Scribe Scribe v3.2.2 [2025-Jul-05] - Entware syslog-ng and logrotate installer for Asuswrt-Merlin

[Martinski]

Release Notes for Scribe v3.2.2 production version now available
[2025-Jul-05]

1) IMPROVED: Set correct permissions to the "/var/lib/logrotate.status" file to avoid "world-readable status" warning message.

2) IMPROVED: Modified code triggered by the 'service-event' calls to avoid excessive repeated executions.

3) Miscellaneous code improvements.


The fork from @cmkelley's Scribe add-on is now hosted on the AMTM-OSR GitHub repo:

GitHub - AMTM-OSR/scribe: Entware syslog-ng and logrotate installer for Asuswrt-Merlin

Entware syslog-ng and logrotate installer for Asuswrt-Merlin - AMTM-OSR/scribe

github.com

For some important notes about Scribe, see the following post by @cmkelley:

Scribe - scribe 3.x_y - syslog-ng and logrotate installer

scribe v3.2_0 2023-06-11 scribe is a script that installs syslog-ng and logrotate from Entware. Filters for various common logs are included, and logrotate files to manage those logs. NOTE WELL: Looking at log files to "see if anything is wrong" is counter-productive. Log files are best used...

www.snbforums.com

 

[cmkelley]

THANK YOU!!! I greatly appreciate this move, I truly felt bad about effectively abandoning scribe, but there are too many other pressures in my life. I hope the community can keep it going.

 

[aru]

I really appreciate the Scribe and uiScribe tools—they make it easy to categorize and read system log information clearly. Not only can they collect system status from AiMesh nodes, but they also allow for flexible customization to return specific information of interest. A sincere thank you to the developers for creating such practical and powerful tools!

 

[elorimer]

For a number of years I modified the S01 (doesn't need to be S01) script to do a few things differently on startup:

1. close the messages file.
2. Write syslog up to starting syslog-ng to a new file.
3. read in that new file once to syslog-ng, filtered to a new messages file, with the current timestamp.
4. write further messages to the new messages file.

That gave me in the gui a messages file that started from the boot of the router, in order with a timestamp starting from the start of syslog-ng. If for diagnostic purposes I wanted to see what had happened to restart the router, I could go to the old messages file. But otherwise it was a current state.

I stopped doing that a few versions ago, because I had to keep revising the overwritten S01 on an update. But it could be an interesting feature to toggle on.

 

[ColDen]

I was away for the rest of the day yesterday soon after having updated Scribe and uiScribe and noticed this morning in the logrotate.log the following (was for me the first time seeing such verbatim display starting from lines in red):

Jul 6 00:05:01 GT-AX6000-1110 logrotate: logrotate state -- version 2
Jul 6 00:05:01 GT-AX6000-1110 logrotate: "/opt/var/log/wlceventd.log" 2025-7-6-0:5:0
Jul 6 00:05:01 GT-AX6000-1110 logrotate: "/opt/var/log/messages" 2025-7-2-0:0:0
Jul 6 00:05:01 GT-AX6000-1110 logrotate: "/opt/var/log/logrotate.log" 2025-7-2-0:0:0
Jul 6 00:05:01 GT-AX6000-1110 logrotate: "/opt/var/log/syslog-ng.log" 2025-7-6-0:5:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: logrotate state -- version 2
Jul 6 00:45:01 GT-AX6000-1110 logrotate: rotate.status is world-readable and thus can be locked from other unprivileged users. Skipping lock acquisition...
Jul 6 00:45:01 GT-AX6000-1110 logrotate: warning: state file /var/lib/logrotate.status is worllogrotate state -- version 2
Jul 6 00:45:01 GT-AX6000-1110 logrotate: can be locked from other unprivileged users. Skipping lock acquisition...
warning: state file /var/lib/logrotate.status is worllogrotate state -- version 2
"/opt/var/log/wlceventd.log" 2025-7-6-0:5:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/messages" 2025-7-2-0:0:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/logrotate.log" 2025-7-2-0:0:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/syslog-ng.log" 2025-7-6-0:5:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: usrepeater.com
192.168.50.1 www.asusap.com
192.168.50.1 asusap.com
192.168.50.1 www.asusswitch.com
192.168.50.1 asusswitch.com
192.168.50.1 router.asus.com
192.168.50.1 repeater.asus.com
192.168.50.1 ap.asus.com
192.168.50.1 www.asusnetwork.net
192.168.50.1 asusswitch.net
192.168.50.1 asusrepeater.net
192.168.50.1 asusap.net
192.168.50.1 zenwifi.net
192.168.50.1 expertwifi.net
192.168.50.1 GT-AX6000. GT-AX6000
y messages from kernel

