NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
RBRE960 emailing logs has string buffer bug, doesn't send the whole log, doesn't list attacks, etc.
I was doing this on my RBR50 for the last 2.5 years: Every 3am, email me the log. That also resulted in the log getting reset, so every morning I would have a copy of the previous day's log in my ema...
CrimpOn wrote:I, also, have two old RBR50's sending me logs. They send "when the log is full", rather than at a specific time. While I agree that the product should do what it says it will do, I wonder as a diagnostic effort what would happen if your 960 is set to send logs when full. (I have also found it somewhat humorous that email settings fall under Security on the older Orbi, while logs fall under Administration. Same on the 960?)
"When Full" is of limited use for me. I liked waking up and looking at the logs to see how I was being attacked... LOL
Also, while there is a log setting for "Known DoS attacks and port scans" in the log settings, there is also a check box in the WAN Setup page to "Disable Port Scan and DoS Protection". Is there a similar setting on the 960? (Ah, yes. On page 62 of the user manual.)
I checked. The log setting to report is enabled, and the WAN setting to disable is disabled. So, it should work.
CrimpOn wrote:I, also, have two old RBR50's sending me logs. They send "when the log is full", rather than at a specific time. While I agree that the product should do what it says it will do, I wonder as a diagnostic effort what would happen if your 960 is set to send logs when full. (I have also found it somewhat humorous that email settings fall under Security on the older Orbi, while logs fall under Administration. Same on the 960?)
Also, while there is a log setting for "Known DoS attacks and port scans" in the log settings, there is also a check box in the WAN Setup page to "Disable Port Scan and DoS Protection". Is there a similar setting on the 960? (Ah, yes. On page 62 of the user manual.)
I could not help but notice your 960 appears to be connecting to the Internet a lot. All those "internet Conected" followed by "Time Synchronized" entries. Since they all appear in the log, it is clear that the 960 did not reboot (which would clear the log).
Yes, I noticed that, too. RBR50 used to sync time with the NTP server once a day or once per reboot or something like that, and that didn't trigger an "Internet Connected" entry in the log. It seems RBRE960 feels the need to sync the time wayyyyyyy more frequently and a Internet Connected line is written into the log just before that happens. They certainly are not reboots.
While there, let me say that I hate that the log clears at reboot. Yikes! The log leading up to a crash resulting in a reboot is valuable! Like, that is a no brainer. The fact that there isn't the slightest amount of non-volatile memory in this expensive hardware to store the log in a way that is persisted across crashes & reboots, and reported properly is insane!
Tuna
I view "Internet Connected" as the key log entry. There will always be a Time Sync immediately after the internet connection. "Hey, I'm on the internet. Wonder what time it is?" I'd put money on NTP not having anything to do with the Connection happening. There is some other cause. Since I keep all these logs, I just searched. My Orbi put "Internet connected" into the log file on Monday, Dec 13.
My Orbi has been 'up' for 119 days (since Nov 25, 2021) and during that time it has 'connected' to the internet 3-4 times. The last time being Dec 13, 2021. In every case after Nov 25, there was a 'disconnected' message immediately before the 'connected'.
A word about "Full" vs. at a certain time. It is pretty clear that there is a maximum log file size. (Hence the concept "full".) If a log is send once per day, it will be either (a) not completely full yet, or (b) have gone past full and wrapped around, and thus an unknown number of log entries have been written over. Most days, it takes more than 24 hours to fill my log files, so once per day would be convenient. I find several emails, however, that came in less than 24 hours. Since the number of DHCP lease renewals is pretty much constant, the major difference is the number of DoS entries. When some A**H*** out there decides to go fishing, the logs can fill really quickly.
Anyway, the question is more about diagnostics rather than the end goal. If 'when full' actually works, that is a ton better than an email with 9 lines of drivel.
No dice. Since I switched to "email when full" few days back on Friday, just now, this Wednesday 5am, I received my first log email, only containing a whopping 11 lines, from Sunday morning... đ
[DHCP IP: (192.168.1.7)] to MAC address <redacted>, Sunday, Mar 27,2022 06:34:23
[Time synchronized with NTP server] Sunday, Mar 27,2022 06:18:51
[Internet connected] IP address: <redacted>, Sunday, Mar 27,2022 06:18:51
[DHCP IP: (192.168.1.73)] to MAC address <redacted>C, Sunday, Mar 27,2022 06:17:58
[Time synchronized with NTP server] Sunday, Mar 27,2022 05:18:50
[Internet connected] IP address: <redacted>, Sunday, Mar 27,2022 05:18:50
[Time synchronized with NTP server] Sunday, Mar 27,2022 04:48:49
[Internet connected] IP address: <redacted>, Sunday, Mar 27,2022 04:48:49
[DHCP IP: (192.168.1.64)] to MAC address <redacted>, Sunday, Mar 27,2022 04:46:58
[Time synchronized with NTP server] Sunday, Mar 27,2022 03:48:49
[Internet connected] IP address: <redacted>, Sunday, Mar 27,2022 03:48:48The current live log on RBRE960 ranges between:
[Admin login] from source 192.168.1.59, Wednesday, Mar 30,2022 06:50:38
. . . .
[DHCP IP: (192.168.1.12)] to MAC address <redacted, Monday, Mar 28,2022 07:06:17
So, it feels like the router tried to email only entries from Friday through Monday morning, even though it did that on Wednesday morning, but failed to send all of it, yet seemingly still truncated the Fri-to-Mon morning entries from the log, instead of emailing everything properly and resetting the log to empty.
Tuna
Orbi 900 series has not properly E-Mailed router logs since day 1.
Engineers are aware of the issue. Hopefully they are working on it.
