[6.42.1] DHCP does not send log to remote syslog

I have been using Splunk to analyse MikroTik logs for a long time.
But for some reason, not sure since when, DHCP does not send logs to the remote server.
DNS/Firewall/UPnP etc. send logs to the remote server.

I can see logs from all the other modules on the remote server, but not DHCP.

If I just set DHCP to log to memory, it looks OK:

11:46:53 dhcp,debug,packet DHCP-vlan1-Home sending offer with id 3081862081 to 10.10.10.128 
11:46:53 dhcp,debug,packet     ciaddr = 0.0.0.0 
11:46:53 dhcp,debug,packet     yiaddr = 10.10.10.128 
11:46:53 dhcp,debug,packet     siaddr = 10.10.10.1 
11:46:53 dhcp,debug,packet     chaddr = 10:0B:A9:1E:5D:DC 
11:46:53 dhcp,debug,packet     Msg-Type = offer 
11:46:53 dhcp,debug,packet     Server-Id = 10.10.10.1 
11:46:53 dhcp,debug,packet     Address-Time = 31536000 
11:46:53 dhcp,debug,packet     Subnet-Mask = 255.255.255.0 
11:46:53 dhcp,debug,packet     Router = 10.10.10.1 
11:46:53 dhcp,debug,packet     Domain-Server = 10.10.10.1 
11:46:53 dhcp,debug,packet DHCP-vlan1-Home received request with id 3081862081 from 0.0.0.0 
11:46:53 dhcp,debug,packet     ciaddr = 0.0.0.0 
11:46:53 dhcp,debug,packet     chaddr = 10:0B:A9:1E:5D:DC 
11:46:53 dhcp,debug,packet     Msg-Type = request 
11:46:53 dhcp,debug,packet     Client-Id = 01-10-0B-A9-1E-5D-DC 
11:46:53 dhcp,debug,packet     Address-Request = 10.10.10.128 
11:46:53 dhcp,debug,packet     Server-Id = 10.10.10.1 
11:46:53 dhcp,debug,packet     Host-Name = "HE131451-Isabel" 
11:46:53 dhcp,debug,packet     Client-FQDN = 00-00-00-48-45-31-33-31-34-35-31-2D-49-73-61-62-65-6C 
11:46:53 dhcp,debug,packet     Class-Id = "MSFT 5.0" 
11:46:53 dhcp,debug,packet     Parameter-List = Subnet-Mask,Router,Domain-Server,Domain-Name,Router-Discovery,Static-Route,Vendor-Specific,NETBIOS-Name-Server,NETBIOS-Node-Type,NETBIOS-Scope,Classless-Route,MS-Classless-Route,Auto-Proxy-Config 
11:46:53 dhcp,info DHCP-vlan1-Home assigned 10.10.10.128 to 10:0B:A9:1E:5D:DC 
11:46:53 dhcp,debug,packet DHCP-vlan1-Home sending ack with id 3081862081 to 10.10.10.128 
11:46:53 dhcp,debug,packet     ciaddr = 0.0.0.0 
11:46:53 dhcp,debug,packet     yiaddr = 10.10.10.128 
11:46:53 dhcp,debug,packet     siaddr = 10.10.10.1 
11:46:53 dhcp,debug,packet     chaddr = 10:0B:A9:1E:5D:DC 
11:46:53 dhcp,debug,packet     Msg-Type = ack 
11:46:53 dhcp,debug,packet     Server-Id = 10.10.10.1 
11:46:53 dhcp,debug,packet     Address-Time = 31536000 
11:46:53 dhcp,debug,packet     Subnet-Mask = 255.255.255.0 
11:46:53 dhcp,debug,packet     Router = 10.10.10.1 
11:46:53 dhcp,debug,packet     Domain-Server = 10.10.10.1

If I change to remote, no DHCP info is logged to the remote server.

To test, log to memory, then change to remote syslog and compare the results.

I just tested it on 6.42.1 (remote for dhcp) and I do see logs coming in (syslog)

Where’s your logging config?

Hey Chupaka. I would really appreciate your help on a script I was trying to run. I made a topic in the script topic for the forums. Please help!

Ok

I think I found that something has changed in the logging.
Here is what I would like to get:

All from DHCP and Hotspot (including Debug)
All the rest that is not Debug

So these worked before (Varg is my remote server):

 4    topics=dhcp,hotspot prefix="MikroTik" action=Varg
 5    topics=!debug prefix="MikroTik" action=Varg

It is this that gives the problem: topics=dhcp,hotspot

These solve the problem:

 4    topics=dhcp prefix="MikroTik" action=Varg 
 5    topics=hotspot prefix="MikroTik" action=Varg 
 6    topics=!debug prefix="MikroTik" action=Varg



How is this related to my post?

Here is why I need the DHCP debug and not just the info field.

This is what is logged as info:

dhcp,info MikroTik: DHCP-vlan1-Home deassigned 10.10.10.134 from 84:A4:66:52:A1:FE
dhcp,info MikroTik: DHCP-vlan1-Home deassigned 10.10.10.132 from D0:E7:82:D6:71:B5
dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.116 to 70:70:0D:5C:91:FA

Here is what it looks like when getting debug and using Splunk to do some DNS lookups as well:

_time			Host_Name			src_host		chaddr			yiaddr		Address_Request	Class_Id
2018-05-10 07:21:29	H****944			pc-he163944-**-wifi	E4:A4:71:04:7F:8B	10.10.10.129	10.10.10.129	MSFT 5.0
2018-05-10 07:19:53	Chromecast			dev-chromecast-**	D0:E7:82:D6:71:B5	10.10.10.132	10.10.10.132	dhcpcd-5.2.10:Linux-3.8.13+:armv7l:MV88DE3108
2018-05-10 05:02:42	HUAWEI_Mate_10_Pro-5c515a	tlf-huawaip10-**	BC:3D:85:2F:71:32	10.10.10.202	10.10.10.202	HUAWEI:android:BLA
2018-05-10 01:39:04	HE131451-I****			pc-he131451-i****	10:0B:A9:1E:5D:DC	10.10.10.128	10.10.10.128	MSFT 5.0

Host_Name is the name the DHCP server sees from the client.
src_host is a lookup at the DNS server.
So if I could get the Host_Name just using info, it would be nice.
Example:

dhcp,info MikroTik: DHCP-vlan1-Home deassigned 10.10.10.132 from D0:E7:82:D6:71:B5 host dev-chromecast-**

Also it would be nice if MikroTik removed the extra spaces in the log, so it goes from this:

dhcp,debug,packet MikroTik: DHCP-vlan1-Home received request with id 3988783859 from 0.0.0.0
dhcp,debug,packet MikroTik:     secs = 1
dhcp,debug,packet MikroTik:     ciaddr = 0.0.0.0
dhcp,debug,packet MikroTik:     chaddr = D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type = request
dhcp,debug,packet MikroTik:     Address-Request = 10.10.10.132
dhcp,debug,packet MikroTik:     Server-Id = 10.10.10.1
dhcp,debug,packet MikroTik:     Max-DHCP-Message-Size = 1500
dhcp,debug,packet MikroTik:     Class-Id = "dhcpcd-5.2.10:Linux-3.8.13+:armv7l:MV88DE3108"
dhcp,debug,packet MikroTik:     Host-Name = "Chromecast"
dhcp,debug,packet MikroTik:     Parameter-List = Subnet-Mask,Static-Route,Router,Domain-Server,Domain-Name,Broadcast-Address,Address-Time,Renewal-Time,Rebinding-Time
dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.132 to D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik: DHCP-vlan1-Home sending ack with id 3988783859 to 10.10.10.132
dhcp,debug,packet MikroTik:     ciaddr = 0.0.0.0
dhcp,debug,packet MikroTik:     yiaddr = 10.10.10.132
dhcp,debug,packet MikroTik:     siaddr = 10.10.10.1
dhcp,debug,packet MikroTik:     chaddr = D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type = ack
dhcp,debug,packet MikroTik:     Server-Id = 10.10.10.1
dhcp,debug,packet MikroTik:     Address-Time = 31536000
dhcp,debug,packet MikroTik:     Subnet-Mask = 255.255.255.0
dhcp,debug,packet MikroTik:     Router = 10.10.10.1
dhcp,debug,packet MikroTik:     Domain-Server = 10.10.10.1

To this:

dhcp,debug,packet MikroTik: DHCP-vlan1-Home received request with id 3988783859 from 0.0.0.0
dhcp,debug,packet MikroTik:     secs=1
dhcp,debug,packet MikroTik:     ciaddr=0.0.0.0
dhcp,debug,packet MikroTik:     chaddr=D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type=request
dhcp,debug,packet MikroTik:     Address-Request=10.10.10.132
dhcp,debug,packet MikroTik:     Server-Id=10.10.10.1
dhcp,debug,packet MikroTik:     Max-DHCP-Message-Size=1500
dhcp,debug,packet MikroTik:     Class-Id="dhcpcd-5.2.10:Linux-3.8.13+:armv7l:MV88DE3108"
dhcp,debug,packet MikroTik:     Host-Name="Chromecast"
dhcp,debug,packet MikroTik:     Parameter-List=Subnet-Mask,Static-Route,Router,Domain-Server,Domain-Name,Broadcast-Address,Address-Time,Renewal-Time,Rebinding-Time
dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.132 to D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik: DHCP-vlan1-Home sending ack with id 3988783859 to 10.10.10.132
dhcp,debug,packet MikroTik:     ciaddr=0.0.0.0
dhcp,debug,packet MikroTik:     yiaddr=10.10.10.132
dhcp,debug,packet MikroTik:     siaddr=10.10.10.1
dhcp,debug,packet MikroTik:     chaddr=D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type=ack
dhcp,debug,packet MikroTik:     Server-Id=10.10.10.1
dhcp,debug,packet MikroTik:     Address-Time=31536000
dhcp,debug,packet MikroTik:     Subnet-Mask=255.255.255.0
dhcp,debug,packet MikroTik:     Router=10.10.10.1
dhcp,debug,packet MikroTik:     Domain-Server=10.10.10.1

Then Splunk would extract all the fields automatically.
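An added example, not part of the thread: a small Python parser that turns the multi-line `dhcp,debug,packet` syslog output quoted above into one record per acknowledged lease, carrying the same fields as the Splunk table (Host_Name, chaddr, yiaddr, Address_Request, Class_Id). It accepts both `key = value` and `key=value`. The function name `dhcp_leases` and the sample are constructed for illustration, and the code assumes the option lines of a packet arrive contiguously and in order after their header line.

```python
import re

# Constructed sample in the remote-syslog form quoted in the thread (prefix "MikroTik").
SAMPLE = """\
dhcp,debug,packet MikroTik: DHCP-vlan1-Home received request with id 3988783859 from 0.0.0.0
dhcp,debug,packet MikroTik:     ciaddr = 0.0.0.0
dhcp,debug,packet MikroTik:     chaddr = D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type = request
dhcp,debug,packet MikroTik:     Address-Request = 10.10.10.132
dhcp,debug,packet MikroTik:     Class-Id = "dhcpcd-5.2.10:Linux-3.8.13+:armv7l:MV88DE3108"
dhcp,debug,packet MikroTik:     Host-Name = "Chromecast"
dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.132 to D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik: DHCP-vlan1-Home sending ack with id 3988783859 to 10.10.10.132
dhcp,debug,packet MikroTik:     yiaddr = 10.10.10.132
dhcp,debug,packet MikroTik:     chaddr = D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type = ack
"""

# Packet header: "<server> received|sending <type> with id <transaction id> ..."
HEADER = re.compile(r"^dhcp,debug,packet \S+: (\S+) (?:received|sending) (\w+) with id (\d+) ")
# Indented option line, with or without spaces around "=".
OPTION = re.compile(r"^dhcp,debug,packet \S+:\s+([\w-]+)\s*=\s*(.*)$")


def dhcp_leases(lines):
    """Attach option lines to their packet header and merge packets by transaction id."""
    leases, current = {}, None
    for line in lines:
        m = HEADER.match(line)
        if m:
            server, msg_type, xid = m.groups()
            current = leases.setdefault(xid, {"server": server, "id": xid})
            current["last_msg"] = msg_type
            continue
        m = OPTION.match(line)
        if m and current is not None:
            # Host-Name -> Host_Name, and drop the quotes RouterOS puts around strings.
            current[m.group(1).replace("-", "_")] = m.group(2).strip().strip('"')
        # dhcp,info and unrelated lines carry no options and are skipped.
    # Only transactions that ended in an ack are completed leases.
    return [rec for rec in leases.values() if rec["last_msg"] == "ack"]


if __name__ == "__main__":
    for rec in dhcp_leases(SAMPLE.splitlines()):
        print(rec["Host_Name"], rec["chaddr"], rec["yiaddr"], rec["Class_Id"])
```

Remote syslog over UDP can drop or reorder lines, so a record may lack a field such as Host_Name; downstream lookups should treat missing keys as unknown rather than fail.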