How to Filter syslog Messages

I would like to filter my syslog messages so that firewall logs are not sent to the remote syslog server. I would like to collect firewall logs, just not send them. Is this possible?

Here is some hardware information:
Device: RUT241
Kernel: 5.15.193
Firmware: RUT2M_R_GPL_00.07.19
Build: 878f4b6
Build date: 2026-01-09 22:48:15

Greetings, @nswanson,

Welcome to Teltonika Community!

Could you please clarify how you are currently sending syslogs to the remote server, and where you are planning to store the collected firewall logs?

This information will help me better understand your setup and investigate the matter further.

Warm regards,
V.

Hello Vilius,

Currently, we are sending syslog messages using the default in the Teltonika SDK of logd to handle sending logs to the remote syslog server. We would like to not send the firewall logs remotely to save bandwidth on our cellular data plan. We would like to log the firewall logs instead of just turning them off, but only log them locally to, say, /tmp/firewall.log.

This way we will not be sending the logs to the remote syslog server but can still use the logs to troubleshoot/investigate if needed. We realize that the logs will be cleared on a reboot and that is okay for us.

Thanks!

Greetings, @nswanson,

Thank you for your prompt response.

This configuration can be implemented using a custom script, which would filter out firewall-related logs and save them into a separate file (for example, /tmp/firewall.log), while storing the remaining logs in a different file that can then be sent to a remote server. Please note that developing custom scripts is beyond the scope of technical support.

If possible, could you provide a sample of the logs you are receiving, with the firewall-related entries highlighted? Please ensure that any personal or sensitive information is depersonalised before sharing, as this is a public forum. This will allow us to better understand your setup and provide more precise guidance.

I look forward to your reply.

Kind regards,
V.

Hi @Vilius ,

Looks like some serious conversation is going on here 🙂

I am also fighting with logging. Do you know if I can send GSM data (RSRQ, SINR, RSSI, etc.) to Graylog? Graylog is operational on my end, but I can only see WAN change and some DHCP logs.

Thanks

Peter

Greetings, @pegaz,

Thank you for your message.

Could you please clarify which protocol should be used for communication between the router and Graylog? This information will be helpful for my further investigation.

I look forward to your reply.

Best wishes,
V.

Hi @Vilius, thanks for the reply.

The logs I am currently receiving are Syslog UDP.

Hello,

To receive full mobile logs, you will need a custom script that takes data from the gsm.log file and sends its contents to Graylog.

Additionally, you can try utilizing the Data to Server feature, which allows you to send GSM data at configured intervals to your external server. For more information, please refer to this wiki article:

Please let me know if you have any additional questions.

Warm regards,
V.


Just to close out my issue. I was looking into using ulog or syslog, but the task was given to another team member who turned off logging to the remote server in the uci system settings and wrote a bash script to send all logs that don’t match a firewall filter using netcat. All logs including firewall logs are still going to logread.

Here is an example of the firewall logs:
109739 Wed Feb 11 13:37:22 2026 kern.warn kernel: [60289.910752] DROP lan in: IN=eth0.1 OUT= MAC=20:97:27:9d:e2:a5 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36037 DF PROTO=ICMP TYPE=8 CODE=0 ID=14409 SEQ=1
109746 Wed Feb 11 13:37:25 2026 kern.warn kernel: [60293.163473] DROP lan in: IN=eth0.1 OUT= MAC=20:97:27:9d:e2:a5 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36334 DF PROTO=ICMP TYPE=8 CODE=0 ID=14412 SEQ=1
109752 Wed Feb 11 13:37:29 2026 kern.warn kernel: [60296.419221] DROP lan in: IN=eth0.1 OUT= MAC=20:97:27:9d:e2:a5 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36949 DF PROTO=ICMP TYPE=8 CODE=0 ID=14415 SEQ=1
109757 Wed Feb 11 13:37:32 2026 kern.warn kernel: [60299.672675] DROP lan in: IN=eth0.1 OUT= MAC=20:97:27:9d:e2:a5 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37100 DF PROTO=ICMP TYPE=8 CODE=0 ID=14418 SEQ=1
109763 Wed Feb 11 13:37:35 2026 kern.warn kernel: [60302.923521] DROP lan in: IN=eth0.1 OUT= MAC=20:97:27:9d:e2:a5 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37201 DF PROTO=ICMP TYPE=8 CODE=0 ID=14421 SEQ=1
109770 Wed Feb 11 13:37:38 2026 kern.warn kernel: [60306.177730] DROP lan in: IN=eth0.1 OUT= MAC=20:97:27:9d:e2:a5 SRC=192.168.100.2 DST=192.168.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37422 DF PROTO=ICMP TYPE=8 CODE=0 ID=14424 SEQ=1
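
One way to implement the approach described in the post above, as an added example that is not the script written by the poster's team: kernel netfilter lines are kept in /tmp/firewall.log with a size cap, and everything else is forwarded with netcat. The names `split_logs` and `FW_LOG_MAX`, the collector address 192.0.2.10, UDP transport and an `nc` build that supports `-u` are assumptions.

```shell
#!/bin/sh
# Added example; assumed values, override through the environment.
FW_LOG="${FW_LOG:-/tmp/firewall.log}"      # local file named in the thread
FW_LOG_MAX="${FW_LOG_MAX:-262144}"         # assumed cap in bytes; /tmp is RAM
REMOTE_HOST="${REMOTE_HOST:-192.0.2.10}"   # placeholder collector address
REMOTE_PORT="${REMOTE_PORT:-514}"          # assumed syslog port

# split_logs: read logread-style lines on stdin. Kernel netfilter LOG lines
# are written to $FW_LOG; every other line is printed on stdout.
# The match requires the kernel tag plus the IN=/OUT=/SRC=/DST=/PROTO= fields
# instead of the word "DROP", so a changed log prefix is still caught and a
# userspace message that merely mentions DROP is still forwarded.
split_logs() {
    awk -v out="$FW_LOG" -v max="$FW_LOG_MAX" '
        / kern\.[a-z]+ kernel: / && / IN=[^ ]* OUT=/ &&
        / SRC=/ && / DST=/ && / PROTO=/ {
            # Start the file over once the cap would be exceeded.
            if (bytes + length($0) + 1 > max) { close(out); bytes = 0 }
            print > out        # first write after open or close truncates
            fflush(out)
            bytes += length($0) + 1
            next
        }
        { print; fflush() }    # unbuffered so forwarding stays live
    '
}

# main: follow the local log and forward the non-firewall lines.
# Lines are sent as logread prints them, without syslog framing.
main() {
    logread -f | split_logs | nc -u "$REMOTE_HOST" "$REMOTE_PORT"
}

# Only start forwarding when invoked as: script.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The local file is started over each time the script starts and each time the cap is reached, so size `FW_LOG_MAX` for the troubleshooting window you need.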
