Log and Traffic Stat Retention

[bitmonster]

Hi everyone..

When the router reboots traffic stats analysis are lost - is it possible to retain this between reboots?

Also - if I want to keep logs securely so they can't be wiped in case of a hack - can this be retained somewhere safely via the log server option? If the log server is down will it cache until back up and transfer?
Ideally I would like to burn ongoing to a CD left in a PC when it boots up or something. Eventually, maybe even a USB CD burner left plugged in to the router. I'm sure logs would take forever to fill a CD or DVD and it's so cheap these days, and physically impossible to wipe.

 

[waeking]

To save your traffic stats you can either manually mount a cifs drive or use a usb drive and change the settings under Tools > Other Settings>Traffic history location.

Under System Log > General Log there are settings to use a remote syslog server.

 

[bitmonster]

Thanks.
So CIFS drive is a USB stick in the USB2 port, which I can also include a Swap file on I believe.

So 8GB stick should do it.

Sent from my SM-G965F using Tapatalk

 

[ColinTaylor]

So CIFS drive is a USB stick...

No CIFS is something else. Just ignore that bit and use a USB stick as you have planned. A USB stick is a USB stick is a USB stick .

 

[bitmonster]

Thanks... USB3 stick formatted EXT4 it is, and I assume I can easily point Swap and whatever else to that.

As for the log server, I will have to work out a permanent solution even if that's a dedicated device to just be the log server. I'd like to burn it to disc rolling-along in case anything ever happens. I assume it would take *forever* to fill up a disc with logs.

 

[ColinTaylor]

As for the log server, I will have to work out a permanent solution even if that's a dedicated device to just be the log server. I'd like to burn it to disc rolling-along in case anything ever happens. I assume it would take *forever* to fill up a disc with logs.

Yes it will take forever. TBH we all start out thinking "wouldn't it be a great idea if I backed up my log files just in case..." Then after we've set it up we come to realise it was a waste of time. We almost never look at the logs files and when we do it's the logs on the router not the backup. It might be different if you're setting up a small business network where you want some sort of audit trail, but for home use it has little value IMHO. YMMV.

To answer your earlier question, if the remote syslog server is offline the router won't buffer the logs, they will be lost. So you'd need to put the remote syslog server on something that's always on. If you don't already have such a device you could use something like a raspberry pi.

 

[bitmonster]

Thanks for saving me a potential waste of time. It would be handy if it could save it to a USB stick or something but it seems it's not really necessary.

 

[bitmonster]

Still would be handy if I could save logs to USB though - I have a 16GB flash drive plugged in. I wonder if there are sophisticated parsing tools that could analyse and display a summary type thing.

If not I'll just leave a Linux laptop running all weekend pulling in logs and see if I can analyse it.

Just interested more than anything.

Is there any way to pull in IDS and firewall logs too?

I have also now set the Traffic Stats to the USB flash drive. It seems to have retained all stats so far though.

 

[ColinTaylor]

Still would be handy if I could save logs to USB though

The router's current and previous syslog are stored in /tmp with periodic copying of these files to /jffs so that they can be preserved across reboots. A crude solution could be to setup a cron job that copied these files to the USB disk, say once a day. Obviously you'd have to append a date stamp to the end of the filenames.

There are various software tools that can analyse syslog files, but out of the box they don't do much for an Asus router. You'd have to create some tailored templates. Have a look at the router's syslog and see if there's anything there that you might be interested in. Normally, after the system has finished booting up, there's very little in the log apart from DHCP messages.

 

[Martineau]

Still would be handy if I could save logs to USB though

Perhaps this will give you ideas Permanently moving syslog.log over to a USB Drive?

I have a 16GB flash drive plugged in. I wonder if there are sophisticated parsing tools that could analyse and display a summary type thing.

If you have entware installed you may alternatively wish to consider Configuring syslog-ng with merlin firmware to provide the initial filtering - if not the actual analysis.

 

[bitmonster]

That's a great idea..
I will look at syslogng.
Does the default log self clear or rotate? It says large logs blog down the Gui.

Yes this would be very handy then I can split out by say severity level and type of events or filter repetitive unnecessary events.

Sent from my SM-G965F using Tapatalk