Syed Jahanzaib Personal Blog to Share Knowledge !

November 29, 2011

Howto Save Mikrotik/Cisco Logs to Remote SYSLOG Server


Part # 1 – Howto Save Mikrotik/Cisco Logs to Remote SYSLOG Server << You are here

Part # 2 – Centralized Syslog-ng logging to MySql DB

First Published Date: Nov 29, 2011 @ 11:58
Last Modified : Nov 9, 2017

In some situations, you may want to save your mikrotik router or CISCO switches logs (or web proxy logs) for record / tracking purpose regarding Mikrotik activity. In most countries it is required by the law as well to keep record of users public IP assignment, like when you will apply for LICENSE, it is required to have such record at your disposal. Its much better from management point of view to intercept mikrotik info using external Linux base logs server.

This post demonstrate how to send Mikrotik logs to remote Ubuntu/Linux base syslog server. We will use SYSLOG-NG package in this example.

SYSLOG Server  =   [OS > Ubuntu 12.4 32 bit] 
Mikrotik Server =

First We will configure Mikrotik section


In Mikrotik, Open Terminal & paste the following.

/system logging action
set 0 memory-lines=100
set 1 disk-file-count=30 disk-file-name=MT-log-zaib disk-lines-per-file=500
set 3 remote=
# is the remote syslog-ng server we will configure in second step.

# Now we will add few topics that we want to be stored in syslog server.zaib
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning

[Note: is Linux syslog server ip, Change this ip to match your remote syslog server ip. You can modify the topics as per your requirement, just an example below]



That’s it for Mikrotik 🙂 Now moving to Linux Section, in this example I used Ubuntu 12.4 You can use any other flavor of your choice.


First we have to install the syslog server. In this example we are using syslog-ng log server.

Install syslog-ng package by

apt-get install syslog-ng
sudo apt-get install syslog-ng-mod-redis
sudo apt-get install libboost-system-dev libboost-thread-dev libboost-regex-dev
sudo apt-get install libmongo-client0
sudo apt-get install libesmtp6

After installation, edit its configuration file available in /etc/syslog-ng.conf

Use the following command to edit config file.

nano /etc/syslog-ng/syslog-ng.conf

Now paste following lines before SOURCES section.

# Accept connection on UDP
source s_net { udp (); };

# MIKROTIK ###########
# Add Filter to add our mikroti
filter f_mikrotik { host( "" ); };
# Add destination file where logs will be stored
#destination df_mikrotik { file("/var/log/mikrotik.log"); };
log { source ( s_net ); filter( f_mikrotik ); destination ( df_mikrotik ); };
destination df_mikrotik {

As shown below …


Now Save & Exit.


  • Create ‘mikrotik‘ folder in /var/log and file also, so that mikrotik logs will be saved in separate file.
mkdir /var/log/mikrotik

Restart the syslog-ng service to apply changes

service syslog-ng restart

Monitoring the LOGS

Now check the file name in /var/log/mikrotik and monitor it by tail command

tail -f /var/log/mikrotik/mikrotik.log

At mikrotik , perform any action, for example open ‘New Terminal‘ OR try to add any new rule, you will see its logs in the tail output.

For example.




As we have successfully managed to add the new log file to the system, it is crucial that we must configure log rotation to move / delete older logs otherwise it may fill the disk quickly if its heavily used production system.

To add log rotation edit the syslog-ng configuration file.

nano /etc/logrotate.d/syslog-ng

and add following in the start or before end . . . .

[This will rotate log files on daily basis, it will compress the last day log file. useful if you have receive some heavy logs from the devices.

/var/log//mikrotik/*.log {
 rotate 90
 /etc/init.d/syslog-ng restart
# invoke-rc.d syslog-ng reload > /dev/null

Save & Exit. and reload the syslog-ng service

service syslog-ng restart

Explanation of above code.

  • daily the logrotation for mikrotik log in /var/log/mikrotik/mikrotik.log file will be don eon daily basis. this value describes the interval of rotation
  • rotate 90 means syslog will keep 90 log file. [number of files]
  • compress log file will be compressed using the gzip format
  • missingok avoids halting on any error
  • notifempty will not rotate log file if its empty

size‘ parameter is  also very important setting if you want to control the sizing of the logs for heavy production server.

A configuration setting of around 50 MB would look like:

size 50M

Note that If both size and rotation interval are set, then size will override rotation parameter

TIP: Log file name with Year-Date

If we want syslog to store mikrotik file in daily date year format file, then use

Example Config

# MIKROTIK ###########
# Add Filter to add our mikrotik
filter f_mikrotik { host( "" ); };
# Add destination file where logs will be stored
#destination df_mikrotik { file("/var/log/mikrotik.log"); };
log { source ( s_net ); filter( f_mikrotik ); destination ( df_mikrotik ); };
destination df_mikrotik {
# template("${HOUR}:${MIN}:${SEC} ${HOST} ${MSG} ${MSG}\n")


Change SYSLOG Log Rotation Time

By default log.rotate starts at 6:47am in the morning. To change it to run in midnight, edit file


and change the cron.daily line to following

0 0     * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

This will run it in mid night. 🙂


You may need this ; )

find /var/log/mikrotik/ -name 'mikrotik*' -size 0 -print0 | xargs -0 rm


This one too ; )

find /var/log/mikrotik/* -daystart -mtime +90-type f -exec rm {} \;

Or better to use complete script as defined here.

Centralized log server to store multiple devices logs

Updated: 9-NOV-2017

In a situation where you want to have centralized log server to log multiple devices logs with separate files, you can use following..

# MIKROTIK ###########
# Accept connection on UDP
source s_net { udp (); };
# Add Filter to add our mikroti
filter f_mikrotik { host( "" ); };
filter f_mikrotik2 { host( "" ); };
filter f_ciscoswnoc { host( "" ); };
filter f_ciscosw2 { host( "" ); };
# Add destination file where logs will be stored, for each host
destination d_mikrotik { file("/var/log/mikrotik/$HOST.mikrotik.${YEAR}.${MONTH}.${DAY}.log"); };
destination d_mikrotik2 { file("/var/log/mikrotik/$HOST.mikrotik.${YEAR}.${MONTH}.${DAY}.log"); };
destination d_ciscoswnoc { file("/var/log/mikrotik/$HOST.ciscosw.${YEAR}.${MONTH}.${DAY}.log"); };
destination d_ciscosw2 { file("/var/log/mikrotik/$HOST.ciscosw.${YEAR}.${MONTH}.${DAY}.log"); };
log { source(s_net); filter(f_mikrotik); destination(d_mikrotik); };
log { source(s_net); filter(f_mikrotik2); destination(d_mikrotik2); };
log { source(s_net); filter(f_ciscoswnoc); destination(d_ciscoswnoc); };
log { source(s_net); filter(f_ciscosw2); destination(d_ciscosw2); };

Make sure to restart syslog-ng server

service syslog-ng restart


Salam Alykum

Syed Jahanzaib


%d bloggers like this: