iptables log entries truncated

gofaster
DD-WRT Novice


Joined: 20 Nov 2010
Posts: 1

Posted: Sat Nov 20, 2010 19:09    Post subject: iptables log entries truncated
I had been running "DD-WRT v24-sp2 (10/10/09) vpn" for a while on a wrt54gl v1.1. It was stable and worked well for me.

Recently I decided to log certain dropped packets from iptables to a remote syslogd host. I noticed that longer log messages were truncated to 256 characters. Checking the forum threads and wiki indicated that I should not have been running this build as was recommended by the router database. So I reflashed to Eko's "dd-wrt.v24-15230_NEWD_std-nokaid_nohotspot_nostor.bin" build, hoping that the log truncation would be fixed too. No luck.

Here are some examples. Certain IP addresses have been obfuscated.
Code:

Nov 20 13:06:33 wrt54gl kernel: DROP IN=vlan1 OUT= MAC=00:25:9c:28:69:be:00:24:c4:27:b6:e2:08:00:45:20:00:28 SRC=72.14.213.109 DST=71.234.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=47 ID=57910 PROTO=TCP SPT=993 DPT=49865 SEQ=917032339 ACK=0 WINDOW=0 RES=0x00 RST UR

Nov 20 13:06:33 wrt54gl kernel: DROP IN=vlan1 OUT= MAC=00:25:9c:28:69:be:00:24:c4:27:b6:e2:08:00:45:20:00:28 SRC=72.14.213.109 DST=71.234.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=47 ID=16451 PROTO=TCP SPT=993 DPT=49877 SEQ=2874908834 ACK=0 WINDOW=0 RES=0x00 RST U

Nov 20 13:25:57 wrt54gl kernel: DROP IN=vlan1 OUT= MAC=00:25:9c:28:69:be:00:24:c4:27:b6:e2:08:00:45:20:00:30 SRC=85.14.94.154 DST=71.234.xxx.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=114 ID=64354 DF PROTO=TCP SPT=3426 DPT=19979 SEQ=2540263093 ACK=0 WINDOW=16384 RES=0x


If the above code block had been displayed in a proportional font, the truncation is obvious at a glance.

And the corresponding tcpdump captures to verify it's not the syslog host that's truncating.

Code:

13:06:32.062456 00:25:9c:28:69:bd (oui Unknown) > 00:01:2e:27:4b:f8 (oui Unknown), ethertype IPv4 (0x0800), length 298: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 284)
    wrt54gl.2061 > rhost.syslog: SYSLOG, length: 256
   Facility user (1), Severity warning (4)
   Msg: Nov 20 13:06:33 kernel: DROP IN=vlan1 OUT= MAC=00:25:9c:28:69:be:00:24:c4:27:b6:e2:08:00:45:20:00:28 SRC=72.14.213.109 DST=71.234.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=47 ID=57910 PROTO=TCP SPT=993 DPT=49865 SEQ=917032339 ACK=0 WINDOW=0 RES=0x00 RST UR\0x0a
....U.<12>Nov 20 13:06:33 kernel: DROP IN=vlan1 OUT= MAC=00:25:9c:28:69:be:00:24:c4:27:b6:e2:08:00:45:20:00:28 SRC=72.14.213.109 DST=71.234.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=47 ID=57910 PROTO=TCP SPT=993 DPT=49865 SEQ=917032339 ACK=0 WINDOW=0 RES=0x00 RST UR

13:06:32.062744 00:25:9c:28:69:bd (oui Unknown) > 00:01:2e:27:4b:f8 (oui Unknown), ethertype IPv4 (0x0800), length 298: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 284)
    wrt54gl.2061 > rhost.syslog: SYSLOG, length: 256
   Facility user (1), Severity warning (4)
   Msg: Nov 20 13:06:33 kernel: DROP IN=vlan1 OUT= MAC=00:25:9c:28:69:be:00:24:c4:27:b6:e2:08:00:45:20:00:28 SRC=72.14.213.109 DST=71.234.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=47 ID=16451 PROTO=TCP SPT=993 DPT=49877 SEQ=2874908834 ACK=0 WINDOW=0 RES=0x00 RST U\0x0a
......<12>Nov 20 13:06:33 kernel: DROP IN=vlan1 OUT= MAC=00:25:9c:28:69:be:00:24:c4:27:b6:e2:08:00:45:20:00:28 SRC=72.14.213.109 DST=71.234.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=47 ID=16451 PROTO=TCP SPT=993 DPT=49877 SEQ=2874908834 ACK=0 WINDOW=0 RES=0x00 RST U

13:25:55.314227 00:25:9c:28:69:bd (oui Unknown) > 00:01:2e:27:4b:f8 (oui Unknown), ethertype IPv4 (0x0800), length 298: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 284)
    wrt54gl.2061 > rhost.syslog: SYSLOG, length: 256
   Facility user (1), Severity warning (4)
   Msg: Nov 20 13:25:57 kernel: DROP IN=vlan1 OUT= MAC=00:25:9c:28:69:be:00:24:c4:27:b6:e2:08:00:45:20:00:30 SRC=85.14.94.154 DST=71.234.xxx.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=114 ID=64354 DF PROTO=TCP SPT=3426 DPT=19979 SEQ=2540263093 ACK=0 WINDOW=16384 RES=0x\0x0a
.....!<12>Nov 20 13:25:57 kernel: DROP IN=vlan1 OUT= MAC=00:25:9c:28:69:be:00:24:c4:27:b6:e2:08:00:45:20:00:30 SRC=85.14.94.154 DST=71.234.xxx.xxx LEN=48 TOS=0x00 PREC=0x20 TTL=114 ID=64354 DF PROTO=TCP SPT=3426 DPT=19979 SEQ=2540263093 ACK=0 WINDOW=16384 RES=0x


wrt54gl log settings, configured via webGUI
Code:

root@wrt54gl:~# nvram show|grep log
zebra_log=0
log_ipaddr=0
syslogd_rem_ip=192.168.xxx.xxx
log_accepted=0
log_dropped=1
log_level=2
syslogd_enable=1
log_enable=1



I've searched this forum, the wiki and Google'd but have not found any other reports of this. I would appreciate any pointers.

The upgrade to the Eko build was done per the peacock thread. 30-30-30, upgrade-wait 5mins, 30-30-30, manually reconfigure settings. This build seems to be working well so far too.
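
A collector-side check for the symptom reported above, as an added example that is not part of the original thread: it flags netfilter LOG syslog payloads that reach the 256-byte size seen in the tcpdump capture, end in a partial token, or are TCP entries missing the closing URGP= field. The function names, the sample lines (documentation addresses) and the 29-character log prefix are constructed for illustration.

```python
import re
from string import hexdigits

SYSLOG_LIMIT = 256  # payload size tcpdump reports for every truncated entry above
FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN", "DF", "MF", "CE"}

def token_complete(tok: str) -> bool:
    """True if tok is a whole netfilter LOG token (a flag or KEY=VALUE)."""
    if tok in FLAGS:
        return True
    key, sep, val = tok.partition("=")
    if not sep or not key.isupper():
        return False                      # e.g. "UR" or "U" cut out of "URGP=0"
    if val.startswith("0x"):              # hex fields need at least one digit
        return len(val) > 2 and all(c in hexdigits for c in val[2:])
    return True

def check_entry(payload: bytes, limit: int = SYSLOG_LIMIT) -> list:
    """Return the reasons a netfilter LOG syslog payload looks truncated."""
    reasons = []
    if len(payload) >= limit:
        reasons.append("payload at size limit")
    text = payload.decode("ascii", "replace").rstrip("\n\x00 ")
    tokens = re.sub(r"^<\d+>", "", text).split()
    if tokens and not token_complete(tokens[-1]):
        reasons.append("partial last token " + repr(tokens[-1]))
    # Heuristic: an unfragmented TCP entry ends its header fields with URGP=<n>.
    if "PROTO=TCP" in tokens and not any(t.startswith("URGP=") for t in tokens):
        reasons.append("TCP entry without URGP=")
    return reasons

# Constructed sample (documentation addresses), modelled on the entries above.
FULL = (b"<12>Nov 20 13:06:33 kernel: DROP IN=vlan1 OUT= "
        b"MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.10 "
        b"DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x20 TTL=47 ID=57910 PROTO=TCP "
        b"SPT=993 DPT=49865 SEQ=917032339 ACK=0 WINDOW=0 RES=0x00 RST URGP=0")
# Same packet logged with a 29-character --log-prefix, cut by the sender at the limit.
LONG = FULL.replace(b"DROP", b"DROP-WAN-INPUT-POLICY-DEFAULT")[:SYSLOG_LIMIT]

if __name__ == "__main__":
    for name, p in (("full", FULL), ("cut at limit", LONG),
                    ("cut mid-flag", FULL[:FULL.index(b"URGP") + 2])):
        print(f"{name:13} len={len(p):3} -> {check_entry(p) or 'looks whole'}")
```

A cut that happens to land on a token boundary is only caught by the size and URGP= checks, so the three reasons are meant to be used together.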
david.woodward
DD-WRT Novice


Joined: 12 Mar 2011
Posts: 6

Posted: Sat Mar 12, 2011 8:21    Post subject: Same here
I'm having the same problem and I also can confirm that it's not the syslog server truncating things because I have log entries from other sources that exceed the 256 character limit.

My DD-WRT firmware version is reported by the DD-WRT admin interface as:

DD-WRT v24-sp2 (09/18/10) mini-usb-ftp - build 15230M NEWD-2 Eko
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Sat Mar 12, 2011 9:01    Post subject:
So?????
_________________
Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge

DD-WRT v24-sp2 vpn (c) 2010 NewMedia-NET GmbH
Release: 12/16/10 (SVN revision: 15758M)
david.woodward
DD-WRT Novice


Joined: 12 Mar 2011
Posts: 6

Posted: Wed Mar 16, 2011 19:54    Post subject: So, what?
So? (I'm not sure if you're trying to be smart or looking for an answer like we are)

So... is this by design? A known bug? On the radar to be fixed soon?

I can appreciate that they probably had to "draw the line" somewhere on log length. But it would be nice if the "line" could be adjusted through the web interface or command line.
frater
DD-WRT Guru


Joined: 07 Jun 2006
Posts: 2777

Posted: Wed Mar 16, 2011 20:12    Post subject: Re: So, what?
david.woodward wrote:
So? (I'm not sure if you're trying to be smart or looking for an answer like we are)

So... is this by design? A known bug? On the radar to be fixed soon?

I can appreciate that they probably had to "draw the line" somewhere on log length. But it would be nice if the "line" could be adjusted through the web interface or command line.

It does the same on my full-blown Linux box. You should look for a non-DD-WRT-specific answer.

oxygenx
DD-WRT Guru


Joined: 11 Nov 2007
Posts: 566

Posted: Wed Mar 16, 2011 20:51    Post subject:
It depends on the configured klog buffer size. Unfortunately, it can only be changed at compile time (CONFIG_LOG_BUF_SHIFT).
_________________
Router: WNDR3300 (wl0: n-Only 5Ghz, WPA2-AES, wl1: g-Only, WPA-Mixed-Mixed)
WDS Node 1: WNDR3300 (wl0: n-Only 5Ghz, WPA2-AES, WDS-connected Router, wl1: g-Only WPA-Mixed-Mixed)
WDS Node 2: WRT54GL (g-Only, WPA-Mixed-Mixed WDS-connected to Router)
Modem: Cisco EPC3202
clients: Notebook 1, D-Link 323, PS3 Slim, Kathrein UFC960 connected to WDS Node 1 via Gigabit Switch. Notebook 2, Deskjet 6980 connected to WDS Node 2