System Log

Logi

Every time I check the System Log I always find the same messages (many more, I just copied 3 of them). Is this normal behavior? I am running the latest Merlin FW 380.58. Thanks.

Mar 26 08:20:34 kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:mm:nn SRC=xxx.yyy.zzz.www DST=xxx.yyy.zzz.www LEN=115 TOS=0x00 PREC=0x20 TTL=56 ID=7219 PROTO=TCP SPT=443 DPT=62156 SEQ= ACK= WINDOW=430 RES=0x00 ACK PSH URGP=0 OPT ()

Mar 26 08:20:35 kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:mm:nn SRC=xxx.yyy.zzz.www DST=xxx.yyy.zzz.www LEN=115 TOS=0x00 PREC=0x20 TTL=58 ID=56104 PROTO=TCP SPT=443 DPT=62070 SEQ= ACK= WINDOW=363 RES=0x00 ACK PSH URGP=0 OPT ()

Mar 26 08:20:35 kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:ll:mm:nn SRC=xxx.yyy.zzz.www DST=xxx.yyy.zzz.www LEN=108 TOS=0x00 PREC=0x20 TTL=51 ID=901 PROTO=UDP SPT=4500 DPT=1024 LEN=88


NOTE: I have replaced the SRC, DST and MAC data with dummy information.
 
It looks like it's related to the firewall, but I'm not sure.

Have you tried to hide them until someone has a better answer?
http://192.168.1.1/Advanced_DHCP_Content.asp

Hide DHCP/RA queries

It helped, now I am getting much less, but I am still seeing multiple messages many times every minute:

Mar 26 17:29:16 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:29:23 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:33:30 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:33:58 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:34:01 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:35:23 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:35:58 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:36:55 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:36:59 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:37:01 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:37:05 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:37:11 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:37:28 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:39:47 kernel: DROP IN=eth0 OUT= MAC=
Mar 26 17:40:09 kernel: DROP IN=eth0 OUT= MAC=
 
What is the value of SRC=xxx.yyy.zzz.www?

It looks like you are being scanned from outside which is quite normal. Probably China or Shodan.

It also looks like you have enabled logging of dropped packets (Firewall - General > Logged packets type).

Have you enabled Web or SSH access from the WAN (Administration > System)?
 
Both SSH and WAN access are Disabled.

What should be the correct (default) value for Logging Dropped Packets?

Some of the SRC addresses are:
- 216.58.216.110
- 216.58.192.174
- 208.54.73.77
- 17.110.227.101
- 17.143.163.228
- 17.143.164.81
- 172.217.3.78
- 17.143.163.228
- 17.143.164.81
- 190.166.17.119
- 93.174.93.50
- 108.168.169.76

Any comment or advice is welcome, thanks.
 
We'd have to see the complete unedited log entries to have a complete understanding. But it just looks like the normal internet "noise". I wouldn't worry about it as you haven't opened any services to the WAN.

Change "Logged packets type" to None, otherwise you can expect your syslog to be full of this "noise".

17.110.227.101 Apple Inc
17.143.163.228 Apple Inc
17.143.164.81 Apple Inc
93.174.93.50 Quasi Networks LTD
108.168.169.76 John W, 185 Madison Avenue
172.217.3.78 Google Inc
190.166.17.119 CODETEL.NET.DO
208.54.73.77 T-Mobile USA
216.58.216.110 Google Inc
216.58.192.174 Google Inc
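
An added example (not part of any post in this thread, and not firmware code): a small Python parser for the `kernel: DROP` lines quoted above that tallies dropped packets by source, protocol and destination port, so a reader can see what the "noise" consists of before turning logging off. The sample lines, the addresses in them and the classification labels are constructed assumptions of this example.

```python
from collections import Counter

# Constructed sample lines in the thread's log format (documentation IPs, dummy MAC).
SAMPLE_LOG = """\
Mar 26 08:20:34 kernel: DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=192.0.2.10 DST=198.51.100.7 LEN=115 TOS=0x00 PREC=0x20 TTL=56 ID=7219 PROTO=TCP SPT=443 DPT=62156 SEQ= ACK= WINDOW=430 RES=0x00 ACK PSH URGP=0 OPT ()
Mar 26 08:20:35 kernel: DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.50 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=51234 DPT=23 SEQ= ACK= WINDOW=1024 RES=0x00 SYN URGP=0 OPT ()
Mar 26 08:20:36 kernel: DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=203.0.113.50 DST=198.51.100.7 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=51235 DPT=23 SEQ= ACK= WINDOW=1024 RES=0x00 SYN URGP=0 OPT ()
Mar 26 08:20:37 kernel: DROP IN=eth0 OUT= MAC=00:00:5e:00:53:01 SRC=192.0.2.20 DST=198.51.100.7 LEN=108 TOS=0x00 PREC=0x20 TTL=51 ID=901 PROTO=UDP SPT=4500 DPT=1024 LEN=88
Mar 26 17:29:16 kernel: DROP IN=eth0 OUT= MAC=
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

def parse_drop(line):
    """Parse one 'kernel: DROP' entry into a field dict; None for other lines."""
    marker = " kernel: DROP "
    if marker not in line:
        return None
    tokens = line.split(marker, 1)[1].split()
    fields = {}
    for tok in tokens:
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)  # first LEN wins on UDP lines (two LEN fields)
    # Bare tokens such as "ACK PSH" are TCP flags; "ACK=" is the ack-number field.
    fields["FLAGS"] = {t for t in tokens if t in TCP_FLAGS}
    return fields

def classify(pkt):
    """Heuristic label, an assumption of this example rather than router output."""
    flags = pkt["FLAGS"]
    if pkt.get("PROTO") != "TCP":
        return "other"
    if "SYN" in flags and "ACK" not in flags:
        return "unsolicited-syn"   # new inbound connection attempt
    if flags & {"ACK", "FIN", "RST"}:
        return "no-state-segment"  # often a late reply to an already-closed outbound flow
    return "other"

def summarize(log_text):
    """Count dropped packets per (label, SRC, PROTO, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        pkt = parse_drop(line)
        if pkt is None or "SRC" not in pkt:
            continue  # not a DROP entry, or truncated before SRC=
        key = (classify(pkt), pkt["SRC"], pkt.get("PROTO", "?"), pkt.get("DPT", "-"))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Entries truncated before `SRC=`, like the shortened lines posted earlier in the thread, are skipped rather than counted.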
 
Thank you very much, the "internet noise" is gone after setting the log to NONE.
 