filter f_blank {
program("kernel") and
message("^ *$");
};

log {
source(src);
filter(f_blank);
flags(final);
};

#eof
# gather logrotate logs together for unified log

destination d_logrotate {
file("/opt/var/log/logrotate.log");
};

source s_lr_status {
file("/var/lib/logrotate.status" program-override("logrotate") flags(no-parse));
};

source s_lr_daily {
file("/opt/tmp/logrotate.daily" program-override("logrotate") flags(no-parse));
};

log {
source(s_lr_status);
source(s_lr_daily);
destination(d_logrotate);
flags(final);
};

#eof
# this MUST BE the file configured in Skynet as the syslog.log location
# DO NOT use /tmp/syslog.log or /opt/var/log/messages here!
destination d_skynet {
file("/opt/var/log/skynet-0.log");
};

# logs everything from Skynet to /opt/var/log/skynet-0.log
filter f_skynet {
program("Skynet") or
message("BLOCKED -") or
message("DROP IN=");
};

# final flag stops processing of messages matching the f_skynet filter
log {
source(src);
filter(f_skynet);
destination(d_skynet);
flags(final);
};

#eof
# put syslog-ng's logging stats into /opt/var/log/syslog-ng.log

destination d_syslogng {
file("/opt/var/log/syslog-ng.log");
};

filter f_syslogng {
program("syslog-ng")
};

log {
source(src);
filter(f_syslogng);
destination(d_syslogng);
flags(final);
};

#eof
# put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log

destination d_wlceventd {
file("/opt/var/log/wlceventd.log");
};

filter f_wlceventd {
( ( program("WLCEVENTD") or
program("wlceventd") ) and
( message("ssoc") or
message("uth") ) ) or
( program("syslog") and
message("wlceventd") );
};

log {
source(src);
filter(f_wlceventd);
destination(d_wlceventd);
flags(final);
};

#eof

options {
chain_hostnames(no); # Enable or disable the chained hostname format.
create_dirs(yes);
keep_hostname(yes); # Enable or disable hostname rewriting.
log_fifo_size(256); # The number of messages that the output queue can store.
log_msg_size(16384); # Maximum length of a message in bytes.
stats(freq(21600)); # The period between two STATS messages sent by syslog-ng, containing statistics about dropped logs in seconds; 0 disables. (21,600 seconds = 6 hours)
flush_lines(0); # How many lines are flushed to a destination at a time.
use_fqdn(no); # Add Fully Qualified Domain Name instead of short hostname.
};

# syslog-ng gets messages from the system, kernel, and syslog-ng (internal)
# DO NOT use system() source; causes issues on HND routers
# so_rcvbuf = maximum number of messages per second * 1024
source src {
unix-dgram("/dev/log" so_rcvbuf(65536) flags(syslog-protocol));
file("/proc/kmsg" program_override("kernel") flags(kernel));
internal();
# udp(ip(192.168.x.y) port(514)); # uncomment this line to pass all network messages through syslog-ng filters
};

# if you only want to pass network messages through some syslog-ng filters, uncomment the source line below
# then add "source(net);" to the log statement in any filter you want to pass network messages through
#source net { udp(ip(192.168.x.y) port(514)); };

