MikroTik

Jotne

Lets say that you have a web server (443) and RDP (3389) open to all internett. If some one with bad intention has a script that tests various ports, and if open ports are found trying to breake inn, this script for sure helps. When the hackers script test port 10000 for any reason, he will be block...

Jotne

Or any external tools Syslog/SNMP

See my signature

Jotne

Then start responding to what you are asked for to supply.

Jotne

You do not get it????

To find a specific User in the User Profile, you need to have some search criteria that you fail to post.
Time to close thread.

Jotne

No I understand what you asks for :) I do use a simple setup with one pool pr each vlan. What I would say most do. IP you see after the scope is the host IP. The reason for having it there is that if you have two routers with both have same pool name (default setup), Splunk would mix each scope toge...

Jotne

@7sergeynazarov7
Contact MikroTik and they will help out.
support@mikrotik.com

Jotne

1. I do see you get Duplicate Values under host. This may be that you did change name on one device ore have multiple host with same name. Install Lookup Editor in Splunk if you do not already have done. Got to Apps -> Lookup Editor, select device_kvstore and open it. Remove the duplicate line. 2. T...

Jotne

What is "WISP Setup"?

https://en.wikipedia.org/wiki/Wireless_ ... e_provider

Jotne

Tarpit will cost more time and resources for the attacker.
You do not need this part.

A quick google search
https://en.wikipedia.org/wiki/Tarpit_(networking)
https://www.mtin.net/blog/use-tarpit-vs ... attackers/

Jotne

Its you that search for a solution, but you can not tell me what you want. I do not ask for help.
More strange request I have never seen.............

Jotne

What do you not understand.

You like to find a USER.....
What are the criteria for finding the one, 1 user from all the other users????????????????????
Hi is big/fat/thin green/red ......

Jotne

To find something you need some to search for. Like comments, sittings, part of name.

I would like to find the user that has x y z.......

Jotne

Are this true?

This needs to be the last two filter rules.

Jotne

Please use resource on getting a long term 7.x version. As it is now there are new 7.x train every week, but not may bug fixes for current train.
Latest releases that should be followed up
7.1.5 - 22 Mars 2022 (maybe 7.1.6 LT next)
7.2.3 - 2 May 2022
7.3.1 - 9 Juni 2022
7.4.0 - 19 Juli 2022

Jotne

If you add a nat rule to port 443 (https), you do not need an explicit filter rule, but I do have it. And if you have a filter rule, it must be before the rule that starts to block stuff. Filter rule: add action=accept chain=forward dst-port=443 in-interface=ether1 log=yes log-prefix=FI_A_HTTPS prot...

Jotne

And then I still do not understand what you need. Gives up.

Jotne

This is just simple basic MiroTik scripting. If that is what you need, you should start learning scripting before you make scripts. You can past this to terminal ans see whats result of it # Get all ID for all user and loop trough one and one :foreach id in=[/ip hotspot user profile find] do={ # Get...

Jotne

anyway where's the new testing release?

As usual, under development.
Or MT workers may have vacation.

Jotne

How do you like to find a single user, what is the unique input you have to find the user.

Example. You have a dns name like forum,mikrotik.com. This can be used to find one unique IP 159.148.147.239
Also what do you like to do with that user when its found.

Jotne

I have tested it on bot 7.2.3 and 7.4 without any problem. What do you see when you cut and past this to terminal. { :local CmdHistory true # Get detailed command history RouterOS >= v7 # ---------------------------------- :if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and $CmdHistory)...

Jotne

I have given up. Does not understand what you want. Every time I ask, you reply with more or less the same.
Since no other has answered, I gess no other understand as well.

Jotne

Or you can use an FTP server that automatically make the directory if its missing and the user has create directory permission.

Jotne

From the manual Reserved variable names All built in RouterOS properties are reserved variables. Variables which will be defined the same as the RouterOS built in properties can cause errors. To avoid such errors, use custom designations. For example, following script will not work: { :local type &q...

Jotne

Not an answer to your question, but som script cleaning. Removed outer {} that is not needed. Removed all ; at end of line. Only needed between multiple commands on same line. You did have it on some line, not all. Removed :set verifySSL "yes". You can set ut while declare the variable. :d...

Jotne

What is the previous command?

Post a flow diagram or complete code. This is very unclear and you only repeat your self.

Jotne

So you want to find User Profile with name XXXX and then change its name to something else?

Jotne

Still unclear. The command you have now, will give you the mac-cookie-timeout for the user-profile XXXX What name do you like ( the name XXXX ?) to be stored where. I have a USER PROFILE with the name "XXXX" and I want that name VVVV<-------------| that here points to "XXXX", tha...

Jotne

Copy what to where?

