What is the problem?
OpenWRT reports significant events, such as DHCP address assignments or SSH logins, in syslog. Sometimes selected events need to be logged to an external syslog server. That’s where logread comes in handy.
Logread
Logread is a command that displays syslog in real time and can also send it to an external server.
The example command is:
logread -f -e keyword -r 10.150.1.5 5514 -u
In this example, -f means that logread follows syslog in real time, -e that only lines matching the selected keyword are followed, -r sets the remote server (10.150.1.5, port 5514), and -u selects UDP.
Need to detect more keywords?
Then the command needed is:
logread -f -e 'keyword1\|keyword2' -r 10.150.1.5 5514 -u
Even though syslog lines are matched by regex, a \ is needed before the | (this is also called a pipe escape).
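A quick way to check a pattern before deploying it, as an added example that is not from the original post: it runs the escaped and unescaped patterns over constructed sample lines, assuming grep's basic regular expressions behave like logread's -e matching. The function names and the log lines are made up for illustration.

```shell
#!/bin/sh
# Constructed sample lines in the style of logread output (not real logs).
sample_log() {
cat <<'EOF'
Mon Jan  1 12:00:01 2024 authpriv.notice dropbear[1234]: Password auth succeeded for 'root' from 192.0.2.10:51234
Mon Jan  1 12:00:07 2024 authpriv.warn dropbear[1235]: Bad password attempt for 'root' from 192.0.2.77:40022
Mon Jan  1 12:01:15 2024 daemon.info dnsmasq-dhcp[1]: DHCPREQUEST(br-lan) 192.168.1.120 aa:bb:cc:dd:ee:ff
Mon Jan  1 12:01:15 2024 daemon.info dnsmasq-dhcp[1]: DHCPACK(br-lan) 192.168.1.120 aa:bb:cc:dd:ee:ff laptop
Mon Jan  1 12:02:30 2024 kern.info kernel: [   12.345678] br-lan: port 1(eth0) entered forwarding state
EOF
}

# Print the sample lines that a given -e pattern would select.
# Assumption: grep (basic regex) stands in for logread's matcher.
select_lines() {
    sample_log | grep -e "$1"
}

# Count the selected lines; grep -c exits non-zero on 0 matches, so mask that.
count_lines() {
    sample_log | grep -c -e "$1" || true
}

# Compare the escaped pattern from the post with the unescaped variant.
for pattern in 'dropbear\|DHCPACK' 'dropbear|DHCPACK'; do
    printf '%s -> %s line(s) would be forwarded\n' "$pattern" "$(count_lines "$pattern")"
done
```

The escaped pattern selects both dropbear lines, including the failed password attempt, plus the DHCPACK line; the unescaped one is treated as a literal string and selects nothing.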
What if we need to be started on boot?
Let’s create /etc/init.d/syslog-sender with the following content:
#!/bin/sh /etc/rc.common
# Run under procd, late in the boot sequence
USE_PROCD=1
START=99
START_DEPENDENCIES="network"
start_service() {
    procd_open_instance syslog_sender
    # Follow syslog and forward matching lines to the remote server over UDP
    procd_set_param command logread -f -e 'dropbear\|DHCPACK' -r 10.150.1.5 5514 -u
    # Restart logread if it exits; respawn must be set before the instance is closed
    procd_set_param respawn ${respawn_threshold:-3600} ${respawn_timeout:-5} ${respawn_retry:-5}
    procd_close_instance
}
After the file is created, enable it to run at every boot with the command:
/etc/init.d/syslog-sender enable
This way, information about DHCP leases and SSH logins to the router admin panel is logged to the 10.150.1.5 syslog server.