I want to let my MT devices send their logs to a central destination.
I am already using Graylog, so I did set up a syslog input on Graylog and configured it as destination for the MT-devices.
But:
If I use “BSD syslog” on my MT routers, I do not see the messages.
If I do not use “BSD syslog”, I can see the messages as an unformatted string: firewall,info output: in:(unknown 0) out:ether1, proto 4, 10.49.0.17->10.10.239.5, len 40
Are you using Graylog? Did you setup a working set of extractors, or how did you solve this?
I posted something similar in the Graylog forums; would you be able to check my post there and see if what you are experiencing is similar?
I have also heard version 3.1.x of Graylog is handling these logs correctly. I am spooling up a VM to test this later today.
I tried this a while back and found that when you use the BSD option, something very strange to do with timezones happens. My device was set to UTC+2, which would cause the log entries to appear in Graylog two hours after the fact. Extremely confusing until I found out what was going on.
I don’t know if it’s an issue with the time zone on the Graylog server or something else. I suspect that should you use a timezone UTC<0 you will never see the messages.
I’ve got the same problem and figured out why.
The Mikrotik device is sending syslog in RFC 3164 format, which contains a timestamp without timezone information. If you did not configure the Graylog server or the Mikrotik device properly, the logs from the Mikrotik device will show up in the Graylog server with an incorrect time.
I’ve configured my Mikrotik device and Graylog server to use the same timezone, and it’s working fine now.
Another year later, is Graylog a reliable syslog solution for MikroTik hardware?
I set up Graylog recently, and I think it works fine - but as with all types of logging to Graylog, be prepared to put some work into getting the formatting right. Some of my devices need timezone / UTC conversion, but once you set this up as a pipeline, you can add it to any devices that need it with one or two clicks. I would probably want another pipeline to parse the log message and properly separate out the topics from the message content.
here is an example log message:
system,info,account user admin logged in from 192.168.100.109 via ssh
I set up my Graylog using docker compose: https://github.com/Graylog2/docker-compose
I was pretty much able to use the standard open-core setup without needing to change much. Make sure you have enough memory or it will crash.
Keep in mind, Graylog will set itself up in UTC, and the default admin user will also be set up in UTC. You will need to create a new user, and set that user to your local timezone to make sure your logs show the correct times. Even then, I sometimes need a pipeline on certain log sources to adjust the timezone.
You will need to create a syslog input for TCP and one for UDP; I can’t remember which Mikrotik uses, as there is no mention in the Winbox log configuration UI. The default port in Graylog is 5140, but you can change it in the docker compose yaml.
I have created separate ‘Streams’ and ‘Indices’ for each of my various log sources. This is a) so I can have different retention settings per log source, and B) so I can run different processing pipelines on the different log sources.
On the Mikrotik itself:
I just set the address and port (address must be an IP, apparently syslog does not work with FQDN).
BSD syslog is unchecked. I believe that setting changes the log format from RFC 5424 to RFC 3164 standard, but I wish Mikrotik would spell that out explicitly.
For the mikrotiks I have set up a little pipeline to separate out the ‘topic’ field from the ‘message’ field.
rule "function sort_Mikrotik"
when
    has_field(field: "message")
then
    // RouterOS messages look like "topic1,topic2 rest of message":
    // split on the first run of whitespace (limit 2) so the comma-joined
    // topic list lands in element 0 and the remainder in element 1.
    let topics = split("\\s+", to_string($message.message), 2);
    set_field("topics", topics[0]);
    set_field("message", topics[1]);
end
Also - here is the timezone adjuster pipeline - Note I do not need this on my Mikrotik, but you might need it if you use the BSD-syslog option, and it’s a very common problem.
rule "function correct timestamps"
when
    has_field(field: "timestamp")
then
    let log_timestamp = $message.timestamp;
    let timestamp = $message.timestamp;
    // Drop the last character of the string form of the timestamp (the zone
    // designator Graylog appended) so the sender's real offset can be added.
    let strlength = length(to_string(timestamp));
    let newlength = strlength - 1;
    let mid_date = substring(to_string(timestamp), 0, newlength);
    // Append the offset the device actually logged in (here UTC-7).
    let mid_date2 = concat(first: mid_date, second: "-07:00");
    //2023-03-26 05:03:19.970
    // Re-parse with the explicit offset so Graylog stores the correct instant.
    let new_date = parse_date(value: to_string(mid_date2),
        pattern: "yyyy-MM-dd'T'HH:mm:ss.SSSZ", locale: "en-US", timezone: "America/Vancouver");
    set_field("timestamp", new_date);
    // Keep the original value for troubleshooting.
    set_field("OG_timestamp", timestamp);
end
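Both problems in this thread (the RFC 3164 timestamp that carries no year or timezone, and the "topics message" string that needs to be split) can be reproduced outside Graylog. The following is an added example, not code from the forum posts or from Graylog or MikroTik: a small Python normaliser that accepts either RouterOS log form, decodes the syslog PRI, reinterprets the zone-less timestamp in the sender's configured zone, and shows how large the skew is when a receiver assumes the timestamp is UTC. The sample lines, the hostname `router1` and the +02:00 sender zone are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not captured from a real router). The first is what
# RouterOS sends with "BSD syslog" unchecked: the bare "topics message" string.
# The second is the RFC 3164 form sent with "BSD syslog" checked: a <PRI> header,
# a timestamp with neither year nor timezone, and the sender's hostname.
PLAIN_LINE = ("firewall,info output: in:(unknown 0) out:ether1, proto 4, "
              "10.49.0.17->10.10.239.5, len 40")
BSD_LINE = ("<134>Mar 26 05:03:19 router1 system,info,account "
            "user admin logged in from 192.168.100.109 via ssh")

# Assumed sender zone for the example: a router configured for UTC+2.
PLUS_TWO = timezone(timedelta(hours=2))

# RFC 3164: "<PRI>Mmm dd hh:mm:ss HOST MSG"; the day may be space-padded ("Mar  5").
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def split_topics(text):
    """Split 'topic1,topic2 rest of message' into (topic list, message).

    Same idea as the pipeline rule in the thread: split on the first run of
    whitespace, then break the leading token on commas.
    """
    parts = re.split(r"\s+", text.strip(), maxsplit=1)
    topics = parts[0].split(",")
    message = parts[1] if len(parts) > 1 else ""
    return topics, message


def parse_bsd_timestamp(ts, sender_tz, year):
    """Interpret a zone-less RFC 3164 timestamp in the sender's zone; return UTC.

    The router writes its local wall-clock time. The year and the offset must
    be supplied by the receiver, which is exactly what goes wrong when the
    receiver and the sender disagree about the zone.
    """
    naive = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=sender_tz).astimezone(timezone.utc)


def skew_if_assumed_utc(ts, sender_tz, year):
    """How far off the event lands if the receiver treats the timestamp as UTC."""
    assumed = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    assumed = assumed.replace(tzinfo=timezone.utc)
    return assumed - parse_bsd_timestamp(ts, sender_tz, year)


def parse_line(line, sender_tz=timezone.utc, year=None, received_at=None):
    """Normalise either RouterOS log form into one record.

    sender_tz:   the router's configured zone (assumption: known per source).
    year:        RFC 3164 omits the year; defaults to the current UTC year.
    received_at: timestamp to use when the line carries none (plain form).
    """
    if year is None:
        year = datetime.now(timezone.utc).year
    m = BSD_RE.match(line)
    if m:
        # PRI = facility * 8 + severity (RFC 3164); 134 -> local0 / info.
        facility, severity = divmod(int(m.group("pri")), 8)
        topics, message = split_topics(m.group("msg"))
        return {
            "host": m.group("host"),
            "facility": facility,
            "severity": severity,
            "timestamp": parse_bsd_timestamp(m.group("ts"), sender_tz, year),
            "topics": topics,
            "message": message,
        }
    # Plain form: no header at all, so the receiver's arrival time is the only
    # timestamp available.
    topics, message = split_topics(line)
    return {
        "host": None,
        "facility": None,
        "severity": None,
        "timestamp": received_at,
        "topics": topics,
        "message": message,
    }


if __name__ == "__main__":
    print(parse_line(PLAIN_LINE))
    print(parse_line(BSD_LINE, sender_tz=PLUS_TWO, year=2023))
    print("skew if treated as UTC:",
          skew_if_assumed_utc("Mar 26 05:03:19", PLUS_TWO, 2023))
```

Run against the two constructed lines, the BSD line resolves to 03:03:19 UTC when the sender is known to be at UTC+2, and the skew function reports the two-hour offset described earlier in the thread when that knowledge is missing. In practice the per-source zone is the one piece of configuration a receiver cannot infer from an RFC 3164 line, which is why aligning the router and the server on one zone, or carrying the offset in a pipeline, is the fix.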