Jotne

Simply open the backup with "notepad"

I have never thought about that

Notepad++ is a must have tool.

Jotne

Not tested, but this may work?

https://github.com/BigNerd95/RouterOS-Backup-Tools

Jotne

If you for some reason need to auto upgrade using a script, them make the script check an external web server if a flag is set. Flag says no, do not upgrade, if flag says yes, then script can upgrade. This to make sure it does not upgrade before you let it do it. Before you upgrade, test all your di...

Jotne

I would like to see 7.3.2. As it is know it seems to be a rush to release new main version.
Need a 7.x long term version.

Jotne

Did enter same situation. Someone was not able to go to my webserver and after some investigation we see that he tried IPv6, that I have disabled 2 years ago. A lookup of DNS to google and other did show both IPv4 and IPv6 ip for my Cloud name. Just disable DDNS in cloud and enable it again did reso...

Jotne

You can not easily read the creation time "jul/19/2022 22:37:42" and compare with something. This has been discussed for many many years. I did hope with v7.x that MikroTik would use a standard time format. For example EPOCH time. Here are some help to do that. https://forum.mikrotik.com/...

Jotne

This sript moves static IP that has more than 100 days of no use. You can see have I calculate days to get an idea on how to use it. # Created Jotne 2021 v1.0 # Remove all static DHCP and corresponding DNS leases more than 100 week old :local counter 0 /ip dhcp-server lease :foreach id in=[find wher...

Jotne

Here is a script that I do use. If an IP are found in access list "Whitelist_IP" and also fond in access list "Block_list", remove it from "Block_list" Then send a pushbullet message to my phone. (Can be any type of message, logging, email, telegram etc) # Remove ip fro...

Jotne

Have you looked at Kid control? For me it gives more or less the same as I did get from accounting.

Jotne

As far as I know, you can not make custom OID. I do use Syslog to send whatever data you like to monitor from the Router to Splunk instead of using SNMP

Jotne

Do a search before asking.

viewtopic.php?t=157059

Jotne

Adding ports to a Bridge, just make them able to talk together. Bridge will act just a switch and switch data from one port to another port. As akakua points out, you need to look at bonding. That will make multiple interface act as one big line. But there are various types of bonding, look at linke...

Jotne

Save up time in an global variable, then when going down calculate the difference in time.

Or you can use Splunk like I do and see it graphically:
viewtopic.php?p=888800#p888800

Jotne

If your try to upload a file to a FTP server and the file do already exist (on the FTP server), you will get an error if user do not have delete access.

Jotne

@k6ccc
Instead of hardcode subject name, you can make a dynamic name, based on serial, identity etc.

See backup script to gmail here:
viewtopic.php?t=183631

Jotne

I was looking at this as well.
My goal was to read a global variable from the router using SNMP directly, but there seems to not be any OID to do that.
And even better if you could set a global variable on the router using write SNMP.

Jotne

Why?

You should add picture to the post. Edit post and click Attachments.

Jotne

Look at this post:
viewtopic.php?t=102375
It shows how to loop through a text string from start to end (len of string)

Then you need to make some logic to extract one and one number.

Jotne

Working on hAP ac^2 :) You need to specify i for integer. And 1 is up and 2 is down. snmpwalk -v2c -c public 192.168.1.14 1.3.6.1.2.1.2.2.1.7 IF-MIB::ifAdminStatus.1 = INTEGER: up(1) IF-MIB::ifAdminStatus.2 = INTEGER: up(1) IF-MIB::ifAdminStatus.3 = INTEGER: up(1) IF-MIB::ifAdminStatus.4 = INTEGER: ...

Jotne

but this computer is the only one in the router's network, I connect to it via RDP. Since this is your computer, reinstall it. You do not now what other problems you will get with it, since its already are infected. To reach inn to your network wit RDP, you should use VPN from your external device....

Jotne

viewtopic.php?p=890747#p890747

Jotne

You need to open all port you like to use in port knocking on the front router to reach your MikroTik router.

Jotne

From this page: https://help.mikrotik.com/docs/display/ROS/ZeroTier MikroTik has added ZeroTier to RouterOS v7.x as a separate package for the ARM/ARM64 architecture. (only) So look at this page: https://mikrotik.com/products/matrix And you see RB3011 ARM 32bit RB2011 MIPSBE And you need to download...

Jotne

Is it not in a more standard format? It would help if you post more real example. Not sure if there is a quick fix. You can loop trough one and one character in the string, test if its a number, if yes, save it and start a counter. If then 10 number are found one after one, then this is the phone nu...

Jotne

Please stay on topic. Deleting offtopic now

OK, but what is the answer to my question. You do say that every new change log do show all added stuff since main release. My post clearly that what is sad, does not add up.

