Increasing Wi-Fi Logging: What It Is and Why It's Important

The administrative panels of modern routers and monitoring systems often feature an option for changing the level of detail of recorded events. Users, when faced with setting up logging level, people often ask: what exactly does this term mean and why might the default settings be insufficient? Essentially, it switches the system's operating mode from brief notifications of key events to a comprehensive logging of all processes occurring within network equipment.

When an administrator or advanced user decides to increasing the log level, it instructs the router firmware to stop ignoring background processes. Instead of logging only "Client Connection," the system will begin recording handshake packets, timings, encryption error codes, and retransmission rates. This turns a regular event log into a detailed chronicle of the wireless network, capturing every single activity of the radio module.

However, it's important to understand that such detailing requires resources. The device's processor begins working harder to write data, and free memory space (RAM or Flash) fills up much faster. That's why this mode is rarely enabled by default—it's intended for diagnostics specific problems, and not for continuous background operation in normal mode.

Hierarchy of logging levels and their meaning

Linux-based router operating systems (OpenWrt, DD-WRT, AsusWRT, MikroTik) use a standard gradation of event severity. Understanding this hierarchy is critical for correctly interpreting what's happening on your network. Each tier filters out less significant messages, retaining only those that meet a specified severity threshold.

The lowest level, often referred to as Emergency or Alert, records only fatal errors that cause the system to stop functioning. In contrast, the level Debug or Verbose Logs absolutely everything, including cyclic port status checks and service packets. Increasing the logging level means moving from Warning or Notice to Info or Debug.

⚠️ Warning: Enabling the maximum level of detail (Debug) on ​​routers with limited RAM may cause buffer overflows and device reboot loops. Use this mode only for short periods of time to collect data.

The differences between levels often look like this:

  • 🔴 Critical/Error: Only failures that resulted in a connection break or service failure are recorded.
  • 🟡 Warning: Anomalies that do not interrupt operation but may indicate instability (for example, high CPU load) are recorded.
  • 🟢 Info: Standard mode, displaying successful connections, client disconnections, and IP address changes.
  • 🔵 Debug: Detailed technical information about each packet, the state of the Wi-Fi driver, and the router's internal decision-making logic.
📊 What logging level do you use most often?
Only errors (Error)
Standard (Info)
Full (Debug)
I don't know, it's on by default.

Why do you need detailed event logging?

The main purpose of enabling verbose logging is diagnostics Complex network problems that cannot be detected with standard monitoring tools. If a user complains of "slow internet" or "intermittent disconnects," the standard log may be silent, showing only normal operation. A detailed log, however, will reveal hidden processes, such as constant packet retransmissions or channel conflicts.

In addition, increasing the log level is necessary for security analysisWhen an attacker penetrates a network or malware attempts to scan ports, in normal mode these attempts can get lost among thousands of legitimate connections. In Debug mode, the system will record every authentication attempt, even unsuccessful ones, and every request to open a port, allowing you to identify a brute-force attack.

Also detailed logs are indispensable when setting up corporate networks and VLANs. Engineers need to see how devices roam between access points, how reconnection occurs when changing subnets, and whether QoS policies are applied correctly. Without detailed recordings, reproducing and correcting a configuration error is virtually impossible.

How to enable advanced logging on a router

The process for activating detailed logging depends on the equipment manufacturer and firmware version. In most consumer routers (Asus, TP-Link, Keenetic), these settings are hidden deep in the menu or accessible only through the command line. In professional equipment (MikroTik, Ubiquiti), this is a built-in feature with flexible configuration.

First, you need to log in to the admin web interface. Typically, you can find the path through the section System or Administration. Find the tab System log or Log SettingsThere may be a drop-down list with logging levels. If there isn't one, try looking for a checkbox labeled "Enable debugging" or "Debug Mode."

In some cases, such as on devices Asus with firmware AsusWRT-MerlinTo enable full logging, you need to run the command via SSH. You'll need a terminal and Secure Shell access.

logger -t kernel"Start debug logging"

echo 8 > /proc/sys/kernel/printk

After executing the command, the system will start writing to the file. /tmp/messages or /var/log/syslog significantly more information. Keep in mind that these settings may be reset after a reboot if you do not save them in a startup script (for example, scripts.post-mount).

☑️ Preparing for log collection

Completed: 0 / 5

Log File Analysis: What to Look for

An inexperienced user may feel overwhelmed when presented with a large text file of logs. The key to success is identifying patterns and anomalies. First, pay attention to timestamps that match the moment the user's issue occurred. Look for repeating lines that indicate cyclical processes.

