Syed Jahanzaib Personnel Blog to Share Knowledge !

November 29, 2011

Howto Save Mikrotik Logs to Remote SYSLOG Server



In some situations you might need to save logs of Mikrotik actions and user connectivity for record or tracking purposes. It is much easier to examine this information in Linux-based logs. The following is a simple article explaining how to send Mikrotik logs to a remote Ubuntu/Linux-based syslog server.

First we have to configure Mikrotik.

# MIKROTIK CONFIGURATION
In Mikrotik, open Terminal and paste the following.

/system logging action
set remote bsd-syslog=yes name=remote remote=192.168.2.1 remote-port=514 src-address=0.0.0.0 syslog-facility=local0 syslog-severity=auto target=remote
/system logging
add action=remote disabled=no prefix="" topics=!async

[Note: 192.168.2.1 is the Linux syslog server IP; change it to match your remote syslog server IP. You can modify the topics as per your requirement. The above rule logs everything, which is sometimes not required; it is just an example.]

That’s it for Mikrotik :) Now moving to the Linux section. In this example I used Ubuntu (my favorite); you can use any other flavor of your choice.

# UBUNTU/LINUX CONFIGURATION

If you don’t already have a syslog server installed, install it with

apt-get install syslogd

After installation is complete, edit its configuration file, /etc/syslog.conf

nano /etc/syslog.conf

and add the following lines at the end.

!*
+192.168.2.10
local0.*        /var/log/mt.log

[Note: 192.168.2.10 is the Mikrotik IP; change it accordingly.]
Now save and exit.

Create a new file with the touch command so that syslog can store Mikrotik logs in a separate file.

touch /var/log/mt.log
chmod 600 /var/log/mt.log

Restart the syslog service with

/etc/init.d/sysklogd restart

Now monitor the newly created file with the following command

tail -f /var/log/mt.log

On the Mikrotik, perform any action, for example open ‘New Terminal’ or try to add a new rule, and you will see its logs in the tail output.
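To make the routing rule concrete, here is an added example (not part of the original post) that decodes a BSD-syslog datagram and applies the same test as the `+192.168.2.10` / `local0.*` lines above. It assumes the host selector is matched against the UDP source address; the function names and the sample datagrams are constructed for illustration.

```python
import re

# PRI = facility * 8 + severity (RFC 3164); local0..local7 are facilities 16..23.
FACILITIES = {16 + i: f"local{i}" for i in range(8)}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MIKROTIK_IP = "192.168.2.10"      # router address used in the article
MIKROTIK_LOG = "/var/log/mt.log"  # target file used in the article

BSD_LINE = re.compile(
    r"^<(\d{1,3})>"                                # PRI value
    r"([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "  # timestamp, e.g. "Nov 29 10:15:02"
    r"(\S+) "                                      # sending host name
    r"(.*)$"                                       # message text
)

def parse_bsd_syslog(datagram: bytes):
    """Decode one RFC 3164 datagram; return None if it is malformed."""
    m = BSD_LINE.match(datagram.decode("utf-8", errors="replace").rstrip("\r\n"))
    if not m or int(m.group(1)) > 191:  # highest valid PRI is 23 * 8 + 7
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }

def destination(datagram: bytes, src_ip: str):
    """Apply the article's selector: return the log file path, or None."""
    rec = parse_bsd_syslog(datagram)
    if rec is None or src_ip != MIKROTIK_IP or rec["facility"] != "local0":
        return None
    return MIKROTIK_LOG

# Constructed sample datagrams (not captured from a real router).
SAMPLES = [
    (b"<134>Nov 29 10:15:02 MikroTik user admin logged in via winbox", "192.168.2.10"),
    (b"<134>Nov 29 10:15:09 MikroTik rule added by admin", "192.168.2.77"),
    (b"<38>Nov 29 10:16:40 MikroTik login failure", "192.168.2.10"),
    (b"not a syslog line", "192.168.2.10"),
]

if __name__ == "__main__":
    for data, src in SAMPLES:
        print(src, parse_bsd_syslog(data), "->", destination(data, src))
```

UDP syslog carries no authentication, so the source-address check is only as trustworthy as the network path between the router and the server.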

TIPS N TRICKS

You can also set up one central log server and collect all servers’/devices’ logs on it for better troubleshooting, monitoring and management. Just search Google for SYSLOG.

Howto Prevent Duplicate LOG Entries

By default there will be duplicate entries for Mikrotik logs in /var/log/mt.log and /var/log/messages.
To prevent duplicate entries, you have to tell syslog not to place local0.* in /var/log/messages. To do this, add an entry ‘local0.none’ to the following section in /etc/syslog.conf

Look for the following line

mail,news.none          -/var/log/messages

Remove the above line and add the following

mail,news.none;\
local0.none             -/var/log/messages

SAVE LOGS IN MIKROTIK (Personal Reference)

#Logging features, I used this to store necessary info of Mikrotik
# written to DISK for record purpose.

/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=14 disk-file-name=MyMikrotik-log disk-lines-per-file=10000 disk-stop-on-full=no name=disk target=disk

/system logging
add action=memory disabled=no prefix="" topics=info,!firewall
add action=echo disabled=no prefix="" topics=error
add action=echo disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
add action=remote disabled=no prefix="" topics=firewall
add action=disk disabled=no prefix="" topics=pppoe,ppp,info
add action=disk disabled=no prefix="" topics=critical
add action=disk disabled=no prefix="" topics=system,info
add action=disk disabled=no prefix="" topics=pppoe,info

Take Care

Regards
Syed Jahanzaib