Jotne

Nothing is added twice. BETA releases always include ALL changes since last non-BETA. This is how it's always been. The reason is that when 7.4 will be released, it will have all changes from last stable Not true at all. How do you then explain that change log for beta2 is much larger than beta4 an...

Jotne

Demo2 does work, but asks me to change password.

If you like to try RouterOS, just download an ISO file and install it to an PC or VmWare. Or what many other does, download EVE-NG and install RoterOS there. (all free)
Then you can test and learn it.

Jotne

Why there is not a long-term on v7? if i upgraded my router from 6.48.6 long term to 7.3.1, Is there any problem that effect user-manger and hotspot It will be ready when its ready. What you can do is to test the 7.3.1 on a equal router as you have and see if all function works as expected, then yo...

Jotne

NB. If you upgrade Splunk to 9.0, you will get some warnings. I have locked at them, and there are no big error.
It will be fixed in next version of MikroTik app for Splunk

Jotne

You do not need two script. Use same script for both up/down and then use the status variable to see if its up/down as I already posted above: https://forum.mikrotik.com/viewtopic.php?p=888800#p888800 Any reason for using global variable in the script? Use local variable if you do not intend to stor...

Jotne

See example where host and other variable are used to use same script for up/down logging here:
viewtopic.php?p=888800#p888800

Jotne

The logging format problem hs been an issue for many many years and Mirkotik are not willing to fix it. Look at this thread form 2014, nothing has change for 7 years?????? https://forum.mikrotik.com/viewtopic.php?t=85015 MT do recommend store the logs on to an syslog server. I now this worsk, since ...

Jotne

A quick search:
viewtopic.php?t=77628

Jotne

Perhaps you did not know what I mean when a user uses the Internet via a username and password by the netshareapp program on his phone that redistributes the Internet. I can do the same with any router. Use wifi and connect it to your network. Add one or more PC on the inside of the router. Use pc ...

Jotne

How can you prevent that I do use my user name and password on a router (mikrotik) that is setup with NAT. You will then se only one mac and there can many user behind that mac.

Jotne

I do use same script for both up and down in netwatch.
viewtopic.php?p=888800#p888800

You can just change :log to telegram

Jotne

True.

But if you use Winbox from internet, hacker can do as well. (due to bug)
So use VPN if you need remote admin.

Jotne

I do agree that it may be wrong. Updated to this:

caps,(?:info|debug).*?: (?<ap>[^:]+): selected channel (?<frequency>\d+)\/(?<widt>\d+)?-?(?<extensionChannel>\w+)\/(?<standard>[^\/]+)\/\S+\((?<dBm>\d+)dBm

Jotne

You should never use internal ID in script. They changes all the time.

Some like this should do.

:local health [/system health get [find name="psu2-voltage"]]

Jotne

You are correct. Found this.

What's new in 6.34 (2016-Jan-29 10:25):

*) mipsle - architecture support dropped (last fully supported version 6.32.x);

Its time to upgrade some hardware.

Jotne

You should upgrade to latest long term release. Older version has a flaw that make hacker can take control of your router.

Jotne

Do you say that the reges is not correct? When I test regex: caps,(?:info|debug).*?: (?<ap>[^:]+): selected channel (?<frequency>\d+)\/(?<widt>\d+)?-?(?<extensionChannel>\w+)\/(?<standard>[^\(]+)\((?<dBm>\d+)dBm On this data caps,info MikroTik: AP 2 - 5GHz: selected channel 5680/20-eeCe/ac/DP(27dBm)...

Jotne

What is ASK? as in "I ask you some"
Maybe edit the thread with some better subject.

Jotne

Test it on another router with default config. If you do not have another router to test on, download and install EVE NG and make a virtual router there. It 100% free.

Jotne

As I posted above:

 /system logging export verbose

Jotne

Problem is that OP does not see anything in the log :) Buts a smart log ide rextended: :log info $cnt; :set cnt ($cnt + 1) But if this hits loop and hops, it will not match line number so can be some hard to track back to where it stopped. I tried to replace the :log info to :put and put all the scr...

Jotne

This may just be port tester. You can block IP trying to get inn if there are x number of failed attempts. (Solution found in this forum) I do use it. You can block all IP trying to use a port that is not open on your router, for example for 24 hours. This stops port scanners as soon as it hits firs...

Jotne

The problem is that it does not work at all in scenarios where the stored password is leaked. E.g. someone puts it in their RouterOS config and posts a /export show-sensitive somewhere by mistake, or there is some bug in some device (can be anything, not just a MikroTik router) that allows reading ...

Jotne

Then you have changed some log settings. I do get logs while running the script on 6.49.1 05:38:20 script,info Test if DNS exist, if not, the script stop with error 05:38:20 script,info Test passed 05:38:26 script,info DynuDDNS: dont need changes 05:38:41 script,info Test if DNS exist, if not, the s...

