Syed Jahanzaib Personal Blog to Share Knowledge !

November 29, 2011

Howto Save Mikrotik Logs to Remote SYSLOG Server



First Published Date: Nov 29, 2011 @ 11:58
Revision Date : May 15, 2016 @ 1300 hours


In some situations you may want to save your MikroTik router logs (or web proxy logs) for record keeping and for tracking MikroTik activity. In most countries the law also requires you to keep a record of users' public IP assignments; for example, when you apply for a license, you are required to have such records at your disposal. From a management point of view it is much better to collect MikroTik log information on an external Linux-based log server.

This post demonstrates how to send MikroTik logs to a remote Ubuntu/Linux-based syslog server. We will use the syslog-ng package in this example.

SYSLOG Server   = 192.168.100.1   [OS: Ubuntu 12.04 32-bit]
Mikrotik Server = 192.168.100.2

First We will configure Mikrotik section


# MIKROTIK CONFIGURATION

In MikroTik, open a terminal and paste the following.

/system logging action
set 0 memory-lines=100
set 1 disk-file-count=30 disk-file-name=MT-log-zaib disk-lines-per-file=500
set 3 remote=192.168.100.1
# 192.168.100.1 is the remote syslog-ng server that we will configure in the second step.

# Now we add the topics that we want to be stored on the syslog server.
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning

[Note: 192.168.100.1 is the Linux syslog server IP; change it to match your remote syslog server. The topics above are just an example; modify them as per your requirement.]


That's it for MikroTik 🙂 Now moving to the Linux section. In this example I used Ubuntu 12.04; you can use any other flavor of your choice.


# UBUNTU 12.4 CONFIGURATION

First we have to install the syslog server. In this example we are using the syslog-ng log server.

Install the syslog-ng package with:

apt-get install syslog-ng

After installation, edit its configuration file, /etc/syslog-ng/syslog-ng.conf.

Use the following command to edit the config file.

nano /etc/syslog-ng/syslog-ng.conf

Now paste the following lines before the SOURCES section.

# Accept syslog messages on UDP (port 514 by default)
source s_net { udp(); };

# MIKROTIK ###########
# Filter: keep only messages coming from the MikroTik router
filter f_mikrotik { host("192.168.100.2"); };

# Destination: one file per day in /var/log/mikrotik (the directory must exist, see IMPORTANT below)
#destination df_mikrotik { file("/var/log/mikrotik.log"); };
destination df_mikrotik {
    file("/var/log/mikrotik/mikrotik.${YEAR}.${MONTH}.${DAY}.log"
    # template("${HOUR}:${MIN}:${SEC} ${HOST} ${MSG}\n")
    template-escape(no));
};

# Log path: tie the source, the filter and the destination together
log { source(s_net); filter(f_mikrotik); destination(df_mikrotik); };


Now Save & Exit.


IMPORTANT:

  • Create the 'mikrotik' folder in /var/log, so that the MikroTik logs are saved in their own file there:

mkdir /var/log/mikrotik

Restart the syslog-ng service to apply changes

service syslog-ng restart

Monitoring the LOGS

Now check the file name in /var/log/mikrotik (the destination above names the file after the current date, e.g. mikrotik.2016.05.15.log) and monitor it with the tail command:

tail -f /var/log/mikrotik/mikrotik.$(date +%Y.%m.%d).log

On the MikroTik, perform any action, for example open 'New Terminal' or try to add a new rule; you will see its log lines in the tail output.
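To see what the syslog-ng path above actually does with each datagram, here is an added example that is not part of the original post: a small Python UDP receiver that mirrors it step by step (source udp() → filter host() → dated file destination). The sample datagrams are constructed, not captured from a real router, and the assumption that RouterOS sends its comma-separated topic list as the first word of the message (with the BSD "Mmm dd hh:mm:ss hostname" header only when bsd-syslog=yes) is mine, not the post's.

```python
"""Minimal UDP syslog receiver mirroring the syslog-ng path:
source udp() -> filter host(<router ip>) -> file mikrotik.${YEAR}.${MONTH}.${DAY}.log
Added example; not part of the original post."""
import re
import socket
from datetime import datetime
from pathlib import Path

MIKROTIK_IP = "192.168.100.2"          # the router address used in filter f_mikrotik
LOG_DIR = Path("/var/log/mikrotik")    # destination directory from the post
LISTEN_PORT = 514                      # syslog-ng udp() default (binding it needs root)

# Facility/severity tables from RFC 3164; PRI = facility * 8 + severity
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI = re.compile(r"^<(\d{1,3})>")
# Optional BSD header "Mmm dd hh:mm:ss hostname " (assumption: RouterOS adds it only with bsd-syslog=yes)
BSD_HDR = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) ")


def parse_syslog(datagram: bytes) -> dict:
    """Decode one datagram. Assumption: RouterOS puts its comma-separated topic list
    first, e.g. b'<30>system,info,account user admin logged in ...'."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    facility, severity = "user", "notice"          # RFC 3164 defaults when PRI is absent
    m = PRI.match(text)
    if m and int(m.group(1)) <= 191:
        pri = int(m.group(1))
        facility, severity = FACILITIES[pri // 8], SEVERITIES[pri % 8]
        text = text[m.end():]
    host = None
    h = BSD_HDR.match(text)
    if h:
        host, text = h.group("host"), text[h.end():]
    topics, _, msg = text.partition(" ")
    return {"facility": facility, "severity": severity, "host": host,
            "topics": topics.split(","), "msg": msg, "body": text}


def route(sender_ip: str, datagram: bytes, now: datetime,
          allowed_ip: str = MIKROTIK_IP, log_dir: Path = LOG_DIR):
    """The log path: drop anything not from the router (filter host()); otherwise
    return (file path, line) shaped like the commented-out template
    ${HOUR}:${MIN}:${SEC} ${HOST} ${MSG}. Like syslog-ng, ${HOST} falls back to
    the sender address when the message carries no hostname."""
    if sender_ip != allowed_ip:
        return None
    rec = parse_syslog(datagram)
    path = log_dir / f"mikrotik.{now:%Y.%m.%d}.log"
    line = f"{now:%H:%M:%S} {rec['host'] or sender_ip} {rec['body']}\n"
    return path, line


def serve(port: int = LISTEN_PORT, log_dir: Path = LOG_DIR) -> None:
    """Receive loop: the equivalent of source s_net { udp(); } plus the log statement."""
    log_dir.mkdir(parents=True, exist_ok=True)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (ip, _) = sock.recvfrom(8192)
        routed = route(ip, data, datetime.now(), log_dir=log_dir)
        if routed:
            path, line = routed
            with path.open("a", encoding="utf-8") as fh:
                fh.write(line)


if __name__ == "__main__":
    # Constructed datagrams (not captured from a real router) showing the filter at work
    samples = [
        (MIKROTIK_IP, b"<30>system,info,account user admin logged in from 192.168.100.50 via winbox"),
        ("192.168.100.77", b"<30>system,info not the router, so it is dropped"),
    ]
    for ip, data in samples:
        print(ip, "->", route(ip, data, datetime.now(), log_dir=Path("/tmp/mikrotik-demo")))
    # serve(5514, Path("/tmp/mikrotik-demo"))  # unprivileged test listener; point the router at port 5514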


DONE !


LOG ROTATE !

Now that we have added a new log file to the system, it is crucial to configure log rotation to move or delete older logs; otherwise they may fill the disk quickly on a heavily used production system.

To add log rotation, edit the logrotate configuration file for syslog-ng:

nano /etc/logrotate.d/syslog-ng

and add the following at the start or before the end. This will rotate the log files on a daily basis and compress the previous day's file, which is useful if you receive heavy logs from the devices.

/var/log/mikrotik/*.log {
    daily
    rotate 90
    missingok
    compress
    notifempty
    sharedscripts
    postrotate
        /etc/init.d/syslog-ng restart
        # or reload instead of restarting: invoke-rc.d syslog-ng reload > /dev/null
    endscript
}

Save & Exit, and restart the syslog-ng service:

service syslog-ng restart

Explanation of the above configuration:

  • daily: the rotation of the MikroTik logs in /var/log/mikrotik will be done on a daily basis. This value describes the interval of rotation.
  • rotate 90: logrotate will keep 90 rotated log files [number of files].
  • compress: rotated log files will be compressed using the gzip format.
  • missingok: a missing log file is not treated as an error, so rotation does not halt.
  • notifempty: the log file will not be rotated if it is empty.

The 'size' parameter is also a very important setting if you want to control the size of the logs on a heavy production server.

A configuration setting of around 50 MB would look like:

size 50M

Note that if both size and a rotation interval are set, then size overrides the interval parameter.


TIP: Log file name with Year-Date

If we want syslog-ng to store the MikroTik log in a file named with the year, month and day, use the ${YEAR}, ${MONTH} and ${DAY} macros in the destination file name, as in the following configuration.

Example Config

# MIKROTIK ###########
# Filter: keep only messages coming from the MikroTik router
filter f_mikrotik { host("192.168.100.2"); };
# Destination: one file per day in /var/log/mikrotik
#destination df_mikrotik { file("/var/log/mikrotik.log"); };
destination df_mikrotik {
    file("/var/log/mikrotik/mikrotik.${YEAR}.${MONTH}.${DAY}.log"
    # template("${HOUR}:${MIN}:${SEC} ${HOST} ${MSG}\n")
    template-escape(no));
};
log { source(s_net); filter(f_mikrotik); destination(df_mikrotik); };


Change SYSLOG Log Rotation Time

By default logrotate starts at 6:47 in the morning. To change it to run at midnight, edit the file

/etc/crontab

and change the cron.daily line to the following:

0 0     * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

This will run it at midnight. 🙂 Note the test -x /usr/sbin/anacron part: if anacron is installed, this line hands the daily jobs over to anacron, which runs them on its own schedule, so the new time only takes effect on systems without anacron.


DELETE LOG FILES WITH ZERO SIZE

You may need this ; )

find /var/log/mikrotik/ -name 'mikrotik*' -type f -size 0 -print0 | xargs -0 -r rm -f

DELETE LOG FILES OLDER THAN 90 DAYS

This one too ; )

find /var/log/mikrotik/ -daystart -mtime +90 -type f -exec rm -f {} \;

Or better to use complete script as defined here.
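As an added example that is not part of the original post, the same two clean-up rules in Python, with a dry run before anything is deleted. It reproduces find's -daystart -mtime +N arithmetic exactly: the age is counted in whole days from today's midnight, so "+90" removes a file only once it is 91 full days old, which is the boundary that usually surprises people. The directory layout and the 'mikrotik' file prefix are the post's; the sample files in the usage below are constructed.

```python
"""Retention sweep matching the two find commands above (added example).
find -size 0           -> zero-byte files
find -daystart -mtime +N -> files whose whole-day age from today's midnight exceeds N"""
import os
from datetime import datetime, timedelta
from pathlib import Path


def stale_logs(log_dir, max_age_days=90, now=None, prefix="mikrotik"):
    """Return (empty, expired) as two lists of Path objects.
    find's rule: floor((midnight - mtime) / 1 day) > N  <=>  mtime <= midnight - (N + 1) days."""
    now = now or datetime.now()
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)   # -daystart
    cutoff = (midnight - timedelta(days=max_age_days + 1)).timestamp()
    empty, expired = [], []
    for p in sorted(Path(log_dir).iterdir()):
        if not p.is_file() or not p.name.startswith(prefix):
            continue                              # -type f -name 'mikrotik*'
        st = p.stat()
        if st.st_size == 0:
            empty.append(p)                       # -size 0
        elif st.st_mtime <= cutoff:
            expired.append(p)                     # -daystart -mtime +N
    return empty, expired


def sweep(log_dir, max_age_days=90, dry_run=True, now=None):
    """Delete the stale files, or with dry_run=True only list them; returns their paths."""
    empty, expired = stale_logs(log_dir, max_age_days, now)
    victims = empty + expired
    for p in victims:
        if dry_run:
            print("would remove", p)
        else:
            p.unlink()
    return [str(p) for p in victims]


if __name__ == "__main__":
    # Constructed demo directory: two old files, one at the 90-day boundary, one empty
    demo = Path("/tmp/mikrotik-retention-demo")
    demo.mkdir(exist_ok=True)
    today = datetime.now()
    for name, age_days, text in [("mikrotik.old.log", 135, "x"), ("mikrotik.boundary.log", 90, "x"),
                                 ("mikrotik.expired.log", 91, "x"), ("mikrotik.empty.log", 0, "")]:
        f = demo / name
        f.write_text(text)
        when = (today - timedelta(days=age_days)).timestamp()
        os.utime(f, (when, when))
    print(sweep(demo, 90, dry_run=True))     # lists empty, old and expired; keeps boundary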


Take Care

Regard’s
Syed Jahanzaib


28 Comments »

  1. I do that but get an error
    root@Squid:~# apt-get install syslogd
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    Package syslogd is a virtual package provided by:
    sysklogd 1.5-6ubuntu1
    busybox-syslogd 1:1.18.4-2ubuntu2
    You should explicitly select one to install.

    E: Package ‘syslogd’ has no installation candidate
    ??????


    Comment by Ma7mod — April 18, 2012 @ 10:37 AM

  2. I can't get logs from MK v5.5. My syslog server is installed on CentOS 5.5.

    Syslog server configuration info:-
    #yum install syslog* -y.
    #vim /etc/syslog.conf
    ###########syslog################
    !*
    +192.168.1.1 ### MK IP ###
    local0.* /var/log/mt.log

    #vim /var/log/mt.log
    #chmod 700 /var/log/mt.log
    #/etc/init.d/syslog restart
    #chkconfig syslog on

    but I get no result in /var/log/mt.log


    Comment by imran — September 27, 2012 @ 10:51 AM

  3. I configured a syslog server on Ubuntu 12.04.1 LTS, but still I can't get any logs on the syslog server. What parameter should I check?


    Comment by imran — October 14, 2012 @ 2:11 PM

  4. Nice write up. How can I set up a central Ubuntu syslog server that will accept incoming ‘logs’ from remote Mikrotiks that could potentially be at any IP address? I’m good on the Mikrotik side but am lost at how to set up syslog.conf to accept the incoming logs. Any tips?


    Comment by jimstolz76 (@jimstolz76) — November 30, 2012 @ 4:51 AM

  5. COOL! Thank a lot!!


    Comment by Jenk Za — December 4, 2012 @ 2:01 PM

  6. Someone made a fake Facebook ID on my network. How can I recognize the IP address from which it was logged in/created? The fake ID is making great trouble for our family.


    Comment by Qamar — July 23, 2013 @ 10:50 AM

    • It's really hard to track such activity, especially if your clients are using a private IP scheme. How will you track which Facebook ID was created on which date? It would be like searching for a needle in the sea. Go through all the logs you have, see which clients have logged into the Facebook registration URL, and make blind guesses, but still it's very, very hard.


      Comment by Syed Jahanzaib / Pinochio~:) — July 25, 2013 @ 7:54 AM

  7. Dear Sir,
    I tried a lot but all in vain … below is my configuration of MikroTik and Ubuntu

    system logging action print
    Flags: * – default
    # NAME TARGET REMOTE
    0 * memory memory
    1 * disk disk
    2 * echo echo
    3 * remote remote 27.116.59.60
    [bb@MikroTik] > system logging print
    Flags: X – disabled, I – invalid, * – default
    # TOPICS ACTION PREFIX
    0 * info memory
    1 * error memory
    2 * warning memory
    3 * critical echo
    4 !async remote
    ========================================
    I have added these lines at the end

    !*
    +180.94.86.214
    local0.* /var/log/mt.log


    Comment by Muammad Kazim — January 4, 2014 @ 4:07 PM

  8. Thanks for nice article.
    Could you please give us idea how to log user’s activity (url visited) with username (hotspot user with radius accounting) along with IP address?
    Best regards


    Comment by Inder P. MEEL — February 7, 2014 @ 6:36 PM

  9. Dear Sir,
    I found your articles extremely useful.
    I want to know: is it possible to log MikroTik hotspot (without proxy) users' URL visit activity (like sarg) and data transferred?
    I created the syslog setup as per your article, but it doesn't log the username (it only logs the IP address).
    Best regards.
    Inder P. MEEL


    Comment by Inder P. MEEL — February 11, 2014 @ 9:34 AM

  10. Thank you..


    Comment by chris — June 10, 2014 @ 4:00 PM

  11. Dear Friends,

    which syslog server is best????????


    Comment by bharat — August 7, 2015 @ 8:20 AM

  12. Hey sir, you missed the "k" in "apt-get install syslogd", so you can change it to "apt-get install sysklogd"


    Comment by Joko Fani Andrinto — December 21, 2015 @ 11:28 AM

  13. Hi, thanks for the tutorial. Can you advise any way to segregate logs like the access log and browsing log into different file names?


    Comment by Sankar — August 15, 2016 @ 1:19 PM

  14. Hi Sir,

    Is there any way to record the connections (TCP/UDP) established by broadband users to a Linux server for ISP records?


    Comment by Pawandeep Singh Behgal — September 5, 2016 @ 9:52 PM

  15. Dear Sir, I want to view Internet users' complete history of web site searches, downloading and uploading, as a log view and reporting. Please help me.


    Comment by Imran Ali — March 9, 2017 @ 12:09 PM

  16. Dear Sir, I am using MikroTik 5.20 on a PC and I want to view Internet users' complete history of web site searches, downloading
    and uploading, as a log view and reporting. Please help me.


    Comment by Imran Ali — March 9, 2017 @ 12:11 PM

    • You can use Squid proxy as an add-on to route HTTP traffic to Squid, which can keep the user logs itself.
      OR enable the web proxy in MikroTik, then send its log to the remote syslog server.

      But there is no simple way of searching in such scenarios.


      Comment by Syed Jahanzaib / Pinochio~:) — March 10, 2017 @ 8:19 AM

