I had a smaller set of firewall logging rules that let me know when there were behaviors that should catch my eye. Logs are forwarded to a remote syslog server and it has some rules that will fire off warning emails when certain phrases are detected in the logs. This all worked wonderfully until…
We started working with a security vendor who is providing proactive monitoring of our systems. This includes adding a “log new connection” rule into the MikroTik and sending those records to them via syslog. As you can imagine… that is a LOT of log records. My problem is now my “signal” (the handful of custom logging rules I wrote) is lost in the noise (millions of new connection log entries).
Ideally, I’d be able to do something like this:
1. Configure custom/“high priority” logging rules so that they would log at a level higher than “info”
2. Configure separate logging actions for firewall !info
I think #2 is not a problem, but I don’t see a way to pass --log-level to the filter rules.
Another approach would be if there was content-based filtering that could be applied in the logging rules (example: different log action if “new connection” is found in the entry than if it is not).
Both of these approaches can be done in Linux, but I don’t see anything in the MikroTik documentation that indicates there is an implementation.
Any suggestions?
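The content-based split the post asks for can be done on the receiving syslog server instead of on the router, keyed on the `log-prefix` that a MikroTik firewall rule can attach to its log entries. The following is an added example written for this thread, not code from the original post or from MikroTik: it assumes forwarded firewall lines take the shape `<topics> [log-prefix] <chain>: <details>` and that the hand-written rules carry a distinctive prefix (here the constructed prefixes `WATCH-SSH` and `WATCH-WINBOX`), while the vendor's bulk new-connection rule carries none. The sample log lines are constructed with RFC 5737 documentation addresses. Lines whose prefix is on the watch list go to an alert bucket, everything else to an archive bucket, and the alert bucket is summarised per prefix and source address so a threshold rule has something to work with.

```python
"""Split MikroTik firewall syslog lines into "signal" and "noise" on the
syslog server, keyed on the rule's log-prefix.
Added example for this thread; not code from the original post or MikroTik."""
import re
from collections import Counter

# Constructed sample lines. Shape assumed from the MikroTik firewall logging
# format "<topics> [log-prefix] <chain>: <details>"; addresses are RFC 5737
# documentation ranges, not real hosts.
SAMPLE_LINES = [
    "firewall,info forward: in:ether1 out:bridge, proto TCP (SYN), 203.0.113.10:51234->192.0.2.20:443, len 60",
    "firewall,info WATCH-SSH input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51235->192.0.2.1:22, len 60",
    "firewall,info forward: in:bridge out:ether1, proto UDP, 192.0.2.20:53412->198.51.100.53:53, len 72",
    "firewall,info WATCH-SSH input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.11:40001->192.0.2.1:22, len 60",
    "firewall,info WATCH-WINBOX input: in:ether1 out:(unknown 0), proto TCP (SYN), 203.0.113.10:51240->192.0.2.1:8291, len 60",
    "firewall,info forward: in:ether1 out:bridge, proto TCP (SYN), 203.0.113.12:51300->192.0.2.20:80, len 60",
    "not a firewall line at all",
]

LINE_RE = re.compile(
    r"^(?P<topics>[\w,]+)\s+"          # e.g. "firewall,info"
    r"(?:(?P<prefix>[^\s:]+)\s+)?"     # optional log-prefix set on the rule
    r"(?P<chain>\w+):\s+"              # chain name (input, forward, ...)
    r"(?P<details>.*)$"
)
# "src:sport->dst:dport" as MikroTik prints the connection endpoints
ENDPOINTS_RE = re.compile(r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_line(line):
    """Return a dict of fields, or None if the line is not a firewall entry."""
    m = LINE_RE.match(line)
    if not m or "firewall" not in m.group("topics").split(","):
        return None
    entry = m.groupdict()
    ep = ENDPOINTS_RE.search(entry["details"])
    entry.update(ep.groupdict() if ep else
                 {"src": None, "sport": None, "dst": None, "dport": None})
    return entry


def classify_lines(lines, watch_prefixes):
    """Bucket parsed entries: lines whose log-prefix is in watch_prefixes are
    'alert' (the hand-written rules), everything else is 'archive' (the bulk
    new-connection feed). Unparseable lines are kept so nothing is silently lost."""
    buckets = {"alert": [], "archive": [], "unparsed": []}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            buckets["unparsed"].append(line)
        elif entry["prefix"] in watch_prefixes:
            buckets["alert"].append(entry)
        else:
            buckets["archive"].append(entry)
    return buckets


def summarize_alerts(alerts):
    """Count alert hits per (prefix, source address): the figures an alerting
    rule on the syslog server would threshold on."""
    return Counter((e["prefix"], e["src"]) for e in alerts)


if __name__ == "__main__":
    b = classify_lines(SAMPLE_LINES, {"WATCH-SSH", "WATCH-WINBOX"})
    print(f"{len(b['alert'])} alert, {len(b['archive'])} archive, "
          f"{len(b['unparsed'])} unparsed")
    for (prefix, src), n in summarize_alerts(b["alert"]).most_common():
        print(f"{prefix:<14} {str(src):<16} {n}")
```

The same prefix test can be expressed directly in the syslog daemon's own filter rules, so that only prefixed lines reach the mail-alert action while the bulk feed is written to its file (or forwarded to the vendor) untouched. Keeping the prefix match as the selector means the router configuration does not change at all: the existing custom rules only need a `log-prefix` that the bulk rule does not use.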