Syed Jahanzaib Personal Blog to Share Knowledge !

November 29, 2011

Howto Save Mikrotik Logs to Remote SYSLOG Server



First Published Date: Nov 29, 2011 @ 11:58
Revision Date : May 15, 2016 @ 1300 hours


In some situations you may want to keep your Mikrotik router logs (or web proxy logs) for record-keeping and tracking of Mikrotik activity. In most countries the law also requires keeping a record of which public IP was assigned to which user; for example, when you apply for a LICENSE you are expected to have such records at your disposal. From a management point of view it is much better to collect Mikrotik log information on an external Linux-based log server.

This post demonstrates how to send Mikrotik logs to a remote Ubuntu/Linux-based syslog server. We will use the SYSLOG-NG package in this example.

Mikrotik Server = 192.168.100.2
SYSLOG Server  =  192.168.100.1

First we will configure the Mikrotik side.


# MIKROTIK CONFIGURATION

In Mikrotik, open a Terminal and paste the following.

/system logging action
set 0 memory-lines=100
set 1 disk-file-count=30 disk-file-name=MT-log-zaib disk-lines-per-file=500
# Action 3 is the built-in "remote" action; point it at the syslog-ng server.
set 3 remote=192.168.100.1
# 192.168.100.1 is the remote syslog-ng server we will configure in the second step.

# Now we add the topics that we want to be sent to the syslog server.
/system logging
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning

[Note: 192.168.100.1 is the Linux syslog server IP; change it to match your own remote syslog server IP. You can modify the topics as per your requirements; the list above is just an example.]


That’s it for Mikrotik :) Now moving to the Linux section. In this example I used Ubuntu 12.04; you can use any other flavor of your choice.


# UBUNTU 12.04 CONFIGURATION

First we have to install the syslog server. In this example we are using the syslog-ng log server.

Install the syslog-ng package with:

apt-get install syslog-ng

After installation, edit its configuration file, /etc/syslog-ng/syslog-ng.conf.

Use the following command to edit the config file:

nano /etc/syslog-ng/syslog-ng.conf

Now paste the following lines before the SOURCES section.

##
# Accept syslog messages on UDP (port 514 by default)
source s_net { udp (); };

# Filter that matches only messages coming from our Mikrotik router
filter f_mikrotik { host( "192.168.100.2" ); };

# Destination file where the Mikrotik logs will be stored
destination df_mikrotik { file("/var/log/mikrotik/mikrotik.log"); };
log { source ( s_net ); filter( f_mikrotik ); destination ( df_mikrotik ); };
##

As shown below:

[Screenshot: syslog-ng config file with the lines above added]

Now Save & Exit.


IMPORTANT:

  • Create the ‘mikrotik‘ folder in /var/log, and the log file inside it, so that Mikrotik logs are saved in a separate file.

mkdir /var/log/mikrotik
touch /var/log/mikrotik/mikrotik.log

Restart the syslog-ng service to apply the changes:

service syslog-ng restart

Monitoring the LOGS

Now monitor the newly created file with the following command:

tail -f /var/log/mikrotik/mikrotik.log


At the Mikrotik, perform any action, for example open ‘New Terminal‘ or try to add a new rule, and you will see its log entries in the tail output.

For example:

[Screenshot: Mikrotik log entries appearing in the tail output]
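As an added example (not part of the original post), a small Python script that reads the file produced by this setup and reports which of the four configured topics have actually arrived, which lines carry account events, and which lines came from a host other than the router. The line layout it assumes and the sample lines it parses are constructed here, not taken from the post; check the layout against your own mikrotik.log before relying on it.

```python
import re
from collections import Counter

# From the setup above: the router's address and the topics sent with action=remote.
MIKROTIK_HOST = "192.168.100.2"
CONFIGURED_TOPICS = {"critical", "error", "info", "warning"}

# Assumed line layout (syslog-ng default file template + RouterOS "topic,topic message").
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d "
    r"(?P<host>\S+) (?P<topics>[a-z]+(?:,[a-z]+)*):? (?P<msg>.*)$"
)

# Constructed sample, not real router output.
SAMPLE_LOG = """\
Nov 29 11:58:01 192.168.100.2 system,info,account user admin logged in from 192.168.100.10 via winbox
Nov 29 11:58:07 192.168.100.2 system,error,critical login failure for user admin from 192.168.100.77 via ssh
Nov 29 11:58:09 192.168.100.2 firewall,info input: in:ether1 out:(none), proto TCP (SYN), 203.0.113.5:51234->192.168.100.2:22, len 60
Nov 29 11:59:00 10.9.9.9 system,info,account user admin logged in from 10.9.9.9 via ssh
this line does not follow the expected layout
"""


def parse_line(line):
    """Return (host, [topics], msg) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return (m.group("host"), m.group("topics").split(","), m.group("msg")) if m else None


def summarize(text, expected_host=MIKROTIK_HOST):
    """Per-topic counts from the router, configured topics never seen, account
    events, lines from any other host (UDP syslog is unauthenticated, so the
    host() filter is the only thing selecting them), and unparsed lines."""
    topics, account_events, other_hosts, unparsed = Counter(), [], [], 0
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1
            continue
        host, line_topics, msg = parsed
        if host != expected_host:
            other_hosts.append((host, msg))
            continue
        topics.update(line_topics)
        if "account" in line_topics:
            account_events.append(msg)
    return {"topics": topics, "missing": sorted(CONFIGURED_TOPICS - set(topics)),
            "account_events": account_events, "other_hosts": other_hosts,
            "unparsed": unparsed}
```

Run it against the real file with `summarize(open("/var/log/mikrotik/mikrotik.log").read())`; a non-empty "missing" list means that topic has not produced a single message yet, and "other_hosts" should stay empty.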

DONE !


LOG ROTATE !

As we have successfully added the new log file to the system, it is crucial to configure log rotation to move or delete older logs; otherwise they may fill the disk quickly on a heavily used production system.

To add log rotation, edit the logrotate configuration file for syslog-ng:

nano /etc/logrotate.d/syslog-ng

and add the following at the end:


/var/log/mikrotik/mikrotik.log {
    rotate 7
    daily
    missingok
    notifempty
    compress
    # Make syslog-ng reopen the file after rotation; without this it keeps
    # writing to the renamed (and soon compressed) old file.
    postrotate
        invoke-rc.d syslog-ng reload > /dev/null
    endscript
}

Save & Exit, and restart the syslog-ng service:

service syslog-ng restart

Take Care

Regard’s
Syed Jahanzaib
