CE/PE Log Management

Starting with CE/PE version 24.10.1-b6, their logging capabilities have been enhanced to ensure log persistence across reboots and improve disk space utilization. All system logs are now stored in /var/log/messages-YYYY-MM-DD files, and connection flow logs are saved in /var/log/flow-YYYY-MM-DD files.

Log Persistence Across Reboots

Starting with version 24.10.1-b6, CE/PE (probably stands for "Control Engine" and "Policy Engine" or similar, although not clearly defined in the given text) now maintains logs across reboots. These persistent logs are stored in files named /var/log/messages-YYYY-MM-DD.

Viewing System Logs

Several options are available for viewing system logs.

Real-time Logs: To see logs as they are generated, use the command:

logread -f

Example Result:

root@Network_testing_CE:~# logread -f
Jun  4 12:49:52 Network_testing_CE openvpn(vtun38_1)[4677]: Preserving previous TUN/TAP instance: vtun38_1
Jun  4 12:49:52 Network_testing_CE openvpn(vtun38_1)[4677]: TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.31.50:50015
Jun  4 12:49:52 Network_testing_CE openvpn(vtun38_1)[4677]: Socket Buffers: R=[212992->425984] S=[212992->425984]
Jun  4 12:49:52 Network_testing_CE openvpn(vtun38_1)[4677]: UDPv4 link local (bound): [AF_INET][undef]:50015
Jun  4 12:49:52 Network_testing_CE openvpn(vtun38_1)[4677]: UDPv4 link remote: [AF_INET]192.168.31.50:50015
Jun  4 12:49:58 Network_testing_CE dropbear[10029]: Bad password attempt for 'hiclouds' from 172.20.10.2:35668
Jun  4 12:50:03 Network_testing_CE dropbear[10029]: Password auth succeeded for 'hiclouds' from 172.20.10.2:35668
Jun  4 12:50:22 Network_testing_CE sudo: hiclouds : TTY=pts/0 ; PWD=/hiclouds ; USER=root ; COMMAND=/usr/bin/su -
Jun  4 12:50:22 Network_testing_CE su[12037]: Successful su for root by root
Jun  4 12:50:22 Network_testing_CE su[12037]: + /dev/pts/1 root:root

This command displays real-time log entries.

Current Day's Logs: To view all system logs for the current day, use:

logread

Example Result:

root@Network_testing_CE:~# logread 
Jun  4 12:12:33 Network_testing_CE : [origin software="rsyslogd" swVersion="8.24
08.0" x-pid="2792" x-info="https://www.rsyslog.com"] start
Jun  4 12:12:33 Network_testing_CE kernel: Linux version 6.6.86 (builder@buildho
st) (x86_64-openwrt-linux-musl-gcc (OpenWrt GCC 13.3.0 r28597-0425664679) 13.3.0
, GNU ld (GNU Binutils) 2.42) #0 SMP Sun Apr 13 16:38:32 2025
Jun  4 12:12:33 Network_testing_CE kernel: Command line: BOOT_IMAGE=/boot/vmlinu
z root=PARTUUID=14b3d1d5-02 rootwait console=tty1 console=ttyS0,115200n8 noinitr
d
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-provided physical RAM map:
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x0000000000000000-0x
000000000009fbff] usable
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x000000000009fc00-0x
000000000009ffff] reserved
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x00000000000f0000-0x
00000000000fffff] reserved
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x0000000000100000-0x
000000001ffeffff] usable
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x000000001fff0000-0x
000000001fffffff] ACPI data
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x00000000fec00000-0x
00000000fec00fff] reserved
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x00000000fee00000-0x
00000000fee00fff] reserved

Logs for a Specific Date: To check logs from a particular date, use the -D flag followed by the date in YYYY-MM-DD format. For example, to view logs from June 4, 2025:

logread -D YYYY-MM-DD

For example, to view logs from June 4, 2025:

logread -D 2025-06-04

Example Result:

