has already had numerous bugs found in it, so I would be wary of using it (i.e. you should expect to report bugs to them directly).

    Alternately you could install Entware (please do not use Optware; nobody maintains that crap any more) and install the syslog-ng package (opkg install syslog-ng) and get used to editing things in /opt/etc and so on. You will need a storage device (USB flash drive, USB hard disk, etc.) that is always on to use this reliably. Please make sure the drive is formatted as ext2, ext3, or ext4 (and not NTFS). Monk E. Boy has written good instructions for that. Swap is optional (I would recommend not worrying about it unless you absolutely know you're going to run out of RAM on the router for some reason. I tend to remind people: these are embedded devices, not PCs! Do not treat them like a PC workstation!)

    You will also need to ensure you start syslog-ng yourself via the TomatoUSB GUI under Init -> Scripts (my recommendation is to place the startup under WAN Up, not Init, since your USB storage device might not be ready by the time the daemon attempts to start. I can point you to a thread/topic recently where I brought this fact up if need be).
  3. Dr Strangelove

    Dr Strangelove Networkin' Nut Member

    Thank you Koitsu.

    Your information (and such good detail too) was more than I was expecting and will easily see me well on my way to creating a workable syslog server on my TomatoUSB router.

    Thank you.
  4. koitsu

    koitsu Network Guru Member

    Oh, one thing I didn't cover: you may end up with a conflict of syslogd vs. syslog-ng both trying to bind to UDP port 514; syslogd will get first dibs obviously.

    I *think* syslogd is one of the daemons which if you kill off, Busybox init itself will actually re-start/re-spawn it. I don't know if there's a way to inhibit that behaviour (I've gone through output of nvram show | grep log and I couldn't find anything relevant), and that makes things fairly tricky to solve. What this means is effectively you need to run two syslog servers on the same box (syslogd and syslog-ng), and that's very very tricky. I have lots of ways to try and solve this but none are as clean as disabling syslogd entirely and starting syslog-ng instead.

    The best solution -- and god this is a disgusting hack, I'm sorry, I hate solutions like this -- I can come up with is the following:

    1. Run syslog-ng on a different UDP port (ex. UDP port 5114 (note the extra 1))
    2. Set syslogd (via GUI or nvram variables log_remoteip and log_remoteport) to log to port 5114
    3. Make sure syslog-ng binds to port 5114
    4. Make sure syslog-ng does not try to open up a UNIX domain socket that correlates to /dev/log (syslogd will already have that; see netstat -x)

    This sounds simple but let me explain exactly how this will work:

    When the router boots up, syslogd will start up and begin trying to send syslog messages (for things like dhcp, ntpc, etc.) to syslog-ng (which isn't started yet). syslogd will hopefully queue some of the messages for redelivery -- I don't know if it will or won't, and if it doesn't I have some alternate ways of dealing with this but they make the situation even hackier.

    A few moments will pass (say 15 seconds?), USB devices are enumerated, mounts are mounted, and syslog-ng starts, binding to (let's say for now) port 5114. syslogd will retry message delivery, and now that syslog-ng is up, it'll get a flurry of messages from syslogd. syslog-ng will then log to whatever file you want (presumably on your USB drive).

    Messages coming from systems on your LAN will be answered by syslogd, but be forwarded (due to the redirection bit) to syslog-ng.

    Caveats to this model:

    1. We don't know if syslogd has a queuing mechanism for messages when remote delivery is used. If it doesn't, you will lose every logging message sent to the system from the time syslogd starts to the time syslog-ng is started
    2. We don't know if syslog-ng can be told to not bind a UNIX domain socket to /dev/log

    There is another complexity which I had forgotten about, and that pertains to my proposal to use WAN Up as your way to launch syslog-ng. There are caveats/problems with this as well. They're discussed in this thread (despite the thread being for a different subject), and the one that will work for you best (hands down, no argument!) is the use of the mount.autorun file to start syslog-ng (see the reply from menses), which is a shell script that will get run when the USB drive is mounted. That relieves a ton of complexity/annoyance of dealing with starting daemons on reboot when stored on an external drive. :)

    Welcome to the many nuances of embedded environments. Stuff like this is why I tell people not to treat these routers the same as they would a "standard" Linux desktop/server -- there are many differences in how things are done, and little catches along the way. It's too bad we have the pile of junk that is Busybox. The OpenWRT guys solved many nuances in their firmware by getting rid of it and using standard software + designing things cleanly (i.e. the router acts more like a normal Linux server than some weird hack of a thing).
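
The port-5114 arrangement from the post above, sketched as an autorun-style script. This is an added example, not code from the thread or from TomatoUSB/Entware. The LAN address 192.168.1.1, the /mnt/usb/log directory, the /opt paths and the `@version` line are assumptions to adjust to the installed package. syslog-ng only opens /dev/log when a unix-stream or unix-dgram source is declared, so the config declares none.

```shell
#!/bin/sh
# Added example: start syslog-ng beside Busybox syslogd without colliding
# on UDP 514 or /dev/log. All values below are assumptions, not thread data.

LISTEN_IP="192.168.1.1"         # assumed router LAN address; keeps the listener off the WAN side
PORT=5114                       # alternate port from the thread; 514 stays with syslogd
LOGDIR="/mnt/usb/log"           # hypothetical mount point of the USB drive
CONF="/opt/etc/syslog-ng.conf"  # assumed Entware config location

# Write a config with one UDP source and no unix-stream/unix-dgram source.
write_conf() {  # $1=file $2=listen ip $3=port $4=log directory
    cat > "$1" <<EOF
@version: 3.0
source s_net { udp(ip($2) port($3)); };
destination d_usb { file("$4/lan.log" create_dirs(yes) perm(0640)); };
log { source(s_net); destination(d_usb); };
EOF
}

# Reject a config that would fight syslogd for /dev/log or UDP 514,
# and require exactly the bound UDP source form written above.
conf_is_safe() {  # $1=file
    grep -q '/dev/log' "$1" && return 1
    grep -Eq 'port\(514\)' "$1" && return 1
    grep -Eq 'udp\(ip\([0-9.]+\) port\([0-9]+\)\)' "$1"
}

# Only act when the Entware binary is present (i.e. the USB drive is mounted).
if [ -x /opt/sbin/syslog-ng ]; then
    write_conf "$CONF" "$LISTEN_IP" "$PORT" "$LOGDIR"
    conf_is_safe "$CONF" && /opt/sbin/syslog-ng -f "$CONF"
fi
```

Busybox syslogd still has to be pointed at this listener through the GUI or the log_remoteip and log_remoteport nvram variables named in the post.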