Disabling info about ssh logging

Hello there!

I am using ssh access to manage address lists via linux scripts, everything works fine, however in MikroTik logs I’ve got A LOT of lines where the script was logged in.

Is there any way to ignore any login attempts with key or from a specific IP?

14:14:24 ssh,info publickey accepted for user: admin-ssh 
14:14:24 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:14:24 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:14:30 ssh,info publickey accepted for user: admin-ssh 
14:14:30 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:14:30 system,info address list entry added by admin-ssh 
14:14:30 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:14:36 ssh,info publickey accepted for user: admin-ssh 
14:14:36 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:14:36 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:14:43 ssh,info publickey accepted for user: admin-ssh 
14:14:43 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:14:43 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:14:49 ssh,info publickey accepted for user: admin-ssh 
14:14:49 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:14:49 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:14:56 ssh,info publickey accepted for user: admin-ssh 
14:14:56 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:14:56 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:15:03 ssh,info publickey accepted for user: admin-ssh 
14:15:03 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:15:03 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:15:10 ssh,info publickey accepted for user: admin-ssh 
14:15:10 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:15:10 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:15:16 ssh,info publickey accepted for user: admin-ssh 
14:15:16 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:15:16 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:15:24 ssh,info publickey accepted for user: admin-ssh 
14:15:24 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:15:24 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
14:15:30 ssh,info publickey accepted for user: admin-ssh 
14:15:30 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:15:30 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh



 /system logging print 
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                                                                 ACTION                                                                 PREFIX    
 0  * info                                                                   memory                                                                           
 1  * error                                                                  memory                                                                           
 2  * warning                                                                memory                                                                           
 3  * critical                                                               echo                                                                             
 4 X  debug                                                                  remote                                                                           
 5 X  ipsec                                                                  memory                                                                           
 6    error                                                                  remote                                                                           
 7    critical                                                               remote                                                                           
 8    ipsec                                                                  remote                                                                           
 9    system                                                                 remote

Change this configuration “system” to “system,!account”. Now all system topic messages should be logged except if they contain “account” topic.

I think I wasn’t clear about what I want to achieve!

I want

14:52:37 ssh,info publickey accepted for user: admin-ssh 
14:52:37 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
14:52:37 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh

to disappear from /log

Run:
“/system logging set [find where topics=system] topics=system,!account” to disable:
14:52:37 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh
14:52:37 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh

“/system logging set [find where topics=info] topics=info,!ssh” to disable:
14:52:37 ssh,info publickey accepted for user: admin-ssh

still not working as I wanted

/system logging set [find where topics=system] topics=system,!account
/system logging set [find where topics=info] topics=info,!ssh



> /system logging print
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                                                            ACTION                                                            PREFIX    
 0  * info                                                              memory                                                                      
 1  * error                                                             memory                                                                      
 2  * warning                                                           memory                                                                      
 3  * critical                                                          echo                                                                        
 4    error                                                             remote                                                                      
 5    critical                                                          remote                                                                      
 6    ipsec                                                             remote                                                                      
 7    system                                                            remote                                                                      
 8    system                                                            memory



> /system logging export
/system logging action
set 3 remote=192.168.88.250 src-address=192.168.88.1 syslog-facility=syslog
/system logging
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=ipsec
add action=remote topics=system
add topics=system

tail of /log print

15:04:40 ssh,info publickey accepted for user: admin-ssh 
15:04:40 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
15:04:40 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh 
15:04:49 ssh,info publickey accepted for user: admin-ssh 
15:04:49 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
15:04:49 system,info address list entry added by admin-ssh 
15:04:49 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh

Forgot about "":
/system logging set [find where topics="system"] topics="system,!account"
/system logging set [find where topics="info"] topics="info,!ssh"

still same

> /system logging export                                                   
/system logging action
set 3 remote=192.168.88.250 src-address=192.168.88.1 syslog-facility=syslog
/system logging
set 0 topics=info,!ssh
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=ipsec
add action=remote topics=system,!account
add topics=system,!accoun



> /system logging print                                            
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                                                            ACTION                                                            PREFIX    
 0  * info                                                              memory                                                                      
      !ssh                                                             
 1  * error                                                             memory                                                                      
 2  * warning                                                           memory                                                                      
 3  * critical                                                          echo                                                                        
 4    error                                                             remote                                                                      
 5    critical                                                          remote                                                                      
 6    ipsec                                                             remote                                                                      
 7    system                                                            remote                                                                      
      !account                                                         
 8    system                                                            memory

tailf of /log/print

15:20:14 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
15:20:14 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh

You made the changes on the topic which is logged to the remote logging server, not the one logged to memory.

/system logging set [find where topics="system" && action="memory"] topics=system,!account,!info
/system logging set [find where topics="info" && action="memory"] topics=info,!ssh

still nope

> /system logging print                                                                           
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                                                            ACTION                                                            PREFIX    
 0  * info                                                              memory                                                                      
      !ssh                                                             
 1  * error                                                             memory                                                                      
 2  * warning                                                           memory                                                                      
 3  * critical                                                          echo                                                                        
 4    error                                                             remote                                                                      
 5    critical                                                          remote                                                                      
 6    ipsec                                                             remote                                                                      
 7    system                                                            remote                                                                      
      !account                                                         
 8    system                                                            memory                                                                      
      !account



> /system logging export                                                                          
/system logging action
set 3 remote=192.168.88.250 src-address=192.168.88.1 syslog-facility=syslog
/system logging
set 0 topics=info,!ssh
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=ipsec
add action=remote topics=system,!account
add topics=system,!account

tailf of /log print

15:32:27 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
15:32:27 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh

You did not apply all the changes:
/system logging set [find where topics="system,!account" && action="memory"] topics=system,!account,!info

After that make sure that this:
8 system memory
!account

Looks like this:
8 system memory
!account
!info

I’ve modified it through winbox, still same

> /system logging print
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                                                            ACTION                                                            PREFIX    
 0  * info                                                              memory                                                                      
      !ssh                                                             
 1  * error                                                             memory                                                                      
 2  * warning                                                           memory                                                                      
 3  * critical                                                          echo                                                                        
 4    error                                                             remote                                                                      
 5    critical                                                          remote                                                                      
 6    ipsec                                                             remote                                                                      
 7    system                                                            remote                                                                      
      !account                                                         
      !info                                                         
 8    system                                                            memory                                                                      
      !account                                                         
      !info



> /system logging export
/system logging action
set 3 remote=192.168.88.250 src-address=192.168.88.1 syslog-facility=syslog
/system logging
set 0 topics=info,!ssh
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=ipsec
add action=remote topics=system,!account,!info
add topics=system,!account,!info

tail of /log print

15:39:14 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh 
15:39:14 system,info,account user admin-ssh logged out from 192.168.88.250 via ssh

HOWEVER it works for remote

Did not notice this before. Your logging rules are overlapping:
This one says to not log messages where topic is system + info + account:
8 system memory
!account
!info

But this one says to log info messages if they are not ssh related:
0 * info memory
!ssh

that part was not intentional, not sure why !ssh was there

anyway after removing it, it still doesn’t help

Okay… after upgrade it started to work!

[admin@urbinekGW_v3] > /system logging pr   
Flags: X - disabled, I - invalid, * - default 
 #    TOPICS                                                            ACTION                                                            PREFIX    
 0  * info                                                              memory                                                                      
 1  * error                                                             memory                                                                      
 2  * warning                                                           memory                                                                      
 3  * critical                                                          memory                                                                      
 4    error                                                             remote                                                                      
 5    critical                                                          remote                                                                      
 6    ipsec                                                             remote                                                                      
 7    system                                                            remote                                                                      
 8    system                                                            memory                                                                      
      !account                                                         
      !info



[admin@urbinekGW_v3] > /system logging ex
/system logging action
set 3 remote=192.168.88.250 src-address=192.168.88.1 syslog-facility=syslog
/system logging
set 3 action=memory
add action=remote topics=error
add action=remote topics=critical
add action=remote topics=ipsec
add action=remote topics=system
add topics=system,!account,!info

AAAAAAAAAAAAAnd after reboot it stopped, still got logs in /log

Please do the following when you want to get rid of specific logs:

  1. Take a look at log entry topics:
    15:39:14 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh
  2. Now look for all related topics under the “/system logging” menu. For example:
    “:foreach i in=([/system logging find ]) do={:put [/system logging get $i topics ]}”
    info
    error
    warning
    critical
    caps
    system
  3. What do we see here? We see that info and system are related to the logs which we want to hide. So we need to add “!system,!account” to the info topic and we have to add “!info,!account” to the system topic. In the end the result must look like this:
    “:foreach i in=([/system logging find ]) do={:put [/system logging get $i topics ]}”
    info;!account;!system
    error
    warning
    critical
    caps
    system;!info;!account
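
An added example, not part of the original posts and not MikroTik code: a small Python model of the rule matching this thread converges on, run over log lines copied from the thread. It assumes a rule matches when the message carries every plain topic and none of the "!"-negated ones, and that each matching rule fires independently; the rule lists are taken from the prints and exports above, and keeping an unfiltered remote "system" rule in the second set is this example's own choice.

```python
# Added example: a model of how RouterOS "/system logging" rules select messages.
# Assumption (labelled, not taken from RouterOS source): a rule matches when the
# message carries every plain topic and none of the "!"-negated ones, and every
# matching rule fires independently of the others.

def parse_rule(topics, action):
    parts = [t.strip() for t in topics.split(",") if t.strip()]
    need = {t for t in parts if not t.startswith("!")}
    deny = {t[1:] for t in parts if t.startswith("!")}
    return {"topics": topics, "action": action, "need": need, "deny": deny}

def message_topics(line):
    # Log line layout as shown in the thread: "<time> <topic,topic,...> <text>"
    _time, topics, _text = line.split(" ", 2)
    return {t for t in topics.split(",") if t}

def matches(rules, line):
    """Return {action: [rule topics that matched]} for one log line."""
    msg = message_topics(line)
    hits = {}
    for r in rules:
        if r["need"] <= msg and not (r["deny"] & msg):
            hits.setdefault(r["action"], []).append(r["topics"])
    return hits

# Rule set from the thread at the point where filtering still failed.
BEFORE = [parse_rule(t, a) for t, a in [
    ("info,!ssh", "memory"), ("error", "memory"), ("warning", "memory"),
    ("critical", "echo"), ("error", "remote"), ("critical", "remote"),
    ("ipsec", "remote"), ("system,!account,!info", "remote"),
    ("system,!account,!info", "memory"),
]]

# info/system memory rules as in the final answer; the unfiltered remote
# "system" rule (seen in one of the thread's exports) is this example's choice.
AFTER = [parse_rule(t, a) for t, a in [
    ("info,!account,!system", "memory"), ("error", "memory"),
    ("warning", "memory"), ("critical", "memory"),
    ("system,!info,!account", "memory"), ("system", "remote"),
]]

# Log lines copied from the thread.
LOGIN = "15:39:14 system,info,account user admin-ssh logged in from 192.168.88.250 via ssh"
PUBKEY = "14:14:24 ssh,info publickey accepted for user: admin-ssh"
ADDRLIST = "14:14:30 system,info address list entry added by admin-ssh"

if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        for line in (LOGIN, PUBKEY, ADDRLIST):
            print(name, "|", line[9:40], "->", matches(rules, line))
```

Under this model the final rule set keeps the login/logout lines out of memory, but it also drops "address list entry added" from memory and still stores "publickey accepted" there. The unfiltered remote rule is what keeps the account and address-list events on the syslog server as an audit trail.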

Awesome, key word was “any”

I assumed that a log, once treated, would be ignored.

Hi! Maybe you have solution for disabling these annoying messages?

oct/04/2017 07:38:12 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping
oct/05/2017 07:55:43 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping
oct/06/2017 07:50:12 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping
oct/06/2017 12:28:46 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping
oct/09/2017 07:45:04 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping
oct/09/2017 13:08:45 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping
oct/10/2017 07:12:35 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping
oct/10/2017 08:01:55 ovpn,debug,error,,,,,,,,,l2tp,info,,debug,,,critical,,,,,,,,,,,,,warning duplicate packet, dropping

and, as usual, the question about ovpn-server and “warning duplicate packet, dropping” remains without an answer…

bump