# set the filename for the default log file - anything not filtered out will end up here
destination messages { file("/opt/var/log/messages"); };

# to send log messages to the local network, unc0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: logrotate state -- version 2
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/wlceventd.log" 2025-7-6-0:5:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/messages" 2025-7-2-0:0:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/logrotate.log" 2025-7-2-0:0:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/syslog-ng.log" 2025-7-6-0:5:0
Jul 6 01:00:01 GT-AX6000-1110 logrotate: logrotate state -- version 2
Jul 6 01:00:01 GT-AX6000-1110 logrotate: "/opt/var/log/wlceventd.log" 2025-7-6-0:5:0
Jul 6 01:00:01 GT-AX6000-1110 logrotate: "/opt/var/log/messages" 2025-7-2-0:0:0
Jul 6 01:00:01 GT-AX6000-1110 logrotate: "/opt/var/log/logrotate.log" 2025-7-2-0:0:0

I am wondering if this was to be expected or that something was not coded right for the latest Scribe revision.

 

[elorimer]

Something looks corrupted. I don't think those error messages before the red should be there, and then stuff looks garbled. I would force reinstall scribe.

 

[ColDen]

Something looks corrupted. I don't think those error messages before the red should be there, and then stuff looks garbled. I would force reinstall scribe.

I agree with you that something looks corrupted but do not want to reinstall scribe until @Martinski comments (might whant me to test something) since everything else still seem to correctly be displayed.

 

[elorimer]

I follow. But all the red stuff is wrong, and the lock file messages were fixed before but came out corrupted. Something in logrotate is now spitting out things from syslog-ng, and neither one of those is easy to debug.

 

[Martinski]

For a number of years I modified the S01 (doesn't need to be S01) script to do a few things differently on startup:

1. close the messages file.
2. Write syslog up to starting syslog-ng to a new file.
3. read in that new file once to syslog-ng, filtered to a new messages file, with the current timestamp.
4. write further messages to the new messages file.

That gave me in the gui a messages file that started from the boot of the router, in order with a timestamp starting from the start of syslog-ng. If for diagnostic purposes I wanted to see what had happened to restart the router, I could go to the old messages file. But otherwise it was a current state.

I stopped doing that a few versions ago, because I had to keep revising the overwritten S01 on an update. But it could be an interesting feature to toggle on.

So far, I haven't had the need to use Scribe in my own ASUS routers, so I'm not very familiar with how things work internally, or with the minute details of the startup sequence and execution flow during reboot. Given my very limited knowledge in this area at the moment, I cannot say I fully understand what exactly the problem is that you're trying to address with your changes in the 'S01syslog-ng' service script.

Note that all AMTM-OSR GitHub repos are open to accept Pull Requests from anyone, so perhaps if you clearly state the nature of the problem and the symptoms you observe, any of us here in this forum, who is able and willing to lend a hand, could give it a try to address the issue you reported.

 

[Martinski]

I was away for the rest of the day yesterday soon after having updated Scribe and uiScribe and noticed this morning in the logrotate.log the following (was for me the first time seeing such verbatim display starting from lines in red):