Jotne

Ask MT, they encourage the version should match as best practice. Either way, does it make sense to have firmware version 3.1 but ROS 7.3? It very very rarely contains fixes for already released products and that is why we do not believe that it is worth forcing this upgrade and making a ROS upgrad...

Jotne

Add all your lines between { } and change all :log info to :put The cut and past script to terminal to se what is going on. You will then get output in the terminal window instead in the logs. Some times I do add :put "1" :put "2" etc inn between lines to see what the path the sc...

Jotne

I do agree in that, but it would be better that firmware and RouterOS was just one thing, if it was to always upgrade both.

Jotne

Firmware version should always match RouterOS version, too many “admins” run on firmware version 3.1 and ROS v7 and complain about problems. Why? Do you have a change list for all the firmware version so you know what has been updated, and you can see that its needed? PS to any auto upgrade or upgr...

Jotne

viewtopic.php?p=937944#p937944

Jotne

I have not tested the script, but cleaned ut up: Removed not needed ; at end of some lines. Added TAB to make it easier to read. Change global to local variable. If you do not need to store the variable for later use or use it in other script, use local Removed " at end of script. It may break ...

Jotne

@Jotne: open a ticket as it's not a version-specific issue.

Have already done some years ago, and was told that they will look at it on a later release.
Posted a new support request. #[SUP-84077]

Jotne

Now with the new beta, please use some time to get the logging more uniform. Prefix mess: https://forum.mikrotik.com/viewtopic.php?t=124291 Timestamp should be in ISO 8601 format, not jun/02/2022 Events that may log more than one line should have the same ID. Example IPSec login. If many users logs ...

Jotne

I made a script for logging WireGuard using NetWatch, see here:

viewtopic.php?p=888800#p888800

Jotne

Its not an issue, its an feature request.

Jotne

Hi,
are there events which can be used to trigger scripts other than scheduled triggers?

Netwatch can also trigger scripts.
But in your case DHCP script are the path to take.

Jotne

All updated. But could you post a log line that this will match on? EXTRACT-mikrotik_caps-man_frequency = caps,(info|debug).*?: (?<ap>[^:]+): selected channel (?<frequency>\d+)\/(?<widt>\d+)?-?(?<extensionChannel>\w+)\/(?<standard>[^\(]+)\((?<dBm>\d+)dBm I do not have/use capsman, so any help is app...

Jotne

I was trying to avoid asking for a public static IP (because I thought I could work around it) but that might be the answer after all. You do not need a static IP, just a public ip, not the one see in your router 100.65.x.x that is private. If this is an larger ISP, I guess he will not help you and...

Jotne

Where do rmelin router come inn to play. Does it have 8291 port that you can access? You have confirmed that ISP does not block 8291 in their net. For test you can open port 8291, but should not be done for some in production. Use VPN. And I do hope you do not use 7.3rc1 in production as vell, Its n...

Jotne

@OP
Rmelin router is an router you test instead of Mikrotik?

Do you have an public IP on your router?
See output of:

/ip address print

To test if a port is open the easy way, you can go to:
https://canyouseeme.org/
and type in the port you are testing. Should respond with a green Success

Jotne

Good catch Sob @anav I guess it 6.47 100.64.0.0/10 100.64.0.0–100.127.255.255 #IP 4194304 Private network Shared address space[5] for communications between a service provider and its subscribers when using a carrier-grade NAT. With this IP (100.65.46.11) you are behind NAT out of your control, so y...

Jotne

DO NOT OPEN ADMIN INTRAFACE FROM INTERNET. EVEN FOR TEST Use VPN to administrate your device from remote location. If VPN can not be used, follow this list to make connection some more secure. 1. Use another port than default. 2. Use port knocking. This prevents someone from seeing open ports. 3. U...

Jotne

This we do as well, but you need 100% control of all clients connected to your net to do that. That would exclude all home net.

Jotne

Not possible.
User can just use DoH or VPN and bypass everything.

Jotne

If MikroTik ask me about only one feature to fix, then I answer in first place LOGGING. IPSec or wireless or vpn's have one very old problem. Please add some uniq id to each peer in IPSec, mac in wireless, id in vpn... because when I have e.g. 40x IPSec tunnel mode then understand what log line is ...

Jotne

No its not a simple delete commands for the logs. You can set the log size to 0 and back to 1000 to clean it. But you can store log id in your script and the and every time scripts run, only examine logs form the store id to the last id in the log. Since scripting and logging are limited in RouterOS...

Jotne

Please MikroTik, do not rename threads and post RC in its own thread as before. This just makes a messy thread. RC was always its own thread: 7.2rc7 https://forum.mikrotik.com/viewtopic.php?t=184585 6.49rc https://forum.mikrotik.com/viewtopic.php?t=178853 6.48rc https://forum.mikrotik.com/viewtopic....

