phirestalker
May 27, 2022 Tutor
WAX610 how to send hostname with syslog
I am trying to gather all of my network logs into graylog. It is expecting each sender to include the hostname. Every other device seems to do this as it is apparently standard. How can I get the WAX...
phirestalker
May 28, 2022 Tutor
Thank you for the informative reply. I forgot to mention that graylog thinks configd[some number] is the hostname being sent since it is the first field I guess.
I use a public domain for a server I am running. I wonder if I could safely set a domain name in my cheap a$$ router for the local domain without messing that up.
I am upgrading my network backwards. First the wireless, then the switch, and then a server (still waiting to upgrade the router). Although, in my defense it was much cheaper to upgrade those components than it will be to build a new router.
Anyway thanks again.
schumaku
May 28, 2022 Guru - Experienced User
phirestalker wrote:
I forgot to mention that graylog thinks configd[some number] is the hostname being sent since it is the first field I guess.
Guessing isn't a good advisor here - as there is definitively something wrong with this syslog app, its config, or whatever. Check the native syslog information sent from the devices, here a handful of examples, just copy-pasted a random selection of syslog messages collected, as a "complete" data feed on a much more advanced syslog application allowing to capture even the unexpected where the collector/filter/notification/whatever system might struggle. All entries show the IP addresses as part of the header for each record:
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: opening hostwdog message queue failed, will try opening again
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: Locking client list
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: Client list locked
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: Unlocking client list
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: Client list unlocked
<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: opening hostwdog message queue failed, will try opening again
<15>1 2022-05-28T14:42:20+02:00 10.10.1.182 configd 3925 - - configd[3925]: [rogue_ap_scan_5g] scan-threshold : 180 | scan-count : 166 | flush-threshold : 2 | flush-count: 2 | initialise-scan : -1 | init_scan = 1 | g_rogueap_enabled_5g = 1 | g_rogueap_policy_t_5g = 1800
<15>1 2022-05-28T14:42:20+02:00 10.10.1.182 configd 3925 - - configd[3925]: [rogue_ap_scan_2g] scan-threshold : 30 | scan-count : 17 | flush-threshold : 2 | flush-count: 1 | initialise-scan : -1 | init_scan = 1 | g_rogueap_enabled_2g = 1 | g_rogueap_policy_t_2g = 1800
<190>1 2022-05-28T14:42:20.755396+02:00 10.10.1.50 - - - 2022-05-28T14:42:20.267+2:00Z: %10.10.1.50-1 STP-6-EDGEPORT proto_stp.c(677): BPDU is received on port XGigabitEthernet9 which is configured as the edge port
<31>1 2022-05-28T14:42:21+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: opening hostwdog message queue failed, will try opening again
<191>1 2022-05-28T14:42:20.996389+02:00 10.10.1.50 - - - 2022-05-28T14:42:20.507+2:00Z: %10.10.1.50-1 discAgent-7 nal_logging.c(39): cloud operation mode:0
<30>1 2022-05-28T14:42:21+02:00 10.10.1.189 udhcpc 9216 - - udhcpc[9216]: broadcasting discover#012
<31>1 2022-05-28T14:42:22+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: opening hostwdog message queue failed, will try opening again
<31>1 2022-05-28T14:42:22+02:00 10.10.1.186 wifidog 21663 - - wifidog[21663]: Locking client list
<31>1 2022-05-28T14:42:22+02:00 10.10.1.186 wifidog 21663 - - wifidog[21663]: Client list locked
phirestalker wrote:
I use a public domain for a server I am running. I wonder if I could safely set a domain name in my cheap a$$ router for the local domain without messing that up.
There is nothing impossible, you are free to configure a fully featured DNS server, taking care of any kind of local private or public domain, taking care of all VLANs and IP subnets, providing A and AAA, providing PTR, ... configure all your computers/clients for adding the local domains to a search path, so you can resolve hostname (just the name), a FQDN, to the IP address, and then you can configure every WAX6xx with a fully blown FQDN, and IP address reverse resolve to the IP address, ... The first thing I would strongly suggest is adding IP address reservations for each device MAC address, so the DHCP does always hand out the same IP address to the same device.
However, keep in mind you might need redundancy, if this nice DNS infrastructure does fail one day, you need at least a second and probably a third service, not difficult, but it must be done with replication et al. Of course, you could also populate all your computers with hosts files holding FQDNs - yet another never ending effort (depreciated in fact, but a last resolve if you are really keen to force the Web UI be called by that FQDN again, as IP does no longer work then).
phirestalker wrote:
I am upgrading my network backwards. First the wireless, then the switch, and then a server (still waiting to upgrade the router). Although, in my defense it was much cheaper to upgrade those components than it will be to build a new router.
Nothing wrong with that. First you need connectivity, read switching, power like PoE(+), wireless APs, ... then are the needs for a router with multiple VLANs, probably built-in DNS capabilities, ... The day you have the infrastructure ready for handling DNS for your VLANs, start to configure it.
- phirestalker May 28, 2022 Tutor
Ya, my WAX610 does not look like that.
Copied from logs page in web interface (cherry picked):
May 28 07:57:00 configd[3194]: Observed Active traffic on wifi1 radio
May 28 07:54:02 hostapd: wifi1vap1: STA [redacted] WPA: pairwise key handshake completed (RSN)
May 28 07:57:29 : Failed to get the accounttype [101] [no more rows available]
None of them have the IP or hostname in them, and this is exactly how graylog shows the message is received. This is why I posted here, as it seems to be neglecting to send the ip or hostname. Is there a tool I can use to collect the logs temporarily that will not mangle the raw data sent? Or should I just set up wireguard between the unit and graylog?
UPDATE:
I just gave the two "rogue" netgear devices their own syslog port so I can filter them properly.
Also, I just discovered that it is only sending limited logs to the remote syslog server. I only see entries from configd and none of the other daemons. How can I make it forward all log messages over syslog?
- phirestalker May 28, 2022 Tutor
Ugh, graylog truncated the search results. I am getting all the logs. Thanks for your help.
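Added example, not part of the thread and not Graylog or NETGEAR code: a small parser showing why a BSD-style line with no HOSTNAME field gets its tag ("configd[3194]:") read as the hostname, and how a collector can fall back to the packet's source IP instead. It assumes the WAX610 sends the web-UI lines as shown with a `<PRI>` prefix; the `<15>` value, the 192.0.2.10 sender address and the name `parse_syslog` are constructed for illustration.

```python
import re

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
RFC5424 = re.compile(r"<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)", re.S)
# BSD (RFC 3164) header: <PRI>Mmm dd hh:mm:ss [HOSTNAME] TAG: message
BSD = re.compile(r"<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (.*)", re.S)


def parse_syslog(raw: bytes, sender_ip: str) -> dict:
    """Parse one datagram; use the packet's source IP when HOSTNAME is absent."""
    text = raw.decode("utf-8", "replace").rstrip("\r\n\x00")
    rec = {"raw": text, "source": sender_ip, "host_in_msg": False, "app": None}
    m = RFC5424.fullmatch(text)
    if m:
        pri, _ts, host, app, _procid, _msgid, rest = m.groups()
        rec.update(format="rfc5424", app=app, msg=rest)
        if host != "-":  # "-" is the RFC 5424 NILVALUE
            rec.update(source=host, host_in_msg=True)
    else:
        m = BSD.fullmatch(text)
        if not m:
            rec.update(format="unknown", msg=text)
            return rec
        pri, _ts, rest = m.groups()
        first, _, remainder = rest.partition(" ")
        if first.endswith(":"):
            # Heuristic: the first token is already the TAG, so the sender
            # skipped HOSTNAME. Do not promote the tag to a hostname.
            rec.update(format="bsd-no-host", app=first.rstrip(":"), msg=remainder)
        else:
            rec.update(format="bsd", source=first, host_in_msg=True, msg=remainder)
    rec["facility"], rec["severity"] = divmod(int(pri), 8)
    return rec


# Constructed samples: the first is an RFC 5424 line quoted in the thread;
# the others are the WAX610 web-UI lines with an assumed <15> PRI prepended.
SAMPLES = [
    (b"<31>1 2022-05-28T14:42:20+02:00 10.10.1.184 wifidog 779 - - wifidog[779]: Locking client list", "10.10.1.184"),
    (b"<15>May 28 07:57:00 configd[3194]: Observed Active traffic on wifi1 radio", "192.0.2.10"),
    (b"<15>May 28 07:57:29 : Failed to get the accounttype [101] [no more rows available]", "192.0.2.10"),
]

if __name__ == "__main__":
    for raw, ip in SAMPLES:
        r = parse_syslog(raw, ip)
        print(r["format"], r["source"], r["host_in_msg"], r["app"])
```

The two arguments match what `socket.recvfrom()` returns on a UDP listener (payload bytes and sender address), so the same function can label unmodified datagrams as they arrive.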