Jul 6 00:05:01 GT-AX6000-1110 logrotate: logrotate state -- version 2
Jul 6 00:05:01 GT-AX6000-1110 logrotate: "/opt/var/log/wlceventd.log" 2025-7-6-0:5:0
Jul 6 00:05:01 GT-AX6000-1110 logrotate: "/opt/var/log/messages" 2025-7-2-0:0:0
Jul 6 00:05:01 GT-AX6000-1110 logrotate: "/opt/var/log/logrotate.log" 2025-7-2-0:0:0
Jul 6 00:05:01 GT-AX6000-1110 logrotate: "/opt/var/log/syslog-ng.log" 2025-7-6-0:5:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: logrotate state -- version 2
Jul 6 00:45:01 GT-AX6000-1110 logrotate: rotate.status is world-readable and thus can be locked from other unprivileged users. Skipping lock acquisition...
Jul 6 00:45:01 GT-AX6000-1110 logrotate: warning: state file /var/lib/logrotate.status is worllogrotate state -- version 2
Jul 6 00:45:01 GT-AX6000-1110 logrotate: can be locked from other unprivileged users. Skipping lock acquisition...
warning: state file /var/lib/logrotate.status is worllogrotate state -- version 2
"/opt/var/log/wlceventd.log" 2025-7-6-0:5:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/messages" 2025-7-2-0:0:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/logrotate.log" 2025-7-2-0:0:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/syslog-ng.log" 2025-7-6-0:5:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: usrepeater.com
192.168.50.1 www.asusap.com
192.168.50.1 asusap.com
192.168.50.1 www.asusswitch.com
192.168.50.1 asusswitch.com
192.168.50.1 router.asus.com
192.168.50.1 repeater.asus.com
192.168.50.1 ap.asus.com
192.168.50.1 www.asusnetwork.net
192.168.50.1 asusswitch.net
192.168.50.1 asusrepeater.net
192.168.50.1 asusap.net
192.168.50.1 zenwifi.net
192.168.50.1 expertwifi.net
192.168.50.1 GT-AX6000. GT-AX6000
y messages from kernel

filter f_blank {
program("kernel") and
message("^ *$");
};

log {
source(src);
filter(f_blank);
flags(final);
};

#eof
# gather logrotate logs together for unified log

destination d_logrotate {
file("/opt/var/log/logrotate.log");
};

source s_lr_status {
file("/var/lib/logrotate.status" program-override("logrotate") flags(no-parse));
};

source s_lr_daily {
file("/opt/tmp/logrotate.daily" program-override("logrotate") flags(no-parse));
};

log {
source(s_lr_status);
source(s_lr_daily);
destination(d_logrotate);
flags(final);
};

#eof
# this MUST BE the file configured in Skynet as the syslog.log location
# DO NOT use /tmp/syslog.log or /opt/var/log/messages here!
destination d_skynet {
file("/opt/var/log/skynet-0.log");
};

# logs everything from Skynet to /opt/var/log/skynet-0.log
filter f_skynet {
program("Skynet") or
message("BLOCKED -") or
message("DROP IN=");
};

# final flag stops processing of messages matching the f_skynet filter
log {
source(src);
filter(f_skynet);
destination(d_skynet);
flags(final);
};

#eof
# put syslog-ng's logging stats into /opt/var/log/syslog-ng.log

destination d_syslogng {
file("/opt/var/log/syslog-ng.log");
};

filter f_syslogng {
program("syslog-ng")
};

log {
source(src);
filter(f_syslogng);
destination(d_syslogng);
flags(final);
};

#eof
# put wlceventd Assoc/ReAssoc/Disassoc messages into /opt/var/log/wlceventd.log

destination d_wlceventd {
file("/opt/var/log/wlceventd.log");
};

filter f_wlceventd {
( ( program("WLCEVENTD") or
program("wlceventd") ) and
( message("ssoc") or
message("uth") ) ) or
( program("syslog") and
message("wlceventd") );
};

log {
source(src);
filter(f_wlceventd);
destination(d_wlceventd);
flags(final);
};

#eof

options {
chain_hostnames(no); # Enable or disable the chained hostname format.
create_dirs(yes);
keep_hostname(yes); # Enable or disable hostname rewriting.
log_fifo_size(256); # The number of messages that the output queue can store.
log_msg_size(16384); # Maximum length of a message in bytes.
stats(freq(21600)); # The period between two STATS messages sent by syslog-ng, containing statistics about dropped logs in seconds; 0 disables. (21,600 seconds = 6 hours)
flush_lines(0); # How many lines are flushed to a destination at a time.
use_fqdn(no); # Add Fully Qualified Domain Name instead of short hostname.
};