Jotne

It could be today or this week itself.

Or not.

Why speculate. It comes when it comes.

Jotne

Maybe a moderator should make a own Cake thread and move all Cake post over there.

Jotne

I don’t see changelog for v40 Change log for v40 is in this thread: https://forum.mikrotik.com/viewtopic.php?p=932950#p932950 But change log for .33 mention in the thread is missing. (you can see it over here: https://mikrotik.com/download/changelogs/testing-release-tree) Edit Alfer closer inspecti...

Jotne

What do you see that I do not see?
I see only v34, v37 and v40

Jotne

i made a script that do log up/down message using netwatch, that can be used to monitor various thing. Eks WireGuard.
viewtopic.php?p=888800#p888800

Jotne

Likely the problem is that a complete overhaul of the logging system would make some people (who have invested time in handling the mess as it is) angry...

One of them is me, since I have to rewrite the Splunk Mikrotik logging.
But its worth it.

Jotne

You could also use one Bridge with multiple VLAN instead if multiple Bridges.

Jotne

Sure, but I agree with OP that it doesn't seem very professional with screens full of red warnings that every connection is unsafe.

Are OP logged inn to your router (winbox/web) and have the log window open all time?
I would say that Winbox/web are for configuration and searching for problems.

Jotne

ppp,error,critical: 217.67.*.*: Encryption got out of sync - disabling At what severity level is this message? Error or Critical From Syslog Severity level https://en.wikipedia.org/wiki/Syslog 0 Emergency 1 Alert 2 Critical 3 Error 4 Warning 5 Notice 6 Informational 7 Debug Please Mikrotik fix the ...

Jotne

Is this some you have in production, or some you like to setup? Can you post the config?

Jotne

PS no need to make two post about the same. You can do many quote in one post.

Still does not understand what is your goal is. Is the some in production, or just for test?
Make a design drawing.

Jotne

How many interfaces do you have since you need more than 200 interface lists?

Jotne

You must still be misreading the issue, as issues presented here is not about your personal problems and solutions, rather errors and flaws in the RouterOS implementation. 1. OP han not replayed back saying anything about what is wrong and what is correct. 2. From the title " Feature Request &...

Jotne

When API logs inn, there will be written some to the logs. Internal logs has a limit, so it will be filled up by repeating stuff. Example on my router. log.png This does not give any problem for me, since I do send all logs to an external syslog/splunk server. There I can filter out what I do like t...

Jotne

Have you tried:

/ip firewall connection remove [find where dst-address~"your_public_ip_on_interface_xxx"]

Here you can specify what outside IP you like the connection be cleared for.

Jotne

This scripts will write a file every minute to the flash drive. Would that shorten the flash life? I would suggest you do monitor the router using an external program like splunk. Here you can see many routers uptime and when they restarted. This is my garage router. You can see uptime for 17 days a...

Jotne

I am getting the voltage this way. /system health :put [get [find where name=voltage] value] Its more inline with the rest of my scripting. After som testing, it seems that value-name are not needed if you specify what you need after the data id. Differences: This works :put [get [find where name=vo...

Jotne

And in English that would be? Using google translate hello friends of the group, has it happened to someone that they have updated a RouterBOARD 750G r3 to version 6.49.6 and it stops saving configurations, that is, when it is turned off or restarted, it returns the last changes after the update. so...

Jotne

viewtopic.php?t=148397

Jotne

You can use an external log server. There you can easily filter out what you do not want.

Jotne

I was looking for ways to rename files on RouterOS. Why? I like to modify my backup script, so that it only sends backup/export files if file size are change. Testing for size is simple, so after backup is send, I will rename export to old_export file. Next run test size and if different send new ex...

Jotne

Are you doing that on the router it self?

Jotne

This way is better, more readable

I was looking for how to compare two files if possible, and only take new backup and send it if different from previous backup.
checksum if possible or size.

Jotne

This is why I always backup all my routers with both backup file and export config. But its interesting that there are programs to unpack the backup file, never seen that before. By converting the backup file, the OP my see why he can not reach or how to reach the router after backup file is restored.

Jotne

I do reply to this old post, since it may help other. Problem is that file name can not contain / So to get it to work, this character has to be removed or replaced to some like this { :local id [/system identity get name] :local time [/system clock get time] :local date [/system clock get date] :lo...

Jotne

Remove the router, setup a linux pc where you change ssh port from 22 to 1212. Connect it to your IPS and test it you can reach that from internet.
If yes, some is wrong with RouterOS config, if no, ISP problems.

Jotne

Then splunk does not see the file.

