Log file deleting itself - Is this normal?


Sean25689

Hi,
I’m using Merlin 3.0.0.4.270.24 for the RT-N66U and am wondering if the log files in the System Log > General Log section automatically delete themselves every so often? If so, is there a setting to control this? This has happened to me at least once that I know of. Thank you!
 
Hi Sean,

Yes, it's normal that the Syslog is renewed (deleted) automatically.
How often, or better when(!), it's renewed is defined by the start parameters, which you can see by looking for the syslogd process:
Code:
chief@RT-N66U:/tmp/home/root# ps -w | grep syslog
  352 admin     1336 S    syslogd -m 0 -S -O /tmp/syslog.log -s 512 -l 7

The -s 512 parameter defines the 'Max size (KB) before rotation'. In this case after reaching 512 KB of size the syslog.log will start fresh. :rolleyes:

Do you have so many messages in the syslog that this happens often in your case? :eek:

With kind regards
Joe :cool:
 
Hi Joe,
Thank you for your response. So glad to hear that the log file was just cleaning up after itself and it wasn’t someone hacking into my router and then trying to cover their tracks. I do have a lot of messages in the syslog file because I’ve set Firewall > General > Logged Packet Types to “Both”.
Thanks again, Sean
 
A few days ago, my Internet access got sooo slow. I found out that when I disabled "Samba" under USB App -> Servers Center, access speed went back to normal and the CPU Core 2 load of the router got reduced significantly. I'm not sure why that has happened as I don't even have a USB Stick inserted on the Router. But a few days later, I experienced slow down again. This time, I noticed something strange in my Router's log. It reported having detected DNS-rebind attacks by opsec.com or something. When I changed my router's configuration as I was trying to isolate which device in the network was being used for the attack, I suddenly lost connection to my Router's Admin system. I restarted my router and got https web access only through the local IP but lost the router.asus.com access. When I checked my router's log, I noticed a block of entries was erased starting from May 5 13:05:29 up to Jun 9 21:19:06. The "DNS-rebind attacks" in the log that I found earlier were gone. I consider the latest version of Merlin (384.17) NOT secure.
 
@RendCycle your logic and conclusions leave much to be desired.

Can you expand on how your router was secure before and isn't now?

What steps have you taken to ensure this isn't user error or misunderstanding?
 
I did only mention Merlin (384.17) because that was the version I had when I experienced the issue. How can it be user error or misunderstanding if what I just described is what I've read/found in the system log? I am just sharing my experience as a warning to those who can read this. I like the interface and features of Merlin but there are just some weird & strange issues I have encountered recently since I started using it for about a year now. Why would you not think that the latest version of Merlin is secure or any other versions for that matter?

To those who are considering using other Firmware not released by the actual company who made your router, do not do it especially if the software looks like it's free. I recommend just sticking to the original and latest Firmware from your router's manufacturer. Just remember to keep updating to the latest version and if it's an Asus Router, try to avoid using Download Master especially if you don't know much about increasing the security of your Router and other connected devices. That's all.
 
@RendCycle, huh? I am not accusing RMerlin firmware to be insecure, you are.

So you've been using firmware for a year and because (seemingly) unrelated items showed some glitches you deem the firmware unsafe, now? And you're warning people about it too?

And you still didn't expand on anything either.

When was the last time you have performed a full reset to factory defaults and then minimally and manually configured the router to secure it and connect to your ISP? Without using a saved backup file or 'blindly' inputting old settings (manually, or otherwise)? Ideally, an M&M Config and/or a Nuclear Reset would be a minimum suggestion and further testing before you can call anything, anything (let alone 'unsafe' or 'insecure').

Many parts of this firmware have been incorporated into official stock Asus firmware over the years. Do you think the Asus engineers and all the users that continuously pore over this code (at least the open source parts) are just turning a blind eye to anything untoward they find?

The user/misunderstanding is still a possibility if you don't give more details than what you already have so far. So far, it seems the likely issue here.
 
@RendCycle, huh? I am not accusing RMerlin firmware to be insecure, you are.

So you've been using firmware for a year and because (seemingly) unrelated items showed some glitches you deem the firmware unsafe, now? And you're warning people about it too?

And you still didn't expand on anything either.

When was the last time you have performed a full reset to factory defaults and then minimally and manually configured the router to secure it and connect to your ISP? Without using a saved backup file or 'blindly' inputting old settings (manually, or otherwise)? Ideally, an M&M Config and/or a Nuclear Reset would be a minimum suggestion and further testing before you can call anything, anything (let alone 'unsafe' or 'insecure').

I think I get what you mean and you're saying I was not careful in my Firmware updates and I may have done it incorrectly. But I guess you have to agree that if I did everything correctly as you say and discovered a DNS-rebind attack in the Syslog then suddenly found out a chunk of related logs disappeared after a restart is really quite suspicious. IIRC, I think I have REPLACED the Merlin Firmware 2-3 times. Also tested using a saved backup file once and the rest are full resets.

Many parts of this firmware have been incorporated into official stock Asus firmware over the years. Do you think the Asus engineers and all the users that continuously pore over this code (at least the open source parts) are just turning a blind eye to anything untoward they find?

I know as I've also read articles/comments about that in the past before I tried using Merlin. It is also one good reason why it's better to use official Asus Firmware over a free open source one because the manufacturer/company who sells the hardware has already double checked/tested/improved the gathered/adapted code from Merlin before they actually implement them in their official Asus Firmware release.

The user/misunderstanding is still a possibility if you don't give more details than what you already have so far. So far, it seems the likely issue here.

I get you and that's fair. All I can say is I did what I think is correct based on information I found in the Internet. Anyhow, the best feature in Merlin that I like is how VPNs are configured. But I just cannot recommend the Firmware to someone new to fiddling with their Router's configuration and if they just use the Internet casually. I also think Download Master from Merlin and Asus has a major security flaw. Every time I use it, my router gets trashed more frequently and it's a seemingly never ending cycle of reconfiguration and app reinstall. If I don't use it, I noticed my router gets to work longer and without too much issues. But I'm going back to the official Asus Firmware for now to see what's new.
 
May 5 is the default date the router boots with. There is no hardware or battery backed clock, so an arbitrary date is used until NTP syncs. I bet if you scroll back through the logs (or check in /jffs) you will find the "missing" logs.

For a more robust log system, I suggest looking into the Scribe project which leverages syslog-ng
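
The boot-date explanation above, as an added example that is not part of the original posts: a short Python check that walks an exported syslog and labels each break in the timeline, so a jump such as May 5 13:05:29 to Jun 9 21:19:06 is recognised as the clock being set after a reboot rather than as erased entries. The sample lines, the 6-hour threshold, the assumed year and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

BOOT_DEFAULT = (5, 5)               # (month, day) shown before NTP sync, per the thread
GAP_THRESHOLD = timedelta(hours=6)  # assumed: longer silences are worth a look
ASSUMED_YEAR = 2020                 # syslog timestamps carry no year

# Constructed sample in BusyBox syslogd format, not taken from a real router.
SAMPLE_LOG = """\
Jun  9 20:58:11 dnsmasq[301]: possible DNS-rebind attack detected: example.invalid
Jun  9 21:02:40 kernel: DROP IN=eth0 OUT= SRC=198.51.100.7
May  5 13:05:07 syslogd started: BusyBox
May  5 13:05:29 kernel: klogd started
Jun  9 21:19:06 ntp: Initial clock set
Jun  9 21:20:15 dnsmasq[298]: started
Jun 11 08:00:00 kernel: DROP IN=eth0 OUT= SRC=198.51.100.9
"""

def parse_ts(line):
    """Parse the 15-character 'Mon DD HH:MM:SS' prefix of a syslog line."""
    return datetime.strptime(f"{ASSUMED_YEAR} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_discontinuities(text):
    """Return (line_no, kind, previous_ts, ts) for each break in the timeline."""
    findings, prev, booting = [], None, False
    for no, line in enumerate(text.splitlines(), 1):
        try:
            ts = parse_ts(line)
        except ValueError:
            continue  # continuation line or other text without a timestamp
        on_default = (ts.month, ts.day) == BOOT_DEFAULT
        if prev is not None:
            if ts < prev:
                # Time ran backwards: a reboot if it landed on the default date.
                kind = "reboot" if on_default else "clock_backwards"
                findings.append((no, kind, prev, ts))
            elif ts - prev > GAP_THRESHOLD:
                # A forward jump straight after boot is the NTP step, not a hole.
                kind = "ntp_sync" if booting else "gap"
                findings.append((no, kind, prev, ts))
        booting, prev = on_default, ts
    return findings

if __name__ == "__main__":
    for no, kind, prev, ts in find_discontinuities(SAMPLE_LOG):
        print(f"line {no}: {kind:15} {prev:%b %d %H:%M:%S} -> {ts:%b %d %H:%M:%S}")
```

A `gap` result is only a prompt to look further, and because the year is assumed, a December-to-January rollover or a log genuinely written on May 5 will be mislabelled.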
 
Also re dns rebinds, the log was probably telling you that it had prevented a rebind attempt. This was probably caused by you, someone connected to your network or an IOT device connecting to a less than reputable site.
 
How can it be user error or misunderstanding if what I just described is what I've read/found in the system log?

For starters, I don't think you understand what a DNS rebind attack is. Protection against these (which are coming from the LAN, not from the router), is actually a security measure only available in my firmware. Switching to the stock firmware without this will actually reduce your network security, not improve it.

Same with DNSSEC validation or DNS over TLS - more security features that are not available in the stock firmware, so switching to the stock firmware will once again reduce your security.

As for Download Master, I've been telling people for 6+ years now to not use this. It's not part of my firmware, it's an external add-on, and I've been saying for years that running a torrent client on your primary network firewall is a bad idea.

To those who are considering using other Firmware not released by the actual company who made your router, do not do it especially if the software looks like its free.

So, nobody should be running Linux over Windows because Linux is free?
 
Also re dns rebinds, the log was probably telling you that it had prevented a rebind attempt. This was probably caused by you, someone connected to your network or an IOT device connecting to a less than reputable site.

That makes sense. I was in the middle of figuring out which connected device is the culprit by blocking each one by one starting from the most recent device I added to the network. But then just decided to replace Merlin with the latest Firmware from Asus as I got locked out from our own network... Had to do something and re-bricking the router worked though. Our Internet Connection is faster than ever using the latest Asus Firmware. Will check out what's new. Appreciate the tips though. Thank you.
 
May 5 is the default date the router boots with. There is no hardware or battery backed clock, so an arbitrary date is used until NTP syncs. I bet if you scroll back through the logs (or check in /jffs) you will find the "missing" logs.

For a more robust log system, I suggest looking into the Scribe project which leverages syslog-ng

What do you mean "default date the router boots with"? I always turn off the router when we go to sleep if that's what you mean? Also how frequent does NTP sync?
 
For starters, I don't think you understand what a DNS rebind attack is. Protection against these (which are coming from the LAN, not from the router), is actually a security measure only available in my firmware. Switching to the stock firmware without this will actually reduce your network security, not improve it.

Same with DNSSEC validation or DNS over TLS - more security features that are not available in the stock firmware, so switching to the stock firmware will once again reduce your security.

As for Download Master, I've been telling people for 6+ years now to not use this. It's not part of my firmware, it's an external add-on, and I've been saying for years that running a torrent client on your primary network firewall is a bad idea.

When the router was using Merlin, I enabled the feature to protect from DNS Rebind Attacks. That is probably one reason the related reports in the log also appeared. Some strange things that I recently experienced with Merlin before I went back to the official Asus Firmware are:
  1. Our Internet Connection noticeably slowed down over time to a point that streaming videos always needed to buffer longer.
  2. The password text is automatically shown/displayed in the corresponding Password field and the checkbox suddenly got ticked on when I paste a text on the field.
  3. Had to frequently change Name Servers so access speed will become acceptable for a period of time before it goes back to a crawl again. This happens more frequently the longer I stayed using a particular version of a Firmware.
  4. Got locked out of our own network
Merlin was quite good and I like it when it was working before. Thanks for developing the software. I just got back to using the official firmware from Asus and my Internet access speed went back to its acceptably normal rate. I'm sure everything will bog down again soon because that seems to be the normal process with this router. By then, will have to update or replace the Firmware again. Anyhow, I won't be using Download Master now and might just have to set up a separate temp machine for torrent downloading if needed.

So, nobody should be running Linux over Windows because Linux is free?

If it's paid, you can hold the company more accountable. It really depends on how stable / reliable the software is. It's just that this time, my experience with the recent version of Merlin is not that good.
 
