
Syslog logging levels


Mpuk7

Regular Contributor
Hi all,

I'm just working out what would be the most suitable logging level for my needs. The default level has lots of recurring entries as below filling the logs:
Mar 14 00:48:18 dnsmasq-dhcp[1745]: DHCPDISCOVER(br0) 00:50:c2:a5:e0:00
Mar 14 00:48:18 dnsmasq-dhcp[1745]: DHCPOFFER(br0) 192.168.1.198 00:50:c2:a5:e0:00
Mar 14 00:49:21 dnsmasq-dhcp[1745]: DHCPDISCOVER(br0) 00:50:c2:a5:e0:00
Mar 14 00:49:21 dnsmasq-dhcp[1745]: DHCPOFFER(br0) 192.168.1.198 00:50:c2:a5:e0:00

I'm mainly interested in anything that might be unauthorised activity and network access generally etc. I wasn't sure if there might be any info on what the different logging levels etc. record or what might work best in my case?
 
You can either
1) edit the log to delete known devices present on a whitelist. (Only NON-whitelisted devices will remain)
OR
2) you can parse the log for NON-whitelisted devices and create a new syslog entry when they are discovered. (This is done to leave the original system log history intact).

Use this command to delete any lines from the system log with a matching MAC address.
Code:
sed -i '/MACADDR/d' /tmp/syslog.log

Use this command to only show log entries that have the word DHCP
Code:
cat /tmp/syslog.log | grep "DHCP"

Use this command to create your own system log entry

Code:
logger  -t "Entry Tag" "Entry Output"

Perhaps change dnsmasq logging destination so you don't have to parse the entire system log.

Perhaps just check active dhcp leases /tmp/var/lib/misc/dnsmasq.leases
 
Good info FreshJR. Is there a way to make those commands (like the sed) permanent? So they never show up later too in the GUI logs
 

Put it into a script and have the script execute every hour using cron.

sed is like using "find and replace" inside a text editor.
Find "MAC" -> delete line, that's it

Depending how large the log file gets, maybe look up how to parse only the last 200 lines. I do not know the answer to parse last X lines off the top of my head.

--

Better yet, modify the web page and introduce a button to "filter dnsmasq entries" on demand.

--

I would produce a solution, but supporting my existing releases has taken more time than I expected it to.
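
An added example, not part of the original posts: option 2 from the earlier reply (flag non-whitelisted devices with a new syslog entry and leave the log intact), restricted to the last N lines with `tail -n` so it can run from an hourly cron job. The allowlist path and format, the `dhcp-watch` tag and the `--demo`/`--report` switches are assumptions, and the second MAC in the sample is constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumptions: the hypothetical allowlist path
# (one MAC per line) and the "dhcp-watch" tag. /tmp/syslog.log is from the thread.

# Print each MAC (lowercased, once) seen in a dnsmasq-dhcp entry within the last
# N lines of the log and absent from the allowlist. A missing allowlist means
# nothing is known, so every MAC is reported.
unknown_macs() {   # usage: unknown_macs LOGFILE ALLOWFILE [LINES]
    tail -n "${3:-200}" "$1" | awk -v allow="$2" '
        BEGIN {
            while ((getline l < allow) > 0) {
                sub(/#.*/, "", l); gsub(/[ \t\r]/, "", l)  # comments, blanks, CR
                if (l != "") known[tolower(l)] = 1
            }
        }
        /dnsmasq-dhcp\[/ {      # also skips the entries this script writes
            for (i = 1; i <= NF; i++) {
                m = tolower($i)
                if (length(m) == 17 && m ~ /^([0-9a-f][0-9a-f]:)+[0-9a-f][0-9a-f]$/ &&
                    !(m in known) && !(m in seen)) { seen[m] = 1; print m }
            }
        }'
}

# Write one new syslog entry per unknown MAC; the original log stays intact.
report_unknown() {
    unknown_macs "$@" | while read -r mac; do
        logger -t "dhcp-watch" "DHCP activity from non-whitelisted MAC $mac"
    done
}

demo() {   # constructed sample; the first two log lines are quoted from the thread
    d=$(mktemp -d) || return 1
    cat > "$d/log" <<'EOF'
Mar 14 00:48:18 dnsmasq-dhcp[1745]: DHCPDISCOVER(br0) 00:50:c2:a5:e0:00
Mar 14 00:48:18 dnsmasq-dhcp[1745]: DHCPOFFER(br0) 192.168.1.198 00:50:c2:a5:e0:00
Mar 14 00:50:02 dnsmasq-dhcp[1745]: DHCPREQUEST(br0) 192.168.1.77 02:00:5E:10:00:01
Mar 14 00:50:02 dnsmasq-dhcp[1745]: DHCPACK(br0) 192.168.1.77 02:00:5E:10:00:01 cam
Mar 14 00:51:00 dhcp-watch: DHCP activity from non-whitelisted MAC 02:00:5e:10:00:02
EOF
    printf '00:50:C2:A5:E0:00  # known device\n' > "$d/allow"
    unknown_macs "$d/log" "$d/allow" 200
    rm -rf "$d"
}

case "${1:-}" in
    --demo)   demo ;;
    --report) report_unknown "${LOG:-/tmp/syslog.log}" "${ALLOW:-/jffs/known_macs.txt}" "${TAIL_LINES:-200}" ;;
esac
```

A MAC that stays inside the scanned window is reported again on each run, so the line count should roughly match how much the log grows between cron runs.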
 
There's a setting to hide DHCP queries, I think it's under the LAN tab. Will check when I have access to the router.
 
Ah. Assuming this is wireless mac filtering, do they even make it to dhcp to be rejected? I would have thought they were denied as part of the wireless authentication process earlier.
 

I was going to say to change the wireless password as well. Lol
 
Shamefully I only have MAC filtering and no security on the 2.4GHz band, I really need to get round to sorting that (some awkward devices to reconfigure), it was down to some ancient webcams that didn't support any form of security but have since stopped using them.
 
