What's new

Deciphering the event logs

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

leerees

Senior Member
Some of them are obvious, i.e. roamast removes a client from an AP. However, many of us are facing issues with our routers, understanding what all the events mean might enable us to pinpoint and diagnose problems ourselves.

Could those who talk to people like RMerlin ask if there's anything they could share with the forum?

Update:

Wifi related:
Reason Codes - Disconnection & De-Authentication Issues (aboutcher.co.uk)
 
Last edited:
No such guide. Search is your friend. :)
 
You're asking for documentation as to what the whole Linux kernel as well as dozens of userspace applications send to it. Explaining that would fill multiple books.
 
Is there no shortcuts, maybe a list of the applications related to our routers that we could expect to see in the logs? Looking in my logs I only see about 20 different applications. When a crash occurs if we knew what the app was maybe we could use that as a starting point to try and figure out what the problem is. When diagnosing problems in Windows I look at the event logs to figure out the offending app. However, many of us are not linux people and most of the apps have cryptic names.

There are many threads from users who have firmware issues, with no support from Asus we have no choice but to try and figure things out ourselves.
 
Last edited:
Is there no shortcuts, maybe a list of the applications related to our routers that we could expect to see in the logs?

No. It's not something that's documented, it's something that requires people to read through source code to understand what they mean - and many times the code generating those messages isn't available to the general public, so only engineers know what they mean.
 
I managed to find this (link in OP)

Example:
Jan 22 15:20:29 wlceventd: wlceventd_proc_event(481): eth7: Disassoc 04:D9:F5:31:7E:E8, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8)

eth7: Port
BSS = Your router / node
(8) = This is the reason code.
STA = Wifi client

CodeReasonExplanation
0ReservedNormal working operation
1Unspecific ReasonWe don’t know what’s wrong
2Previous authentication no longer validClient has associated but is not authorised.
3Deauthenticated because sending STA is leaving (or has left) IBSS or ESSThe access point went offline, deauthenticating the client.
4Disassociated due to inactivityClient session timeout exceeded.
5Disassociated because AP is unable to handle all currently associated STAsThe access point is busy, performing load balancing, for example.
6Class 2 frame received from nonauthenticated STAClient attempted to transfer data before it was authenticated.
7Class 3 frame received from nonassociated STAClient attempted to transfer data before it was associated.
8Disassociated because sending STA is leaving (or has left) BSSOperating System moved the client to another access point using non-aggressive load balancing.
9STA requesting (re)association is not authenticated with responding STAClient not authorized yet, still attempting to associate with an access point.
10Disassociated because the information in the Power Capability element is unacceptable
11Disassociated because the information in the Supported Channels element is unacceptable
12ReservedNot Used or Special Purpose
13Invalid information element.
14Message integrity code (MIC) failure
154-Way Handshake timeout
16Group Key Handshake timeout
17Information element in 4-Way Handshake different from (Re)Association Request/Probe
Response/Beacon frame
18Invalid group cipher
or
Association denied due to requesting STA not supporting all of the data rates in the BSSBasicRateSet parameter
*NEW*
The link speed requested by the client or AP is incompatible. (i,e. trying to operate N only speeds on a G AP)
19Invalid pairwise cipher
20Invalid AKMP
21Unsupported RSN information element version
22Invalid RSN information element capabilities
23IEEE 802.1X authentication failed
24Cipher suite rejected because of the security policy
25-31ReservedNot Used or Special Purpose
32Disassociated for unspecified, QoS-related reasonQuality of Service has denied the action.
33Disassociated because QoS AP lacks sufficient bandwidth for this QoS STA
34Disassociated because excessive number of frames need to be acknowledged, but are not
acknowledged due to AP transmissions and/or poor channel conditions
35Disassociated because STA is transmitting outside the limits of its TXOPs
36Requested from peer STA as the STA is leaving the BSS (or resetting)
37Requested from peer STA as it does not want to use the mechanism
38Requested from peer STA as the STA received frames using the mechanism for which a
setup is required
39Requested from peer STA due to timeout
45Peer STA does not support the requested cipher suite
45-65ReservedNot Used or Special Purpose
99Typically “No Reason Code” / Unknown State
535ReservedNot Used or Special Purpose
 
Last edited:
I managed to find this (link in OP)

8 Disassociated because sending STA is leaving (or has left) BSS Operating System moved the client to another access point using non-aggressive load balancing.

This explanation is a little odd to me and may be a catch-all description. I don't use any smart connect, aiMesh, etc. Yet I see quite a few (8) in my logs and always have. Don't see how the operating system is "moving" anything to another access point when I don't even have another access point. I'd take these explanations with a grain of salt.
 
Last edited:
You're asking for documentation as to what the whole Linux kernel as well as dozens of userspace applications send to it. Explaining that would fill multiple books.
One reason Linux hasn’t and never will be a client/consumer operating system.
 
One reason Linux hasn’t and never will be a client/consumer operating system.

That's not true. Look at the Windows Event Log, tell me that's any better.
 
Event logs are used for debugging and the events/logs themselves contain info useful to developers and engineers usually for their own troubleshooting purposes so that they can figure out exactly which function is throwing an exception when there are logical errors or other problems in their code. While some events might be useful for the average Joe who is troubleshooting an issue, 95%+ are not useful to the general user population.

Generally you'll find troubleshooting documentation with any product for ways to solve common problems, as well as guidelines to ensure the best setup (to avoid problems). Leave the debug and event logs to the developers/engineers, upon request only of course. ;)
 
Last edited:
The logs aren’t, but the info and documentation is available to help people figure it out.

One thing about Microsoft is everything is documented.

This is what the OP asked about - documentation on how to interpret the content of the log.

Documentation on components of a Linux distro varies from one component to another, but it's out there, you just have to look for it.
 

Similar threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top