Configure Syslog Logging Levels on the Asus RT-AC66U Router



So here is a quick little one that I figured out the other day. Having just set up a Splunk server at home, I wanted to make sure that I was not going to hit the data limit of 500 MB a day for the free version of Splunk. I figured out pretty fast that my ASUS RT-AC66U was a very chatty Cathy when it came to syslog… sending me all sorts of very raw data that I was, at least at first, not so sure I was interested in indexing. So I hit the CLI and started poking around.

First off, before we jump in, let’s make sure that we are all on the same page. First thing to note is that I am running the custom Merlin firmware; however, I doubt that the stock firmware is much different. Second, let’s make sure that we all know how to configure syslog on our Asus.

To set up syslog forwarding to a remote syslog server, first click on “Administration” in the “Advanced Settings” panel on the left. Then select the “System” tab near the top of the page. Scroll down to “Miscellaneous”. This section is shown below. Enter the IP address of your syslog server (or Splunk server in this case) in the “Remote Log Server” field.

[Screenshot: syslog_asus]

Now let’s get down to the business of adjusting our logging level. First you need to SSH into your router.

Note that it appears that by default the log level is set to 7.

admin@RT-AC66U: # nvram show | grep log_level
log_level=7

Now before you get too excited, I am actually not sure that the main log level adheres to RFC 5424. I have yet to find any published documentation from Asus to confirm this. However, according to this guy’s blog, this configuration might be a bit less chatty. Note that there are a few additional settings here which you can play around with. With these settings, I am assuming that 1 is on and 0 is off. I am still experimenting.

admin@RT-AC66U: # nvram set log_level=2
admin@RT-AC66U: # nvram set log_enable=1
admin@RT-AC66U: # nvram set log_rejected=1
admin@RT-AC66U: # nvram set log_dropped=1
admin@RT-AC66U: # nvram set log_accepted=0

Now let’s save our change and reboot.

admin@RT-AC66U: # nvram commit
admin@RT-AC66U: # reboot

Note that there also is a vpn_loglevel=3 setting that can be configured via nvram. This setting might be useful to those running a VPN server on their router.
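
The steps above as a drift check, added here as an example (not code from the original post): it re-applies the post's five settings only when `nvram get` shows a different value, and commits once, so repeated runs do not rewrite flash. `ensure_nvram`, `NVRAM_CMD` and `DESIRED` are names made up for this example, and it assumes `nvram get` prints the stored value and prints nothing for an unset key.

```sh
#!/bin/sh
# Added example: re-apply the post's logging settings only when they drifted.
# Written for a POSIX shell such as the router's BusyBox ash.

# NVRAM_CMD can be overridden so the logic can be tried off-router with a stub.
NVRAM_CMD="${NVRAM_CMD:-nvram}"

# Desired key=value pairs, copied from the post's "nvram set" commands.
DESIRED="log_level=2 log_enable=1 log_rejected=1 log_dropped=1 log_accepted=0"

# ensure_nvram: set every key whose stored value differs from DESIRED and
# commit once if anything changed. Prints the number of keys changed on
# stdout and one line per change on stderr.
ensure_nvram() {
    changed=0
    for pair in $DESIRED; do
        key=${pair%%=*}
        want=${pair#*=}
        # An unset key reads back as an empty string (assumed behaviour).
        have=$($NVRAM_CMD get "$key" 2>/dev/null) || have=""
        if [ "$have" != "$want" ]; then
            $NVRAM_CMD set "$key=$want" || return 1
            echo "ensure_nvram: $key '$have' -> '$want'" >&2
            changed=$((changed + 1))
        fi
    done
    # "nvram commit" writes to flash, so skip it when nothing changed.
    if [ "$changed" -gt 0 ]; then
        $NVRAM_CMD commit || return 1
    fi
    echo "$changed"
}

# Run as "sh ensure_nvram.sh apply" (the file name is hypothetical).
if [ "${1:-}" = "apply" ]; then
    ensure_nvram
fi
```

A non-zero count on a later run means something has reset the values since the last run. Whether the firmware actually honours `log_level` is a separate question that this check does not answer.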

22 thoughts on “Configure Syslog Logging Levels on the Asus RT-AC66U Router”

  1. I am actually trying to do the same here. But I am new to Splunk so if you could go into greater detail that would be great!!

  2. Hi,

    Nice guide, but I am having some issues. Log level seems to be reset back to log_level=7 after reboot, even though it shows as log_level=2 after the commit.
    Any idea to why this happens?

    I am running Merlin-WRT 376.49_5.

  3. So I just checked my router – and sure enough my logging level has been reset

    admin@RT-AC66U:/tmp/home/root#  nvram show | grep log_level
    log_level=7
    

    There must be another way that you are supposed to write to NVRAM so that it’s persistent. Or it might be easier just to write a cron job to set these values if they are not already set.

  4. Running the base firmware version 3.0.0.4.378_4585-g44c234f

    Haven’t noticed any difference in setting the log_level from 6 (default for me) to 7 which would normally give you from debug level messages all the way down to emergency messages. (You did say it might not follow the RFC for this). Also noticed that instead of having separate log_accept, log_dropped, log_rejected options I only have a fw_log_x that can take a single value from: both, drop, accept, none.

    Not a lot of information about this out there, so I appreciate the info. I’m trying to write a custom logstash parser pattern for my Asus router.

    • Hi Christopher and Ben,

      I am tracking Asus RT-AC1200G+ Random Reboots Automatically and need more logs to see what’s going on before the crash point. I read this post but RMerlin explains that log_level is ignored in Asuswrt here.

      Do you have any good idea to get more messages for the random reboot issue?

      Have a nice day!

  5. So I’m trying to edit the hosts file on the router so I don’t have to change it on all of my LAN computers. I can edit /etc/hosts, which actually resides in /tmp/etc/hosts. It doesn’t appear that the changes take. After a reboot, the original file is restored and the hosts backup I made is gone. I also made a backup of the output of nvram show in the root home folder. These are gone as well. Any idea how to make this stuff persistent? I did an nvram commit after the changes.

  6. yeah, same question here too.. anyone had success to get the complete logging? Even I am interested to set one up for me with the default latest firmware of ASUS.

  7. Has anyone found a way to enter a hostNAME (not IP) and use a port, on the remote log server field? I’m using papertrail and would like to specify something as logs5.domain.com:11554

    • I just set up a new RT-AC68U on AsusWRT-Merlin, having come from DD-WRT on my previous router. What I did to continue using papertrail was to manually set the port via telnet:
      nvram set log_port=XXXXX
      nvram commit
      Then used ping to do a lookup of the IP addr of my papertrail logging server (I’m on ‘logs3.papertrailapp.com’ which resolves to 173.247.107.217). Then enter that IP addr thru the GUI. It popped right up and is working fine. I’m assuming that IP address mapping is reasonably static, or there would be a lot of churn by real/paying users of papertrail’s great service.

      There are probably more elegant ways to solve this, but I was in a hurry, and this was quick and worked!

      • That’s a good idea. Do you know if it can be done using the default firmware? Also, how persistent is that in firmware upgrades?

        I ended up using their logs.papertrail method with the default port, but it’s very limited compared to what we are used to with our custom ports.

      • >> Do you know if it can be done using the default firmware?
        I don’t know for sure as I skipped by the stock firmware and went straight to using Merlin custom firmware. But since Merlin is based on, and very similar to Asus stock, I would think it’d work so long as you had Telnet access. I’d say just try it, and see (and share what you learn).

        >> Also, how persistent is that in firmware upgrades?
        I wouldn’t count on it. Very likely a firmware upgrade would reset the port to the default value. But not a big deal for me as I already have a fairly extensive list of custom mods I do, so this is just another one on the list. (I bulk load my reserved IP list, set non-expiring leases on specific IPs, add custom firewall rules, etc. I love these 3rd party firmwares for their ability to customize to my liking.)

  8. Pingback: Asus RT-AC1200G+ Random Reboots Automatically | Amigo's Technical Notes

  9. I just bought this router RT-N66U B1
    and was excited to run merlin on it. 380.67

    I loaded the July 2017 version, set up my configuration and as I do always on a new router, ran GRC shields up to make sure there were no open ports and such.
    To my horror, the router became non-responsive and basically stopped working, internet would not load at all till the test completed (I can only guess it completed cause the webpage timed out).

    I’ve narrowed it down to the firewall “Logged packets” which I had set to dropped.
    Disabling it fixes the issue.
    Both Merlin and factory f/w have this issue, which basically makes it possible to DoS these routers with ease.

  10. Understanding the construct of TCP/UDP port numbering is key here to sorting out the confusion. Normally, HTTPS (SSL) defaults to port 443 like SSH defaults to port 22. When you enter https://192.168.1.1 into your browser, it automatically goes to the default 443 port. Since Asus puts a curve ball into the situation by changing the HTTPS LAN port to 8443 your browser misses the router unless it scans all ports for any address. You can edit the port back to default 443 (or any port you desire) on the Administration page > System tab underneath the Authentication Method. If you change it to 443, you should be able to omit adding the port number in the browser address field.

    The whole point of Asus modifying the port to 8443 is another layer of security. Ideally they should have left the port at 443 and let the administrators change the port in setup.

    see: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

  11. Be aware that the default HTTPS port might be in use by another application, like the AICloud thing that is present in the router.
