The missing firewall logs of DD-WRT

As far as I know, this applies to all versions of DD-WRT at the time of writing (2014/01/08 [yyyy/mm/dd]).

DD-WRT is a really good piece of firmware for your router. Stable, functional, customisable and configurable. Unfortunately it has one or two glitches and one of those affects the firewall logs. DD-WRT comes in a number of flavours and is often re-branded by OEMs to fit in with their marketing (or corporate culture, or deliver the “brand message” or whatever other idiocy some middle-manager has invented to justify their job); this means I can’t 100% guarantee that the web UI details will match your router, so I will do my best to be descriptive.

First off, let’s make sure the firewall is actually logging. This needs to be enabled in a couple of places before anything will be logged. On the “Services” tab, first sub-tab (also labelled “Services”), make sure that the “System Log” is enabled. This is “syslogd”. If you have a “Remote Server” defined then all your logs will go there and you are basically done with this guide; go check your remote server.

Now that the logging system is running, it is time to turn on the firewall log itself. On the “Security” tab, first sub-tab “Firewall”, scroll down and enable the log. Set all the options to “High”/“Enabled” for the moment.

Now do something that should result in a firewall log message; for example, use one of the many port scanners to probe your router on a port you know is closed.

Next, in the web UI, click on “Incoming Log”. It’s empty. It will always be empty no matter what you do. The web UI simply does not show the firewall log. This, for a while, made me think that the firewall wasn’t working, but of course the port probes were blocked so clearly it was. The logs are also being written, but you need SSH to read ’em:

ssh user@your.router.ip.here

For example:

ssh admin@192.168.1.1

The logs are written to “/tmp/var/log/messages” and we can use many of the normal command line tools to see what has been happening. For example:

tail /tmp/var/log/messages
or
grep DROPPED /tmp/var/log/messages
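
To go one step beyond the grep above, this added example (not part of the original post) tallies DROPPED entries by source address and destination port. It assumes the entries carry the kernel's standard netfilter LOG fields (SRC=, PROTO=, DPT=) and that awk and sort are available on the router; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: DROPPED entries use the kernel's netfilter LOG fields
# (SRC=, PROTO=, DPT=). Function names are illustrative.

# Tally DROPPED entries as "count source proto/port", busiest first.
# Reads the files given as arguments, or stdin if there are none.
summarize_drops() {
    awk '
    /DROPPED/ {
        src = proto = dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)   src   = substr($i, 5)
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src == "") next        # mentions DROPPED but is not a packet entry
        if (dpt == "") dpt = "-"   # ICMP and other portless protocols
        count[src " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Constructed sample lines (documentation addresses), for offline testing.
sample_log() {
    cat <<'EOF'
Jan  8 10:00:01 DD-WRT kern.warn kernel: DROPPED IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=44 TTL=240 ID=1 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 SYN URGP=0
Jan  8 10:00:02 DD-WRT kern.warn kernel: DROPPED IN=vlan2 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=44 TTL=240 ID=2 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 SYN URGP=0
Jan  8 10:00:05 DD-WRT kern.warn kernel: DROPPED IN=vlan2 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=70 TTL=52 ID=3 PROTO=UDP SPT=5353 DPT=161 LEN=50
Jan  8 10:00:09 DD-WRT kern.warn kernel: DROPPED IN=vlan2 OUT= SRC=198.51.100.77 DST=198.51.100.2 LEN=84 TTL=55 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Jan  8 10:00:12 DD-WRT kern.warn kernel: ACCEPT IN=br0 OUT=vlan2 SRC=192.168.1.10 DST=192.0.2.80 LEN=60 TTL=63 ID=5 PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Jan  8 10:00:15 DD-WRT authpriv.info dropbear[812]: Child connection from 192.168.1.10:51234
EOF
}

# Demo on the sample; on the router: summarize_drops /tmp/var/log/messages
sample_log | summarize_drops
```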

And that’s it, that’s how you read the logs on a DD-WRT router. When you enabled “syslogd” you will have noticed the “Remote Server” option; you can use that to send the logs to a different computer so you don’t have to SSH into your router all the time.

You can also create a sym-link to the log file that you can access from your browser, but it still won’t be integrated into the UI correctly. You can get the details on how to do that here.
