hans0
just joined
Topic Author
Posts: 18
Joined: Sun Jul 19, 2009 8:57 pm

Traffic logging and two disks.

Thu Jun 24, 2010 3:36 pm

Hi there.
I’m starting with traffic logging and I’m searching for the best solution for it.
Now I’ve got two ideas:
Idea one:

On the retail customer router (quite a fast x86 with 4 ethernets) make something like this:
/ip firewall filter add action=log chain=forward comment="" dst-address-list=customers connection-state=new disabled=no log-prefix=log-retail
It’s quite an easy way, but there is one thing that I have no solution for.
In my x86 there is one DOM disk with the ROS license on it and one 200 GB HDD.
I was trying to make active storage for logging on the HDD but I can’t – all the time the logs go to the DOM flash disk.
What is the way to tell ROS where it should store the log file?
Of course I know that there is an easy way to tell ROS to send logs to a remote system, but I think (am I right?) that this way costs much more CPU usage than writing headers locally on the hard drive.
Idea two:
Do the same, not on the customers’ router but on a new machine with one Ethernet adapter connected to the switch with a mirrored port, and just sniff. In this case I will not worry about the router’s CPU because all of the logging will be done by another machine. But can I sniff traffic with ROS? Or will I have to set up a new Linux box for promiscuous mode?


Thanks for your answers.

+++
Due to Chupaka, the prompt answer is: use netflow from MT and any netflow.
But the main question still has no answer - how to tell ROS to write the log on another drive than the main one.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Traffic logging and two disks.

Fri Jun 25, 2010 2:37 am

I think, you cannot use additional drives for storing your logs... for now =)

Anyway, RouterOS is first of all a network OS, so sending your logs to a syslog server is the preferred way, and in most cases it costs less than writing to the disk, I believe. And again, netflow export is better than logging with a firewall rule =)
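
What a syslog server can do with the lines produced by the log-retail rule from the first post, shown as an added example that is not part of the original thread and not MikroTik code. The log line layout in the pattern and the sample lines are assumptions constructed for illustration; parse_line and summarize are hypothetical helper names.

```python
import re
from collections import Counter

# ASSUMPTION: layout of a RouterOS firewall log line as seen at a syslog server.
# Compare with your own router's output before relying on this pattern.
LINE_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>[^,\s]+), "
    r"(?:src-mac (?P<mac>[0-9A-Fa-f:]{17}), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?, len (?P<len>\d+)"
)

# Constructed sample lines (documentation addresses, made-up host name and MACs).
SAMPLE = [
    "Jun 24 15:36:01 gw firewall,info log-retail forward: in:ether1 out:ether2, src-mac 02:00:00:00:00:01, proto TCP (SYN), 198.51.100.7:51514->10.1.0.15:443, len 60",
    "Jun 24 15:36:02 gw firewall,info log-retail forward: in:ether1 out:ether2, src-mac 02:00:00:00:00:01, proto TCP (SYN), 198.51.100.7:51515->10.1.0.15:443, len 60",
    "Jun 24 15:36:03 gw firewall,info log-retail forward: in:ether1 out:ether3, src-mac 02:00:00:00:00:01, proto UDP, 203.0.113.9:53000->10.1.0.22:53, len 71",
    "Jun 24 15:36:04 gw firewall,info log-retail forward: in:ether1 out:ether3, src-mac 02:00:00:00:00:01, proto ICMP (type 8, code 0), 203.0.113.9->10.1.0.22, len 84",
    "Jun 24 15:36:05 gw system,info,account user admin logged in from 10.1.0.2 via winbox",
]

def parse_line(line, prefix="log-retail"):
    """Return one connection record as a dict, or None if the line is not ours."""
    m = LINE_RE.search(line)
    if not m or m.group("prefix") != prefix:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "len"):  # ICMP lines carry no ports
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec

def summarize(lines, prefix="log-retail"):
    """Count new connections per (customer address, protocol, port)."""
    per_dst, unparsed = Counter(), 0
    for line in lines:
        rec = parse_line(line, prefix)
        if rec is None:
            unparsed += 1  # keep a count so format drift is noticed, not hidden
        else:
            per_dst[(rec["dst"], rec["proto"], rec["dport"])] += 1
    return per_dst, unparsed

if __name__ == "__main__":
    counts, skipped = summarize(SAMPLE)
    for key, n in counts.most_common():
        print(n, key)
    print("unparsed lines:", skipped)
```
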
