Date in Logs!!!!!

CZFan · March 6, 2018, 2:55pm

Mikrotik, will the date in the logs be corrected???

In the logs, logs from previous days seems to have the date, but no date in logs for the current day.

I tried to log a IP Abuse for possible VoIP fraud and sent the owners of the IP range a text file with extract from my logs, but the freaken date is not on there!!

How will this hold up in a court of LAW?

16:36:11 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:11 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:12 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:14 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:18 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:22 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:26 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:30 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:34 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:38 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585 
16:36:42 firewall,info forward: in:ether1 out:bridge1, src-mac 44:4c:a8:ba:00:1d, proto UDP, 163.172.205.176:47283->192.168.168.6:5060, NAT 163.172.205.176:47283->(<WAN Address>:5060->192.168.168.6:5060), 
len 585

pe1chl · March 6, 2018, 3:20pm

It is much better (certainly in cases like this) to log to an external syslog server, synchronized to NTP time.
The date/time will be added by the syslog server in the format and accuracy you configure.

td32 · March 6, 2018, 3:38pm

its just a simple fix, there is no need for a third part solution only for this.

CZFan · March 6, 2018, 3:46pm

@pe2chi, thx and yes, I get / know that.

It is just a bit annoying to have to put on systems and more systems for something as simple

CZFan · March 6, 2018, 3:47pm

Please share?

pe1chl · March 6, 2018, 4:06pm

Well of course it would be easy to edit the exported log with a reasonably powerful text editor (everyone has their preference, I use vi/vim)
and insert today’s date at the start of all the lines that have only the time. When it is a recurring task one could use a script with tools
like sed to do that.

But really, an external syslog server with longtime storage of the logs is much better than exporting the memory logs of a router.
It can be as simple as a Raspberry Pi with a modified syslogd config (to keep the logs from the MikroTik separate and use more reasonable timestamp format)

CZFan · March 6, 2018, 5:37pm

I don’t think editing a file once extracting from log will stand up in court of law, so suppose next best option will be a syslog server.

I’ll spin up a VM for that

pe1chl · March 6, 2018, 6:23pm

Any logfile presented as evidence can very easily be fabricated, so you only need to hope that the court does not understand that.
Similar to printed e-mails presented as evidence.

so suppose next best option will be a syslog server.

I’ll spin up a VM for that

That is always a wise thing to do when you are in a situation where you may need to provide logfiles.
Logs stored on a separate server will survive reboots and flooding with lots of irrelevant info.
They may also be of assistance when debugging nasty problems.
I always configure an external syslog server…