/opt/splunk/etc/system/local/inputs.conf

It can be a permission settings, if its there.
If I do run Splunk a non-root user, f.eks as a splunk user, I make sure all files under /opt/splunk has same rights.

Jotne

In folder (in linux)

/opt/splunk/bin

run

./splunk btool inputs list | grep udp

You should see:

[monitor:///data/syslog/udp/.../*.log]
[udp]

Jotne

Then you have skipped this part in rsyslog setup: To make Splunk read rsyslog data make this file: %SplunkHome%/etc/system/local/inputs.conf [monitor:///data/syslog/udp/.../*.log] sourcetype = rsyslog host_segment=4 [monitor:///data/syslog/tcp/.../*.log] sourcetype = rsyslog host_segment=4 NB Splunk...

Jotne

It seems that rsyslog data looks fine. But to get the firewall data in firewall dashboard correctly, you should name the rule as in section. 2c In splunk go to this setting: Settings->Data Input->Files & Directories Do you see a line starting with? /data/syslog/udp/.../*.log This command index=*...

Jotne

Whats inn those files? paste some lines. See section 3b Debuging

If syslog folder has data, it could be one of two.
Not using MikroTik tag (Capital M and capital T)
Splunk not reading data.

What do search for

index=*

give

Jotne

Not an answer to your question, but [*] never open opp 8192 from internet to admin your router. You asking for problems. add action=accept chain=input dst-port=8291 protocol=tcp See this post: https://forum.mikrotik.com/viewtopic.php?p=870631#p870631 set winbox address=192.168.1.0/24 This helps some...

Jotne

100 email to support@mikrotik.com would be better.

Jotne

You should never open Winbox directly from outside, your router will be hacked...
.

winbox.png

See this link:
viewtopic.php?p=870631#p870631

Jotne

5. How to read report?
can you do? http://your.router.ip/xxxx

Jotne

Updated section 1f, to make clear your can not use UDP/514 in Splunk if Splunk is not run as root. You then need external rsyslog server.

Jotne

Ahh, If you use rsyslog, it uses UDP port 514, so you can not add it to Splunk. Only one app can use one given port. And since you need to be root to use port 514 (<1024), the app needs to run as root. And since its not recommended to run Splunk as root, I let rsyslog get the data by it listen to po...

Jotne

Do you mean that you should connect an USB mouse and when you use the Mouse, it should move the cursor on a remote machine.
This is possible, but not with Mikrotik.
There are hardware that can do that or software that can be used to emulate USB.

Jotne

Did try to send you an email, but did not get delivered, so did try one more just now. I do use Ubuntu and there all rsyslog are installed as default in folder /etc/rsyslog.d/ and as user root. In the config there are settings that points to where to store syslog data, udp.conf that points to folder...

Jotne

add action=accept chain=input comment="Remote access to Mikrotik Igor" dst-port=8291 protocol=tcp See my reply here: https://forum.mikrotik.com/viewtopic.php?p=870631#p870631 /ip firewall filter add action=accept chain=input comment="Remote access to Mikrotik Igor" dst-port=8291...

Jotne

7.3beta40 is available, why is it buried in this thread.

This is how beta are posted. Look at older beta threads and you will find all beta version in just one thread for each main version.

Jotne

Remember this is just one beta version. MT do read this forum and they see user reaction to what they do. So no need 100 post about the same.

Jotne

Just remove check mark from "Use Peer DNS" in DHCP client config on RouterOS like here:
.

dns.png

Jotne

Splunk can do all you ask about and more. Nearly unlimited possibility. It do cost allot of money if you put it inn to a large scale company, but may be the best and most flexible solution out there. For your IP address list, you can hav tem in a csv file that Splunk uses. This fil can be updated au...

Jotne

Its clearly a bug. On 7.x I do see the bridge port in Winbox but not at

/ip arp print detail

nor

:put [/ip arp get *1]

Send an email to support@mikrotik.com and report it as bug.

Jotne

1. Can a report be generated for the individual device? Yes 2. Can the script log the address list so I can perform an audit on affected IPs. Yes 3. I dont understand your naming convention...are you referring to the comment given to the rules? Yes its the naming of filter/nat rules to make it easi...

Jotne

Can you not setup a Router in VM with at least 2 interface. It will then be simpler to separate download/upload and simpler to make queues to limit the bandwidth etc.

Jotne

Here you go:

{
/ppp secret
:foreach id in=[find where profile="Profile-A"] do={
	set $id profile="Profile-B"
}
}

Jotne

Here is output of my settings /ip/kid-control> export # may/11/2022 22:25:17 by RouterOS 7.2.3 # software id = E4B6-AAAA # # model = RouterBOARD 750G r3 # serial number = xxxxx /ip kid-control add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=0s-1d To see the actual da...