# syslog-ng gets messages from the system, kernel, and syslog-ng (internal)
# DO NOT use system() source; causes issues on HND routers
# so_rcvbuf = maximum number of messages per second * 1024
source src {
unix-dgram("/dev/log" so_rcvbuf(65536) flags(syslog-protocol));
file("/proc/kmsg" program_override("kernel") flags(kernel));
internal();
# udp(ip(192.168.x.y) port(514)); # uncomment this line to pass all network messages through syslog-ng filters
};

# if you only want to pass network messages through some syslog-ng filters, uncomment the source line below
# then add "source(net);" to the log statement in any filter you want to pass network messages through
#source net { udp(ip(192.168.x.y) port(514)); };

# set the filename for the default log file - anything not filtered out will end up here
destination messages { file("/opt/var/log/messages"); };

# to send log messages to the local network, unc0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: logrotate state -- version 2
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/wlceventd.log" 2025-7-6-0:5:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/messages" 2025-7-2-0:0:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/logrotate.log" 2025-7-2-0:0:0
Jul 6 00:45:01 GT-AX6000-1110 logrotate: "/opt/var/log/syslog-ng.log" 2025-7-6-0:5:0
Jul 6 01:00:01 GT-AX6000-1110 logrotate: logrotate state -- version 2
Jul 6 01:00:01 GT-AX6000-1110 logrotate: "/opt/var/log/wlceventd.log" 2025-7-6-0:5:0
Jul 6 01:00:01 GT-AX6000-1110 logrotate: "/opt/var/log/messages" 2025-7-2-0:0:0
Jul 6 01:00:01 GT-AX6000-1110 logrotate: "/opt/var/log/logrotate.log" 2025-7-2-0:0:0

I am wondering if this was to be expected or that something was not coded right for the latest Scribe revision.

I'm not familiar at all with the inner workings of the logrotate or syslog-ng Entware packages, so I can't really help much in debugging problems like the one you're seeing. My 1st suggestion would be to run the following command to gather some debug information when you observe the problem:

/jffs/scripts/scribe debug

Once it's completed, post the results, and then uninstall and reinstall Scribe. Also, I'd suggest double-checking all your current filter files to make sure they have the correct format and are not corrupted.

In the meantime, I'm modifying the script to gather a few more bits of debug info, and add new parameters to be able to switch between the 'develop' and the 'stable' branches (this functionality does not exist in the current version).

 

[elorimer]

I cannot say I fully understand what exactly the problem is that you're trying to address with your changes in the 'S01syslog-ng' service script.

It isn't a problem that needs fixing. Purely aesthetics.

When syslog-ng starts up several hundred messages have already been logged to syslog.tmp. The S01 helper appends those messages to messages, stops syslogd and klogd, and then syslog-ng takes over for new log messages to be filtered to separate destinations and if not then to messages. The result is a messages file spanning one or more reboots, with a sequence of messages with the firmware date stamp, then carrying on with the current date stamp.

What I was doing was creating a messages file that started with the current boot sequence and the current time.

 

[cmkelley]

For a number of years I modified the S01 (doesn't need to be S01) script to do a few things differently on startup:

1. close the messages file.
2. Write syslog up to starting syslog-ng to a new file.
3. read in that new file once to syslog-ng, filtered to a new messages file, with the current timestamp.
4. write further messages to the new messages file.

That gave me in the gui a messages file that started from the boot of the router, in order with a timestamp starting from the start of syslog-ng. If for diagnostic purposes I wanted to see what had happened to restart the router, I could go to the old messages file. But otherwise it was a current state.

I stopped doing that a few versions ago, because I had to keep revising the overwritten S01 on an update. But it could be an interesting feature to toggle on.

That was on my to-do list when life got in the way. You could always write a patch against the S01 script and submit to AMTM-OSR.