Particular attention should be paid to messages containing keywords. deauth, disassoc or timeoutThey indicate that the connection was broken not by the user's will, but due to signal loss, interference, or a driver error. It is also important to monitor messages about WPA handshake - If there are too many of them from one device, this may indicate compatibility issues or an attack.

For ease of analysis, you can use a table of correspondence between codes and events frequently found in Wi-Fi logs:

Code/Event Description Possible cause
assoc_req Association request The device is trying to connect to the network
deauth reason=3 Deauthorization (access point unavailable) Weak signal or roaming
deauth reason=2 Deauthorization (previous auth expired) Driver issues or timeouts
4-way handshake timeout Password error or incompatibility Invalid WPA2 key or old client

When analyzing, it's important to consider the context. A single error may be a random glitch, but a series of hundreds of identical errors within a minute is a systemic problem requiring intervention.

What are reason codes in deauthorization?

Reason codes in deauthentication frames inform the client and access point why the connection is being terminated. For example, reason code 3 means the access point is unreachable (often when roaming), and reason code 6 indicates a locally initiated deauthorization (the client has left). Reason code 2 often indicates a timeout for the previous authorization, which may indicate a faulty Wi-Fi driver on the client.

The Impact of Detailed Logging on Performance

It's important to clearly understand the tradeoff between information density and performance. Writing every byte of information to disk or memory requires processor time. On powerful routers with dual-core processors, this impact may be unnoticeable, but on budget models with single-core CPUs, the load can increase by 10-15%.

The second critical resource is writing to flash memoryContinuously writing large amounts of data (typical for Debug mode) leads to accelerated wear on memory cells. Although modern file systems (JFFS2, UBIFS) can distribute the load, there is still a risk of drive failure when logging continuously in debug mode.

Furthermore, filling up your RAM with logs can lead to insufficient RAM for other processes, such as DNS caching or running a torrent client. If you notice free memory dropping to critical levels, you should immediately lower the logging level.

⚠️ Note: Interfaces and menu item names may vary depending on your router's firmware version. If you don't see the settings described, please refer to the manufacturer's official documentation for your router model.

Common mistakes in setup and analysis

One of the most common mistakes is enabling verbose logging. after The problem's occurrence. The log records events in real time; if an error has already occurred and wasn't recorded, enabling debugging after the fact won't help you find it. You need to enable the mode, reproduce the problem, collect data, and then disable it.

Another error is ignoring the log file size. On some systems, the log can grow indefinitely until it fills the entire disk, which will lead to service failure. Always adjust log rotation (log rotation) or limit the maximum file size (e.g. 1 MB) so that older entries are automatically overwritten by new ones.

Users also often forget to clear the buffer before testing. If the log contains 10,000 lines of old junk, finding the error you're looking for will be extremely difficult. Use a clear command, for example: logread -c or the "Clear log" button in the web interface, immediately before starting the diagnostics.

Automating data collection for technical support

In corporate environments or when providing remote user support, automated log collection is often required. Manually accessing each router is inconvenient. A remote syslog server is set up for this purpose. The router sends all its logs, including debug levels, to an external server over the network, where they are stored and analyzed.

To set up remote logging, you need to find the section in the router menu System -> Syslog settingsThe IP address of the log collection server and port (514 by default) are specified there. This allows you to offload the router from storing history and preserve data even in the event of a reboot or failure.

Using external analysis systems such as Graylog or ELK Stack, allows you to visualize data, build channel load graphs, and automatically alert the administrator when critical errors appear in the Wi-Fi logs.

How to safely collect logs to send to the developer?

When sending logs to software developers or your ISP's technical support, it's important to remove any confidential information. Logs may contain MAC addresses of your devices, Wi-Fi network names (SSIDs), and sometimes even traffic fragments. Before sending, open the file in a text editor and replace actual MAC addresses and passwords with placeholders (e.g., AA:BB:CC:DD:EE:FF), unless required for diagnostic purposes by a specific specialist.

Why are there no entries in the logs for last week?

Logs are stored in RAM, which is cleared when the router is powered off. If the router reboots, old logs are lost. To preserve the history longer, you can configure logging to be saved to a USB flash drive or sent to a remote server (remote syslog). Otherwise, you'll only see events since the last reboot.

Can high log levels slow down my internet speed?

Theoretically yes, but in practice, on home networks, this impact is minimal. A noticeable speed reduction (up to 10-20%) may only be noticeable on very weak routers with heavy traffic and Debug mode enabled, when the processor can't process packets and simultaneously record detailed information about them.