tuna_ertemalp
Mar 25, 2022

RBRE960 emailing logs has string buffer bug, doesn't send the whole log, doesn't list attacks, etc.

I was doing this on my RBR50 for the last 2.5 years: Every 3am, email me the log. That also resulted in the log getting reset, so every morning I would have a copy of the previous day's log in my email. And I saved them in case I had to go back & look at something. And these logs showed an incredible number of entries of attacks coming in and were being deflected by the router.

 

The same option exists on RBRE960 (using the latest FW V6.0.3.85_3.1.15), so I have the same settings for Administration/Logs (including all the checkboxes at the bottom of that page) and Security/E-Mail. Yet, what I get at 3am is just a few lines of the log, like for 3am-6am yesterday morning, not 3am-3am from yesterday to today. Even when I go into the Administration/Logs in the middle of the day right now and hit SEND LOG, I receive these 9 lines:

 

[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 05:18:48
[Time synchronized with NTP server] Friday, Mar 25,2022 04:48:48
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 04:48:48
[Time synchronized with NTP server] Friday, Mar 25,2022 03:48:49
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 03:48:48
[Time synchronized with NTP server] Friday, Mar 25,2022 03:18:49
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 03:18:49
[email sent to: <redacted>] Friday, Mar 25,2022 03:00:07
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 07:05:47

 

For starters, notice how the line I marked in blue is listed way out of time order.

 

Plus, on my screen, I am literally staring at dozens and dozens of log lines since yesterday 3am; here they are, redacted & trimmed:

 

[email sent to: <redacted>] Friday, Mar 25,2022 11:12:38
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 10:57:14
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 10:56:46
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 10:55:28
[Time synchronized with NTP server] Friday, Mar 25,2022 10:48:48
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 10:48:48
. . . . .
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 07:05:54
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 07:05:47
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 07:05:46
. . . . .

[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 06:08:14
[Time synchronized with NTP server] Friday, Mar 25,2022 05:18:48
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 05:18:48
[Time synchronized with NTP server] Friday, Mar 25,2022 04:48:48
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 04:48:48
[Time synchronized with NTP server] Friday, Mar 25,2022 03:48:49
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 03:48:48
[Time synchronized with NTP server] Friday, Mar 25,2022 03:18:49
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 03:18:49
[email sent to: <redacted>] Friday, Mar 25,2022 03:00:07

 

I highlighted in red/blue the 9 lines that SEND LOG decided to send me. Notice how few they are AND how the one blue random line from the middle of the actual log is added to the end of the emailed log, completely out of time order.

 

This definitely looks like a bad bug with handling string buffers during log emailing. I hope nobody can use it to attack the router.

 

Additionally, as I mentioned, RBR50 logs had a huge number of attacks listed in the log. I am not seeing any such log entry on RBRE960 logs despite having checked the box to include "Known DoS attacks and Port Scans" along with all the other checkboxes. I wonder if that (or all) checkbox(es) isn't (aren't) respected properly. Or, if my 30-day free trial of ORBI Armor is filtering them out without letting them get into the logs... Either of these is not good. Router logs should have all things that happened that the user wants/needs to see.

 

In general, logging on a router should work, especially at this price point. This is something that needs to be fixed in a future FW drop. Who needs to hear this directly?

 

Thanks

Tuna
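Added example, not part of the original post and not NETGEAR code: one way to check an emailed log against the web UI view automatically, flagging entries that break the newest-first order and entries the mail dropped. The entry layout is inferred from the excerpts above; `EMAILED` is the 9 lines quoted in the post, `SCREEN` is a trimmed subset of the on-screen log, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Entry layout as shown in the post: "[event] detail, Weekday, Mon DD,YYYY HH:MM:SS"
TS = re.compile(r"^\[.+\].*?(\w+day, \w{3} \d{1,2},\d{4} \d\d:\d\d:\d\d)\s*$")

def parse_log(text):
    """Return (timestamp, line) pairs; lines that are not entries (e.g. '. . .') are skipped."""
    out = []
    for line in map(str.strip, text.splitlines()):
        m = TS.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%A, %b %d,%Y %H:%M:%S"), line))
    return out

def out_of_order(entries):
    """The log is newest-first, so an entry newer than the one above it is misplaced."""
    return [cur for prev, cur in zip(entries, entries[1:]) if cur[0] > prev[0]]

def missing_from_email(screen, emailed):
    """Entries shown in the web UI but absent from the mail (multiset difference)."""
    return list((Counter(l for _, l in screen) - Counter(l for _, l in emailed)).elements())

# The 9 emailed lines quoted in the post (already redacted there).
EMAILED = """[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 05:18:48
[Time synchronized with NTP server] Friday, Mar 25,2022 04:48:48
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 04:48:48
[Time synchronized with NTP server] Friday, Mar 25,2022 03:48:49
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 03:48:48
[Time synchronized with NTP server] Friday, Mar 25,2022 03:18:49
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 03:18:49
[email sent to: <redacted>] Friday, Mar 25,2022 03:00:07
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 07:05:47"""
# Trimmed subset of the on-screen log from the post (sample, not the full log).
SCREEN = """[email sent to: <redacted>] Friday, Mar 25,2022 11:12:38
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 07:05:54
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 07:05:47
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 07:05:46
[DHCP IP: (<redacted>)] to MAC address <redacted>, Friday, Mar 25,2022 06:08:14
[Time synchronized with NTP server] Friday, Mar 25,2022 05:18:48
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 05:18:48
[Time synchronized with NTP server] Friday, Mar 25,2022 04:48:48
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 04:48:48
[Time synchronized with NTP server] Friday, Mar 25,2022 03:48:49
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 03:48:48
[Time synchronized with NTP server] Friday, Mar 25,2022 03:18:49
[Internet connected] IP address: <redacted>, Friday, Mar 25,2022 03:18:49
[email sent to: <redacted>] Friday, Mar 25,2022 03:00:07"""
```

Because the excerpts are redacted, lines are compared as whole strings; on unredacted logs the same comparison also catches entries that differ only in address.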

 

22 Replies

  • When I edit this post, everything looks beautiful in their colors & fonts, but not when posted, at least not for me. I am sorry. Don't know how to fix that. But the content stands, even if it is hard to read...

     

    Tuna

     

  • I, also, have two old RBR50's sending me logs.  They send "when the log is full", rather than at a specific time.  While I agree that the product should do what it says it will do, I wonder as a diagnostic effort what would happen if your 960 is set to send logs when full. (I have also found it somewhat humorous that email settings fall under Security on the older Orbi, while logs fall under Administration.  Same on the 960?)

     

    Also, while there is a log setting for "Known DoS attacks and port scans" in the log settings, there is also a check box in the WAN Setup page to "Disable Port Scan and DoS Protection".  Is there a similar setting on the 960?  (Ah, yes. On page 62 of the user manual.)

     

     I could not help but notice your 960 appears to be connecting to the Internet a lot. All those "Internet Connected" followed by "Time Synchronized" entries.  Since they all appear in the log, it is clear that the 960 did not reboot (which would clear the log).

     

    • TC_in_Montana
      Virtuoso

      tuna_ertemalp 

       

      Scheduled and on-demand E-Mailing of router logs has been an issue on Netgear products since some of the first AX capable devices.

       

      I have the same issue on my 960 and have had the same issue in regards to this since day 1.   Some days I get 1 line, some days I get 20 lines, and they are always from the earliest entry forward, except that the latest entry it decides to actually include in the mail on that run is listed last.

       

      Some days the router logs clear after mailing, some days they do not.  It's all a crapshoot.

       

      I hate to say this, but if nothing else, I am brutally honest.   Do not expect consistent and complete router logs through the automated mailing process - at least for now.   Hopefully it is something being worked on, and will be corrected in a future firmware update.

       

       

    • tuna_ertemalp
      Luminary

      CrimpOn 

       


      CrimpOn wrote:

      I, also, have two old RBR50's sending me logs.  They send "when the log is full", rather than at a specific time.  While I agree that the product should do what it says it will do, I wonder as a diagnostic effort what would happen if your 960 is set to send logs when full. (I have also found it somewhat humorous that email settings fall under Security on the older Orbi, while logs fall under Administration.  Same on the 960?)

      "When Full" is of limited use for me. I liked waking up and looking at the logs to see how I was being attacked... LOL

       


      Also, while there is a log setting for "Known DoS attacks and port scans" in the log settings, there is also a check box in the WAN Setup page to "Disable Port Scan and DoS Protection".  Is there a similar setting on the 960?  (Ah, yes. On page 62 of the user manual.)

      I checked. The log setting to report is enabled, and the WAN setting to disable is disabled. So, it should work.

       


      CrimpOn wrote:


       I could not help but notice your 960 appears to be connecting to the Internet a lot. All those "Internet Connected" followed by "Time Synchronized" entries.  Since they all appear in the log, it is clear that the 960 did not reboot (which would clear the log).

       


      Yes, I noticed that, too. RBR50 used to sync time with the NTP server once a day or once per reboot or something like that, and that didn't trigger an "Internet Connected" entry in the log. It seems RBRE960 feels the need to sync the time wayyyyyyy more frequently and an Internet Connected line is written into the log just before that happens. They certainly are not reboots.

       

      While there, let me say that I hate that the log clears at reboot. Yikes! The log leading up to a crash resulting in a reboot is valuable! Like, that is a no brainer. The fact that there isn't the slightest amount of non-volatile memory in this expensive hardware to store the log in a way that is persisted across crashes & reboots, and reported properly is insane!

       

      Tuna

       

       

       

      • CrimpOn
        Guru

        I view "Internet Connected" as the key log entry.  There will always be a Time Sync immediately after the internet connection.  "Hey, I'm on the internet.  Wonder what time it is?"  I'd put money on NTP not having anything to do with the Connection happening.  There is some other cause.  Since I keep all these logs, I just searched.  My Orbi put "Internet connected" into the log file on Monday, Dec 13.

         

        My Orbi has been 'up' for 119 days (since Nov 25, 2021) and during that time it has 'connected' to the internet 3-4 times. The last time being Dec 13, 2021.  In every case after Nov 25, there was a 'disconnected' message immediately before the 'connected'.

         

        A word about "Full" vs. at a certain time.  It is pretty clear that there is a maximum log file size. (Hence the concept "full".)  If a log is sent once per day, it will be either (a) not completely full yet, or (b) have gone past full and wrapped around, and thus an unknown number of log entries have been written over.  Most days, it takes more than 24 hours to fill my log files, so once per day would be convenient. I find several emails, however, that came in less than 24 hours.  Since the number of DHCP lease renewals is pretty much constant, the major difference is the number of DoS entries.  When some A**H*** out there decides to go fishing, the logs can fill really quickly.

         

        Anyway, the question is more about diagnostics rather than the end goal.  If 'when full' actually works, that is a ton better than an email with 9 lines of drivel.


  • tuna_ertemalp wrote:

    In general, logging on a router should work, especially at this price point. This is something that needs to be fixed in a future FW drop. Who needs to hear this directly?

     


    Consider filing a Netgear Support request, not posting in the community forum, if you feel that Netgear engineering needs to know about or fix something for you.  If you purchased your AXE router within the last 90 days then you have technical support available at https://my.netgear.com/home.aspx