root@Network_testing_CE:~# logread -D 2025-06-04 
/sbin/logread: illegal option -- D
Jun  4 12:12:33 Network_testing_CE : [origin software="rsyslogd" swVersion="8.2408.0" x-pid="2792" x-info="https://www.rsyslog.com"] start
Jun  4 12:12:33 Network_testing_CE kernel: Linux version 6.6.86 (builder@buildhost) (x86_64-openwrt-linux-musl-gcc (OpenWrt GCC 13.3.0 r28597-
0425664679) 13.3.0, GNU ld (GNU Binutils) 2.42) #0 SMP Sun Apr 13 16:38:32 2025
Jun  4 12:12:33 Network_testing_CE kernel: Command line: BOOT_IMAGE=/boot/vmlinuz root=PARTUUID=14b3d1d5-02 rootwait console=tty1 console=ttyS
0,115200n8 noinitrd
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-provided physical RAM map:
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x0000000000100000-0x000000001ffeffff] usable
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x000000001fff0000-0x000000001fffffff] ACPI data
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x00000000fec00000-0x00000000fec00fff] reserved
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x00000000fee00000-0x00000000fee00fff] reserved
Jun  4 12:12:33 Network_testing_CE kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved
Jun  4 12:12:33 Network_testing_CE kernel: NX (Execute Disable) protection: active
Jun  4 12:12:33 Network_testing_CE kernel: APIC: Static calls initialized
Jun  4 12:12:33 Network_testing_CE kernel: SMBIOS 2.5 present.
Jun  4 12:12:33 Network_testing_CE kernel: DMI: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
Jun  4 12:12:33 Network_testing_CE kernel: Hypervisor detected: KVM
Jun  4 12:12:33 Network_testing_CE kernel: kvm-clock: Using msrs 4b564d01 and 4b564d00
Jun  4 12:12:33 Network_testing_CE kernel: kvm-clock: using sched offset of 8619324921 cycles
Jun  4 12:12:33 Network_testing_CE kernel: clocksource: kvm-clock: mask: 0xffffffffffffffff max_cycles: 0x1cd42e4dffb, max_idle_ns: 8815905914
83 ns
Jun  4 12:12:33 Network_testing_CE kernel: tsc: Detected 2496.000 MHz processor
Jun  4 12:12:33 Network_testing_CE kernel: e820: update [mem 0x00000000-0x00000fff] usable ==> reserved
Jun  4 12:12:33 Network_testing_CE kernel: e820: remove [mem 0x000a0000-0x000fffff] usable
Jun  4 12:12:33 Network_testing_CE kernel: last_pfn = 0x1fff0 max_arch_pfn = 0x400000000
Jun  4 12:12:33 Network_testing_CE kernel: MTRRs disabled by BIOS
Jun  4 12:12:33 Network_testing_CE kernel: x86/PAT: Configuration [0-7]: WB  WC  UC- UC  WB  WP  UC- WT  
Jun  4 12:12:33 Network_testing_CE kernel: found SMP MP-table at [mem 0x0009fff0-0x0009ffff]
Jun  4 12:12:33 Network_testing_CE kernel: ACPI: Early table checksum verification disabled
Jun  4 12:12:33 Network_testing_CE kernel: ACPI: RSDP 0x00000000000E0000 000024 (v02 VBOX  )
Jun  4 12:12:33 Network_testing_CE kernel: ACPI: XSDT 0x000000001FFF0030 00003C (v01 VBOX   VBOXXSDT 00000001 ASL  00000061)
Jun  4 12:12:33 Network_testing_CE kernel: ACPI: FACP 0x000000001FFF00F0 0000F4 (v04 VBOX   VBOXFACP 00000001 ASL  00000061)
Jun  4 12:12:33 Network_testing_CE kernel: ACPI: DSDT 0x000000001FFF0610 002353 (v02 VBOX   VBOXBIOS 00000002 INTL 20200925)
Jun  4 12:12:33 Network_testing_CE kernel: ACPI: FACS 0x000000001FFF0200 000040
Jun  4 12:12:33 Network_testing_CE kernel: ACPI: FACS 0x000000001FFF0200 000040

Connection Flow Logs

CE also maintains connection flow logs, which record information about new and terminated connections. These flow logs are stored in files named /var/log/flow-YYYY-MM-DD.

To view these flow logs, use the cat command, specifying the date:

cat /var/log/flow-YYYY-MM-DD

Example result:

root@Network_testing_CE:~# cat /var/log/flow-logger-2025-06-04.log 
Jun  4 12:12:35 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:58646 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:35 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:58586 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:35 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:50149 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:35 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:58917 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:35 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:58435 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:35 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:52072 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:35 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:50015 => 192.168.31.50:50015 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:41564 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:41414 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:40141 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:44169 => 117.186.234.100:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:44169 => 103.78.41.247:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:44169 => 8.8.8.8:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:44169 => 4.2.2.2:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:37231 => 117.186.234.100:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:37231 => 103.78.41.247:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:37231 => 8.8.8.8:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:37231 => 4.2.2.2:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:53603 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 127.0.0.1:52568 => 127.0.0.1:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:36728 => 117.186.234.100:53 upload=0 download=0
Jun  4 12:12:37 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:36728 => 103.78.41.247:53 upload=0 download=0
Jun  4 12:12:38 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:36728 => 8.8.8.8:53 upload=0 download=0
Jun  4 12:12:38 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:36728 => 4.2.2.2:53 upload=0 download=0
Jun  4 12:12:38 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:39715 => 117.186.234.100:53 upload=0 download=0
Jun  4 12:12:38 Network_testing_CE flow-logger[2045]: opened udp 172.20.10.5:39715 => 103.78.41.247:53 upload=0 download=0

Disk Space Utilization Improvement

Before version 24.10.1-b6, unused disk space on CE/PE hardware remained unutilized.

Now, whenever CE/PE boots for the first time on firmware version 24.10.1-b6 or later, it will automatically create a new partition and mount it to /var/log. This ensures better utilization of available disk space for storing logs.

note

The logging and viewing methods described above apply identically to both CE and PE outputs.

CE/PE Log Management

Log Persistence Across Reboots​

Viewing System Logs​

Example Result:​

Example Result:​

Example Result:​

Connection Flow Logs​

Example result:​

Disk Space Utilization Improvement​

Log Persistence Across Reboots

Viewing System Logs

Example Result:

Example Result:

Example Result:

Connection Flow Logs

Example result:

Disk Space Utilization Improvement