Jotne

I am really AGAINST DoH in General and DoT instead would please me. DoH should only be used in countries where the people are oppressed and can't have free gathering of information in an other way. After https was introduced, DNS was the most easy way for ISP to log what you do. I am living in a fr...

Jotne

I would have no problem to make this app better and working together :) Yes its the same app that has been around since at least 2017. My level of programming skill is not at a high level, but know some and also working with splunk as a main work. We have 50+ Splunk server and 1+ TB a day from 3k+ s...

Jotne

Small bug found that will come in 3.7 if you do use rsyslog. Quick fix to get it to work. Change this part of props.conf from [rsyslog] TRUNCATE = 10000 TRANSFORMS-dns = remove_dns_query,remove_dns_answer TRANSFORMS-force_mikrotik = force_mikrotik_st,force_mikrotik_ix To [rsyslog] TRUNCATE = 10000 T...

Jotne

If you can post the config of the router, it would help some to investigate.

Jotne

When something needs to be run on both versions, don't use syntax compatible only with v7

:local Version [/system/resource get version]
->
:local Version [resource get version]

Good catch, updated.

Jotne

Script updated to v1.4 Now also sends router version information in the subject. Faster to see when router was upgraded. # # Created Jotne 2022 v1.4 # # 1.4 Added Router OS version # 1.3r Revised by REX # 1.3 / 1.2 try to fix v6/v7 compability # 1.1 added "show-sensitive" # 1.0 initial rel...

Jotne

It is confirmed that the ISP is blocking NTP protocol and they will not do anything to solve it. I have to do it from my side.

Did you ask your ISP if they have an NTP server you can use?

Jotne

Is that the full config ?

Can not be. Missing DHCP/Bridge/interface config +++

Jotne

Splunk to analyze MikroTik Routers :)
viewtopic.php?t=179960

Signature does not show up in all post. Not sure why.

Jotne

File is find in section 1g) in the first post. And I did forget to upload 3.6 when I had written that it was upgraded. Fixed now.

Jotne

Upgraded the router with memory leak in 7.1.5 as shown here: viewtopic.php?p=922854#p922854
After one day running 7.2.3 it seems to not have memory problem with same config (just upgrade).

Jotne

Use google ans search for mikrotik vpn.
MikroTik do support a big variety of VPN so select the type that fits your need. (Stay away for PPTP VPN)

Jotne

Take care when setting up remote access to the router over internet. VPN is the best option. Se my post here:

viewtopic.php?t=177280

Jotne

My car GSP gives a red warning sign with the speed limit when I drive passed the speed limit. I have then some option. 1. Drive slower 2. Ignore warning 3. Turn of GPS 4. Request the producer to remove the warming. 5. Use another GPS without warning 6. ? Same for OP. He gets several post here on wha...

Jotne

If you can live with the non secure PPTP, you should have no problem with a RED comment in Winbox.

You can use an external tool to look at the VPN connection like my Splunk for MikroTik.
Dere you can setup what you like to see or not to see.

Jotne

The OP wrote the above line in his first message. Since then, almost everyone is trying to convince him to use anything else than PPTP. Am I missing anything? You miss comment like this: Ship each site a pre-configured hEX or similar to terminate a proper VPN tunnel. For instance, a site-to-site Wi...

Jotne

viewtopic.php?t=179960

Jotne

From what version?

Jotne

Can you post the output of with oid of the line giving correct result?

Jotne

Version 7.1.6 would be the next in long-term branch... But this is off topic, we should stop here. Off topic, but I was very surprised when I did see that 7.1.5 thread was closed in favor for 7.2.1. So is 7.2.1 same as 7.1.6? Normal MT keeps a version over a longer periode. When its stable for some...

Jotne

Time to start upgrading older hardware.

Jotne

Upgraded to 3.6 # 3.6 (05.05.2022) # NB Delete old app (copy custom made config) before install v3.6 # Change data to store in Mikrotik index, instead of default index # Change how rsyslog handles data. Did fail if there was more than one type of input # Updeted script in "MikroTik DHCP to Sta...

Jotne

Cleaned up the script some. Removed ; from half of the script. Not needed at end of line. Only when multiple commands are on same line. Open up the do= commands to better see the loops. Added tabs to better see the loops. :log info "Automated Backup Started" :delay 2s :log info "Creat...

Jotne

Hi Jotne,I'm new to the forum and to splunk, I have my lab upstairs with an ubuntu server with rsyslog and a mikrotik rb3011/6.42.9v router, the logs arrive in my rsyslog, but I can't see them in splunk. I would appreciate any help. Do this search give any Mikrotik data? index=* You have followed t...

