I am finally at a place where monitoring the log outputs of 16 different MT devices across 8 different physical locations is reasonably efficient.
The specific problem I was having is that I am also using Splunk with @jotne scripts that create a lot of log entries every 5 minutes and did not want to see them in the log.
For anyone interested, or struggling with logging, here is my setup.
- Install and enable The Dude; in my case, on an ax3 at 192.168.0.13. The IP is irrelevant except that each 192.168.X.0/24 is a different one of the 8 locations, all connected via Wireguard.
- Each MT device has the following log action and rule set up. I also have a rule to log topics=info,!script to memory to view the “info” log entries locally on each machine without seeing the “script” log entries.
```
/system logging action
set 3 bsd-syslog=no name=remote remote=192.168.0.13 remote-port=514 \
    src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto \
    syslog-time-format=bsd-syslog target=remote
/system logging
add action=remote disabled=no prefix="192.168.30.1 " topics=info
```
The prefix identifies the local MT device in the log entries. In my case, this is helpful because some of the MT devices get identified by their Wireguard interface IP (10.10.100.x) and some by their 192.168.x address.
On the Dude server is where the cool stuff happens.
Under SETTINGS | SYSLOG I set up a series of rules. The order is important (similar to firewall rules), so remember that the rules will be processed in order. For example, if you have the “accept” all rule at the top (position #1) then, effectively, no other rule will be processed.
One of the rules drops all log entries with the word “script” in them.
The regexp expression I used is:
.script.
Note the periods at the beginning and end. I believe they indicate that anything can come before and after the word script in the log entry.
The action is set to drop.
I also have other rules before the “script” rule that accept some log entries that do include the word script.
For example, I have other scripts that create log entries like a backup ftp, and a dyndns update.
I used rules like:
.dyndns. accept
.uploaded rsc backup. accept
I also have accept rules for .netwatch. and .wireless.
I also have drop rules for .dhcp. and .handshake for peer did not.
I am far far far from an expert at ROS, so if anyone wants to correct or clarify, please feel free.
Many thanks to @amm0 and @bpwl for their generous help!
Here is a sample of the log as viewed from The Dude client:
,Oct/01 19:35:16,"syslog: 10.10.100.30: netwatch,info 192.168.30.1 : event up [ 8.8.4.4-JRS-small ]"
,Oct/01 19:35:18,"syslog: 10.10.100.30: e-mail,info 192.168.30.1 : sent <76hAPax3 DOWN to 8.8.4.4> to: joseph@xxxx.com "
,Oct/01 19:38:30,"syslog: 10.10.100.30: script,info 192.168.30.1 : .id=*37;action=Netwatch config changed;by=admin;policy=write;redo=/tool netwatch set ""8.8.4.4-JRS-small"" comment=8.8.4.4-JRS-small \
"
,Oct/01 19:38:30,"syslog: 10.10.100.30: script,info 192.168.30.1 : ;time=2024-10-01 19:35:13;trace=winbox-3.40/tcp-msg(winbox):admin@192.168.2.153;undo=/tool netwatch set ""8.8.4.4-JRS-small"" comment=8.8.4.4-JRS-small \
"
,Oct/01 19:38:30,"syslog: 10.10.100.30: script,info 192.168.30.1 : .id=*36;action=Netwatch config changed;by=admin;policy=write;redo=/tool netwatch set ""8.8.4.4-JRS-small"" comment=8.8.4.4-JRS-small \
"
,Oct/01 19:38:30,"syslog: 10.10.100.30: script,info 192.168.30.1 : ;time=2024-10-01 19:35:12;trace=winbox-3.40/tcp-msg(winbox):admin@192.168.2.153;undo=/tool netwatch set ""8.8.4.4-JRS-small"" comment=8.8.4.4-JRS-small \
"
,Oct/01 19:39:19,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 disconnected, connection lost, signal strength -74"
,Oct/01 19:39:20,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 connected, signal strength -74"
,Oct/01 19:39:54,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 disconnected, connection lost, signal strength -74"
,Oct/01 19:39:55,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 connected, signal strength -76"
,Oct/01 20:03:16,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 disconnected, connection lost, signal strength -75"
,Oct/01 20:03:18,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 connected, signal strength -76"
,Oct/01 20:04:50,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 7C:4B:26:5D:06:BE@wifi1 disconnected, connection lost, signal strength -75"
,Oct/01 20:04:51,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 7C:4B:26:5D:06:BE@wifi1 connected, signal strength -67"
,Oct/01 20:50:55,"syslog: 192.168.2.5: interface,info 192.168.2.5 : ether3 link down"
,Oct/01 20:50:57,"syslog: 192.168.2.5: interface,info 192.168.2.5 : ether3 link up (speed 10M, half duplex)"
,Oct/01 20:51:50,"syslog: 192.168.2.5: interface,info 192.168.2.5 : ether3 link down"
,Oct/01 20:51:54,"syslog: 192.168.2.5: interface,info 192.168.2.5 : ether3 link up (speed 100M, full duplex)"
,Oct/01 21:32:51,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 disconnected, connection lost, signal strength -75"
,Oct/01 21:33:08,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 connected, signal strength -78"
,Oct/01 21:38:14,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 disconnected, connection lost, signal strength -75"
,Oct/01 21:38:51,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 connected, signal strength -77"
,Oct/01 21:39:11,"syslog: 192.168.0.11: script,info 192.168.0.11 : Uploaded rsc backup to 192.168.2.22 as 355hEX_2024-10-01"
,Oct/01 21:47:02,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 7C:4B:26:5D:06:BE@wifi1 disconnected, connection lost, signal strength -79"
,Oct/01 22:33:30,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -74"
,Oct/01 22:33:46,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -75"
,Oct/01 22:34:33,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -74"
,Oct/01 22:34:48,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -74"
,Oct/01 22:35:27,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -77"
,Oct/01 22:35:43,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -73"
,Oct/01 22:36:39,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -75"
,Oct/01 22:36:55,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -76"
,Oct/01 22:37:14,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -75"
,Oct/01 22:37:30,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -77"
,Oct/01 22:38:00,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -77"
,Oct/01 22:38:15,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -74"
,Oct/01 22:39:31,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -74"
,Oct/01 22:39:47,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -77"
,Oct/01 22:40:31,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -79"
,Oct/01 22:40:47,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -77"
,Oct/01 22:41:22,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -74"
,Oct/01 22:41:38,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -76"
,Oct/01 22:42:02,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -76"
,Oct/01 22:42:18,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -76"
,Oct/01 22:42:43,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -75"
,Oct/01 22:42:58,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -72"
,Oct/01 22:43:28,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -76"
,Oct/01 22:43:44,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -77"
,Oct/01 22:44:16,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -78"
,Oct/01 22:44:31,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -69"
,Oct/01 22:44:54,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -77"
,Oct/01 22:45:10,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -74"
,Oct/01 22:45:38,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -76"
,Oct/01 22:45:54,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -76"
,Oct/01 22:46:37,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -76"
,Oct/01 22:46:53,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -77"
,Oct/01 23:42:25,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 disconnected, connection lost, signal strength -75"
,Oct/01 23:42:26,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 connected, signal strength -76"
,Oct/01 23:45:55,"syslog: 127.0.0.1: netwatch,info 192.168.0.13: event down [ Netwatch-192.168.30.2-Splunk ]"
,Oct/01 23:45:55,"syslog: 127.0.0.1: script,info 192.168.0.13: script=netwatch watch_host=192.168.30.2 comment=""Netwatch-192.168.30.2-Splunk"" status=down interval=00:00:20 since=""2024-10-01 23:45:55"""
,Oct/01 23:46:00,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 disconnected, connection lost, signal strength -76"
,Oct/01 23:46:01,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 connected, signal strength -78"
,Oct/01 23:46:12,"syslog: 127.0.0.1: netwatch,info 192.168.0.13: event up [ Netwatch-192.168.30.2-Splunk ]"
,Oct/01 23:46:12,"syslog: 127.0.0.1: script,info 192.168.0.13: script=netwatch watch_host=192.168.30.2 comment=""Netwatch-192.168.30.2-Splunk"" status=up interval=00:00:20 since=""2024-10-01 23:46:12"""
,01:59:48,"syslog: 10.10.100.30: script,info 192.168.30.1 : Uploaded rsc backup to 192.168.2.22 as 76hAPax3_2024-10-02"
,02:00:02,"syslog: 10.10.100.30: script,info 192.168.30.1 : UpdateDynDNS: No dyndns update needed"
,02:00:03,"syslog: 192.168.0.11: script,info 192.168.0.11 : UpdateDynDNS: No dyndns update needed"
,02:00:03,"syslog: 10.10.100.70: script,info 192.168.70.1 : UpdateDynDNS: No dyndns update needed"
,02:00:05,"syslog: 10.10.100.60: script,info 192.168.1.2 : UpdateDynDNS: No dyndns update needed"
,02:00:08,"syslog: 10.10.100.40: script,info 192.168.40.1 : UpdateDynDNS: No dyndns update needed"
,02:00:12,"syslog: 10.10.100.1: script,info 192.168.2.2 : UpdateDynDNS: No dyndns update needed"
,03:44:32,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -77"
,03:44:48,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -78"
,03:56:26,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 disconnected, connection lost, signal strength -75"
,03:56:27,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 2C:6F:C9:5F:BC:EB@2point4 connected, signal strength -76"
,04:24:38,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 reconnecting, signal strength -73"
,04:24:54,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 00:04:20:F9:31:D2@wifi2 connected, signal strength -73"
,04:47:40,"syslog: 10.10.100.1: script,info 192.168.2.2 : Uploaded rsc backup to 192.168.2.22 as 212RB5009_2024-10-02"
,05:00:24,"syslog: 192.168.2.5: wireless,info 192.168.2.5 : 7C:4B:26:5D:06:BE@wifi1 connected, signal strength -68"
,05:39:19,"syslog: 10.10.100.30: system,info,account 192.168.30.1 : user admin logged in from 192.168.2.153 via winbox"
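
The ordered, first-match rule processing described in the post, as an added example (not the poster's configuration and not The Dude's code). It assumes unanchored, case-insensitive matching and an accept default when no rule matches, which is consistent with the sample log but not confirmed by the page; `classify`, `kept` and `hidden_by_reorder` are hypothetical names. It also shows which entries, including the `by=admin` config-change record, disappear if the `.script.` drop rule is moved to the top.

```python
import re

# Ordered (pattern, action) rules as listed in the post; first match wins.
RULES = [
    (r".dyndns.", "accept"),
    (r".uploaded rsc backup.", "accept"),
    (r".netwatch.", "accept"),
    (r".wireless.", "accept"),
    (r".dhcp.", "drop"),
    (r".handshake for peer did not", "drop"),
    (r".script.", "drop"),
]

# The first five entries are taken from the log in the post (one shortened);
# the last two are constructed for illustration.
SAMPLE = [
    "10.10.100.30: script,info 192.168.30.1 : UpdateDynDNS: No dyndns update needed",
    "192.168.0.11: script,info 192.168.0.11 : Uploaded rsc backup to 192.168.2.22 as 355hEX_2024-10-01",
    "10.10.100.30: script,info 192.168.30.1 : .id=*37;action=Netwatch config changed;by=admin;policy=write",
    "192.168.2.5: interface,info 192.168.2.5 : ether3 link down",
    "10.10.100.30: system,info,account 192.168.30.1 : user admin logged in from 192.168.2.153 via winbox",
    "10.10.100.30: script,info 192.168.30.1 : script=resource uptime=1d02:03:04",  # constructed
    "10.10.100.30: dhcp,info 192.168.30.1 : dhcp1 assigned 192.168.30.50",  # constructed
]

def classify(line, rules, default="accept"):
    """Return (action, matching pattern) for the first rule that matches."""
    for pattern, action in rules:
        # Assumption: substring search, case-insensitive. Each "." matches
        # exactly one character, so "script" needs a neighbour on both sides.
        if re.search(pattern, line, re.IGNORECASE):
            return action, pattern
    return default, None  # assumption: unmatched entries are shown

def kept(lines, rules):
    """Entries that would still be visible in the log view."""
    return [l for l in lines if classify(l, rules)[0] == "accept"]

def hidden_by_reorder(lines, rules, pattern):
    """Entries visible under `rules` that vanish if `pattern` moves to position 1."""
    moved = [r for r in rules if r[0] == pattern]
    reordered = moved + [r for r in rules if r[0] != pattern]
    after = kept(lines, reordered)
    return [l for l in kept(lines, rules) if l not in after]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry, RULES), entry)
    print(hidden_by_reorder(SAMPLE, RULES, r".script."))
```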