tuna_ertemalp
Mar 25, 2022, Luminary
RBRE960 emailing logs has string buffer bug, doesn't send the whole log, doesn't list attacks, etc.
I was doing this on my RBR50 for the last 2.5 years: Every 3am, email me the log. That also resulted in the log getting reset, so every morning I would have a copy of the previous day's log in my ema...
CrimpOn
Mar 25, 2022, Guru
I, also, have two old RBR50's sending me logs. They send "when the log is full", rather than at a specific time. While I agree that the product should do what it says it will do, I wonder as a diagnostic effort what would happen if your 960 is set to send logs when full. (I have also found it somewhat humorous that email settings fall under Security on the older Orbi, while logs fall under Administration. Same on the 960?)
Also, while there is a log setting for "Known DoS attacks and port scans" in the log settings, there is also a check box in the WAN Setup page to "Disable Port Scan and DoS Protection". Is there a similar setting on the 960? (Ah, yes. On page 62 of the user manual.)
I could not help but notice your 960 appears to be connecting to the Internet a lot. All those "internet Connected" followed by "Time Synchronized" entries. Since they all appear in the log, it is clear that the 960 did not reboot (which would clear the log).
- TC_in_Montana, Mar 25, 2022, Virtuoso
Scheduled and on-demand E-Mailing of router logs has been an issue on Netgear products since some of the first AX capable devices.
I have the same issue on my 960 and have had the same issue in regards to this since day 1. Some days I get 1 line, some days I get 20 lines, and they are always from the earliest entry forward, except that the latest entry it decides to actually include in the mail on that run is listed last.
Some days the router logs clear after mailing, some days they do not. It's all a crapshoot.
I hate to say this, but if nothing else, I am brutally honest. Do not expect consistent and complete router logs through the automated mailing process - at least for now. Hopefully it is something being worked on, and will be corrected in a future firmware update.
- tuna_ertemalp, Mar 25, 2022, Luminary
CrimpOn wrote: I, also, have two old RBR50's sending me logs. They send "when the log is full", rather than at a specific time. While I agree that the product should do what it says it will do, I wonder as a diagnostic effort what would happen if your 960 is set to send logs when full. (I have also found it somewhat humorous that email settings fall under Security on the older Orbi, while logs fall under Administration. Same on the 960?)
"When Full" is of limited use for me. I liked waking up and looking at the logs to see how I was being attacked... LOL
CrimpOn wrote: Also, while there is a log setting for "Known DoS attacks and port scans" in the log settings, there is also a check box in the WAN Setup page to "Disable Port Scan and DoS Protection". Is there a similar setting on the 960? (Ah, yes. On page 62 of the user manual.)
I checked. The log setting to report is enabled, and the WAN setting to disable is disabled. So, it should work.
CrimpOn wrote: I could not help but notice your 960 appears to be connecting to the Internet a lot. All those "internet Connected" followed by "Time Synchronized" entries. Since they all appear in the log, it is clear that the 960 did not reboot (which would clear the log).
Yes, I noticed that, too. RBR50 used to sync time with the NTP server once a day or once per reboot or something like that, and that didn't trigger an "Internet Connected" entry in the log. It seems RBRE960 feels the need to sync the time wayyyyyyy more frequently and an Internet Connected line is written into the log just before that happens. They certainly are not reboots.
While there, let me say that I hate that the log clears at reboot. Yikes! The log leading up to a crash resulting in a reboot is valuable! Like, that is a no brainer. The fact that there isn't the slightest amount of non-volatile memory in this expensive hardware to store the log in a way that is persisted across crashes & reboots, and reported properly is insane!
Tuna
- CrimpOn, Mar 25, 2022, Guru
I view "Internet Connected" as the key log entry. There will always be a Time Sync immediately after the internet connection. "Hey, I'm on the internet. Wonder what time it is?" I'd put money on NTP not having anything to do with the Connection happening. There is some other cause. Since I keep all these logs, I just searched. My Orbi put "Internet connected" into the log file on Monday, Dec 13.
My Orbi has been 'up' for 119 days (since Nov 25, 2021) and during that time it has 'connected' to the internet 3-4 times. The last time being Dec 13, 2021. In every case after Nov 25, there was a 'disconnected' message immediately before the 'connected'.
A word about "Full" vs. at a certain time. It is pretty clear that there is a maximum log file size. (Hence the concept "full".) If a log is sent once per day, it will be either (a) not completely full yet, or (b) have gone past full and wrapped around, and thus an unknown number of log entries have been written over. Most days, it takes more than 24 hours to fill my log files, so once per day would be convenient. I find several emails, however, that came in less than 24 hours. Since the number of DHCP lease renewals is pretty much constant, the major difference is the number of DoS entries. When some A**H*** out there decides to go fishing, the logs can fill really quickly.
Anyway, the question is more about diagnostics rather than the end goal. If 'when full' actually works, that is a ton better than an email with 9 lines of drivel.
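The checks discussed in this reply (connects with no preceding disconnect, how many entries of each kind a mail contains, and how much time a log covers) can be run over saved log emails. This is an added example, not code from the thread or from NETGEAR; the line layout, event names and sample entries are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample. The "[event] detail, Weekday, Mon DD, YYYY HH:MM:SS"
# layout is an assumption about the emailed log, not copied from the thread.
SAMPLE_LOG = """\
[Time synchronized with NTP server] Friday, Mar 25, 2022 09:14:07
[Internet connected] IP address: 203.0.113.7, Friday, Mar 25, 2022 09:14:05
[DoS Attack: SYN/ACK Scan] from source: 198.51.100.23, port 443, Friday, Mar 25, 2022 08:02:11
[Internet connected] IP address: 203.0.113.7, Friday, Mar 25, 2022 06:30:41
[Internet disconnected] Friday, Mar 25, 2022 06:30:12
[DHCP IP: 192.168.1.20] to MAC address 02:00:00:00:00:01, Friday, Mar 25, 2022 05:00:00
"""

LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\]\s*(?P<detail>.*?),?\s*"
    r"(?P<ts>\w+, \w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})$"
)

def parse(text):
    """Return (timestamp, event, detail) tuples in chronological order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip mail headers, blank lines and anything unparseable
            ts = datetime.strptime(m["ts"], "%A, %b %d, %Y %H:%M:%S")
            entries.append((ts, m["event"], m["detail"]))
    return sorted(entries, key=lambda e: e[0])

def unexplained_connects(entries):
    """Connects whose preceding entry is missing or is not a disconnect."""
    return [
        cur[0] for prev, cur in zip([None] + entries, entries)
        if cur[1] == "Internet connected"
        and (prev is None or prev[1] != "Internet disconnected")
    ]

def summarize(entries):
    """Count entries per category and report the time span the log covers."""
    counts = Counter(event.split(":")[0] for _, event, _ in entries)
    span = entries[-1][0] - entries[0][0] if entries else None
    return counts, span

if __name__ == "__main__":
    log = parse(SAMPLE_LOG)
    counts, span = summarize(log)
    print(dict(counts), "covering", span)
    print("connects without a prior disconnect:", unexplained_connects(log))
```

A span well under 24 hours, or a zero count for a category that is enabled in the log settings, marks a mail worth comparing against the log shown in the router's web interface.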
- tuna_ertemalp, Mar 25, 2022, Luminary