 

[ColDen]

I'm not familiar at all with the inner workings of the logrotate or syslog-ng Entware packages, so I can't really help much in debugging problems like the one you're seeing. My 1st suggestion would be to run the following command to gather some debug information when you observe the problem:

/jffs/scripts/scribe debug

Once it's completed, post the results, and then uninstall and reinstall Scribe. Also, I'd suggest double-checking all your current filter files to make sure they have the correct format and are not corrupted.

In the meantime, I'm modifying the script to gather a few more bits of debug info, and add new parameters to be able to switch between the 'develop' and the 'stable' branches (this functionality does not exist in the current version).

Thanks for the reply and suggestions @Martinski.

Unfortunately, I have already reinstall Scribe (using option is) last evening and (as expected) saw that the problem was now gone this morning. If I see that problem again or another similar one with Scribe, I will use your debug script and post as suggested (note that I was previously running the latest dev version of Scribe and uiScribe prior to update to the current prod version).

 

[Martinski]

It isn't a problem that needs fixing. Purely aesthetics.

When syslog-ng starts up several hundred messages have already been logged to syslog.tmp. The S01 helper appends those messages to messages, stops syslogd and klogd, and then syslog-ng takes over for new log messages to be filtered to separate destinations and if not then to messages. The result is a messages file spanning one or more reboots, with a sequence of messages with the firmware date stamp, then carrying on with the current date stamp.

What I was doing was creating a messages file that started with the current boot sequence and the current time.

OK, I understand now. Thanks for the explanation and clarification. Based on your previous posts, it sounds like you already had a solution that was working well for you.

Would you mind sharing your modified 'S01syslog-ng' script that includes your changes?

Or, if you prefer, you could submit a pull request to the 'develop' branch, where we can review the code and integrate it into the next production release.

 

[Martinski]

Thanks for the reply and suggestions @Martinski.

Unfortunately, I have already reinstall Scribe (using option is) last evening and (as expected) saw that the problem was now gone this morning. If I see that problem again or another similar one with Scribe, I will use your debug script and post as suggested (note that I was previously running the latest dev version of Scribe and uiScribe prior to update to the current prod version).

OK, no worries. If you'd like to run the latest 'develop' branch v3.2.3 version, use the following command to download it:

curl -LSs --retry 4 --retry-delay 5 --retry-connrefused \
https://raw.githubusercontent.com/AMTM-OSR/scribe/develop/scribe.sh \
-o /jffs/scripts/scribe && chmod 0755 /jffs/scripts/scribe

If the same or similar problem happens again, please run the script with the 'debug' parameter to gather some system and setup information that provides context and details, which can be useful to review and analyze.

/jffs/scripts/scribe debug

To go back to the stable, production version from the 'develop' v3.2.3 version:

/jffs/scripts/scribe stable

 

[elorimer]

Would you mind sharing your modified 'S01syslog-ng' script that includes your changes?

I will fool with it a bit and see if I can recapture what I was doing. It is actually in the kill_logger() part of the helper script.

Since I last looked at the helper script, there has been a lot done to it, and there is a lot of startup stuff, including a sleep where syslogd and klogd are killed before syslog-ng starts, with other S* scripts running. I was concerned about messages being lost in there, so a lot of the startup stuff I hard coded for my installations (I understand different routers/firmwares may have different log locations that may change between firmwares, but I haven't experienced that over the years, so running it on every boot hasn't been necessary). I also moved syslog-ng from S01 to S99, on the theory there isn't any reason for it to be first. I think that is right for start but wrong for restart unless systemd and klogd are restored when S99 stops, because there is stuff logged on restart as S99 --> S01 stops and S01-->S99 starts.

In looking at it, I'm unsure now how the helpers are running. rc.unslung calls the S* scripts with the action of "restart", but if kill_logger() only runs on PRECMD, which only runs on start and not stop|restart, then the part of kill_logger that restarts systemd and klogd never really runs.