Jotne

@siscom try some search like this.

index=* sourcetype=mikrotik  eventtype IN (*tp_connection_from,*tp_user_logged_in,ppp_authentication_failed,l2tp_user_logged_out)

or

index=* sourcetype=mikrotik  ppp

Without seeing what you get its not easy,

Jotne

Do you see the logs in splunk?

index=*

Can you post some example line?

Jotne

You also need WifiWave 2 packets for it briks.

Jotne

Missing ping number seems to only bee seen with count=2. Try count=3 This looks like a bug and MT should fix it. [jotne@RB951-2] > :put [:ping 8.8.8.8 count=2] Columns: SEQ, HOST, SIZE, TTL, TIME SEQ HOST SIZE TTL TIME 0 8.8.8.8 56 53 17ms540us 1 8.8.8.8 56 53 17ms770us [jotne@RB951-2] > :put [:ping...

Jotne

Its very sily to say that I have to read forum before upgrade to stable version...when is new firmware distributed by official upgrade from HAP AC3, the firmware must be checked for this device. How anyone could explain how Mikrotik is testing new stable version when it bricks all HAP AC3????? Its ...

Jotne

Put it in the signature part of your user account ;)

Does not help if owner of Mikrotik Routers does not bother to read the forum.

Jotne

Argh the wiviwave2 package make my hAPAC3 bootloop forever...

Did you read this forum before upgrade?
Did you read the post above before you posted this post.
This is just repeating what is already known.

Jotne

I am really angry, as it took me literally 5-6 hours to setup and test...even with linux and dump switch in between did not work with netinstall I do not see why all is upset. Yes, its not good that software do breaks the router. Many users posts and ask for auto upgrade of routers, and this is why...

Jotne

all other disadvantages...

Can you give some example on that.
I know that if you posting config, you should not post serial, since it can be used to find your IP. Not a very big problem if you have secured your router well.

Jotne

As I write above.

:put [/ip cloud get public-address]

Jotne

Convert this:

:put [/system/resource/get uptime]
5w4d12:38:02

to what?

Jotne

add chain=input comment="allow Winbox" in-interface=ether1-gateway port=8291 protocol=tcp DO NOT OPEN ADMIN INTRAFACE FROM INTERNET!!!!!! This is just asking for trouble. Use VPN to administrate your device from remote location. If VPN can not be used, follow this list to make connection ...

Jotne

Either way should be possible. I will look at it when I am back home.

Jotne

When going through bad login, its possible to compare the username against all local stored user name and if not found, then do log a message.

Jotne

I am not sure if the message that are logged are different if its wrong user or wrong password.
Test and se what log you get. If log are different, it should be easy to fix the script.
I am away from my mikrotik routes, so no testing (vacation in Brazil

)

Jotne

That was what normis just did write.

Jotne

Make sure you use VPN to access your router.
You should also upgrade to latest long time release 6.48.6
https://mikrotik.com/download

Jotne

I have been using GreyLog for a couple of years for Syslog management on my Tiks. Can someone help me understand when using Splunk with a Tik, what would be the advantage over GreyLog? GreyLog and Splunk are the two mayor log receiving system. One is 100% free, other is free up to 500MB log / day. ...

Jotne

What do you get when search for

index=*

Do you use rsyslog or are you running Splunk as root and listen on port 514?
See section
3b) Debugging

Jotne

Not necessarily.
Because DoH server can be blocked, and then fallback to standard DNS.

Since you can not see what's inside HTTPS packages, you can not know if its a web site or DoH traffic. And since any can setup a DoH or DoT server, there are no way you can block this.

Jotne

Jotne

I have not looked at 7.3beta, but my guess is that change log is the difference from 7.2 or 7.2.1

Jotne

Why not use netwatch function?
Its created for just this type of senarios.

Jotne

I hope that one day my network interface will work
version 6 works without problems

Not the same, but you can install VmWare and use CHR version of RouterOS.

Jotne

Changes since last rc (rc7) Find using compare duplicate cells in Excel. No new stuff added since rc7 List of all changes and when they was introduced in 7.2 train RC `7.2.0 rc5 *) api - accept "Content-Type" with specified charset; rc5 *) arm - fixed "auto" CPU frequency setting...

Jotne

They should have made a changelog relative to 7.2rc7 as well. That is some I do miss as well. If you look at Cisco, you have a tool where you can compare each version against each other and even select different hardware. Cisco Feature Navigator https://cfnng.cisco.com/ Not sure how much you can se...

Jotne

Read this post: https://forum.mikrotik.com/viewtopic.php?p=788771#p788771 Never, ever let the system auto upgrade without having a hold trigger. After new firmware comes out, wait 2-3 weeks and read all post to see if any serious bug arrive. Test new software on a local test router with same hardwar...

Jotne

Not sure where I get it from. May have seen it some place and start using it.

Search found 3684 matches