Configure Syslog Logging Levels on the Asus RT-AC66U Router


4614_WizardStressToy_1

So here is a quick little one that I figured out the other day. Having just setup a Splunk server at home I wanted to make sure that I was not going to hit the data limit of 500mb a day for the free version of Splunk. I figured out pretty fast that my ASUS RT-AC66U was a very chatty-cathy when it came to syslog… sending me all sorts of very raw data that I was, at least at first, not so sure I was interested in indexing. So I hit the cli and started poking around.

First off, before we jump in, let’s make sure that we are all on the same page. First thing to note is that I am running the custom Merlin firmware, however that doubt that the stock firmware is much different. Second, let’s make sure that we all know how to configure syslog on our Asus.

To setup forwarding syslog to a remote syslog server, you first client on “Administration” in the “Advanced Settings” panel on the left. Then select the “System” tab near the top of the page. Scroll down to “Miscellaneous”. This section is shown below. Enter the IP address of your syslog server (or Splunk server in this case) in the “Remote Log Server” field.

syslog_asus

Now lets get down to the business of adjusting our logging level. First you need to ssh into your router.

Note that it appears that by default the log level is set to 7.

admin@RT-AC66U: # nvram show | grep log_level
log_level=7

Now before you get too excited, I am actually not sure that the main log level adheres to rfc5424. I have yet to find any published documentation from Asus to confirm this. However, according to this guy’s blog, this configuration might be a bit less chatty. Note that there are a few additional settings here which you can play around with. With these settings, I am assuming that 1 is on, and 0 if off. I am still experimenting.

admin@RT-AC66U: # nvram set log_level=2
admin@RT-AC66U: # nvram set log_enable=1
admin@RT-AC66U: # nvram set log_rejected=1
admin@RT-AC66U: # nvram set log_dropped=1
admin@RT-AC66U: # nvram set log_accepted=0

Now lets save our change and reboot

admin@RT-AC66U: # nvram commit
admin@RT-AC66U: # reboot

Note that there also is a vpn_loglevel=3 setting that can be configured via nvram. This setting might be useful to those running a VPN server on their router.

19 thoughts on “Configure Syslog Logging Levels on the Asus RT-AC66U Router

  1. Hi,

    Nice guide, but I am having some issues. Log level seems to be reset back to log_level=7 after reboot, even though it shows as log_level=2 after the commit.
    Any idea to why this happens?

    I am running Merlin-WRT 376.49_5.

    Liked by 1 person

  2. So I just checked my router – and sure enough my logging level has been reset

    admin@RT-AC66U:/tmp/home/root#  nvram show | grep log_level
    log_level=7
    

    There must be another way that you are supposed to write to NVRAM so that its persistent. Or it might be easier just to write a cron job to set these values if they are not already set.

    Liked by 1 person

  3. Running version the base firmware version 3.0.0.4.378_4585-g44c234f

    Haven’t noticed any difference in setting the log_level from 6 (default for me) to 7 which would normally give you from debug level messages all the way down to emergency messages. (You did say it might not follow the RFC for this). Also noticed that instead of having separate log_accept, log_dropped, log_rejected options I only have a fw_log_x that can take a single value from: both, drop, accept, none.

    Not a lot of information about this out there, so I appreciate the info. I’m trying to write a custom logstash parser pattern for my Asus router.

    Liked by 1 person

    • Hi Christopher and Ben,

      I am tracking Asus RT-AC1200G+ Random Reboots Automatically and needs more log to see what’s going on before the crash point. I read this post but RMerlin explains that log_level is ignored in Asuswrt here.

      Do you have any good idea to get more message in the random reboot issue?

      Have a nice day!

      Like

  4. So I’m trying to edit the hosts file on the router so I don’t have to change it on all of my LAN computers. I can edit /etc/hosts, which actually resides in /tmp/etc/hosts. It doesn’t appear that the changes take.After a reboot, the original file is restored and the hosts backup I made is gone. I also made a backup of the output of nvram show in the root home folder. These are gone as well. Any idea how to make this stuff persistent? I did an nvram commit after the changes.

    Like

  5. yeah, same question here too.. anyone had success to get the complete logging? Even I am interested to set one up for me with the default latest firmware of ASUS.

    Like

  6. Has anyone found a way to enter a hostNAME (not IP) and use a port, on the remote log server field? I’m using papertrail and would like to specify something as logs5.domain.com:11554

    Like

    • I just set up a new RT-AC68U on AsusWRT-Merlin, having come from DD-WRT on my previous router. What I did to continue using papertrail was to manually set the port via telnet:
      nvram set log_port=XXXXX
      nvram commit
      Then used ping to do a lookup of the IP addr of my papertrail logging server (I’m on ‘logs3.papertrailapp.com’ which resolves to 173.247.107.217. Then enter that IP addr thru the GUI. It popped right up and is working fine. I’m assuming that IP address mapping is reasonably static, or there would be a lot of churn by real/paying users of papertrail’s great service.

      There are probably more elegant ways to solve this, but I was in a hurry, and this quick and worked!

      Like

      • That’s a good ideia. Do you know if it can be done using the default firmware? Also, how persistent is that in firmware upgrades?

        I ended up using their logs.papertrail method with the default port, but it’s very limited compared to what we are used with our customs ports.

        Like

      • >> Do you know if it can be done using the default firmware?
        I don’t know for sure as I skipped by the stock firmware and went straight to using Merlin custom firmware. But since Merlin is based on, and very similar to Asus stock, I would think it’d work so long as you had Telnet access. I’d say just try it, and see (and share what you learn).

        >> Also, how persistent is that in firmware upgrades?
        I wouldn’t count on it. Very likely a firmware upgrade would reset the port to the default value. But not a big deal for me as I already have a fairly extensive list of custom mods I do, so this is just another one on the list. (I bulk load my reserved IP list, set non-expiring leases on specific IPs, add custom firewall rules, etc. I love these 3rd party firmwares for their ability to customize to my liking.)

        Like

  7. Pingback: Asus RT-AC1200G+ Random Reboots Automatically | Amigo's Technical Notes

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s