Exclude 1 MAC address from logging

I have 1 IoT device (a fuel oil tank level monitor) that (I believe by design) connects and disconnects intentionally on a regular and frequent basis.

My log fills up with connection and dhcp assignment messages.

I like to keep logging those types of events, but I would like to ignore this one specific client’s connection and dhcp messages.

Is this possible?

Here is a sample from the log:
Screenshot 2024-09-19 041709.png
Here is the export from /system/logging:


/system logging action
add name=logserver remote=192.168.0.112 remote-port=51400 target=remote
/system logging
set 0 disabled=yes
add topics=event
add topics=account
add topics=firewall
add disabled=yes topics=interface
add disabled=yes topics=ssh
add disabled=yes topics=wireguard
add topics=watchdog
add disabled=yes topics=wireless
add action=logserver prefix="serial=HE80xxxx MikroTik" topics=hotspot
add action=logserver prefix="serial=HE80xxxxx MikroTik" topics=\
    !debug,!packet,!snmp
add topics=info,!script

Is this not possible?

It is indeed not possible to filter the messages on their way to be logged by contents, nor to tell the processes generating them (dhcp, wireless in your case) to filter them by some parameters of the object being processed. You can only filter them when watching the log.

Thank you.

Or send your log to syslog [action=remote] (you can add a Prefix also)
(eg DUDE has syslog functionality and Syslog Rules that filter on source and Regexp content)
(this filtered syslog content can be logged as log topic “dude”)

I’ve played with the Dude, and I have Splunk set up, but I continue to find value in looking at the log in Winbox. Neither of those solutions fully replaces even the information gathering slash monitoring that is available “manually” via Winbox.

You don’t need the DUDE client to set up and look at DUDE. You do this in Winbox (or even webfig)
The DUDE menu and the Syslog Rules setup for DUDE are also in Winbox
Just as the LOG is in Winbox, including its filters when displaying.

Wow! That’s wonderful! I need to try Dude again.

Thank you.

Having a hard time getting Dude’s syslog filtering (using Syslog Rules) to work.

Using /system/logging, without an entry that includes certain topics with an action of DUDELOG, the only entries in the dude log are dude-generated entries such as “syslog: Service ssh on 192.168.2.5 is now down (timeout)”

But, when I include an entry in /system/logging such as “Topics: info” “Action: dudelog” then all info topic events show up in the dude log, regardless of a syslog rule such as the regexp “drop” rule shown:
Screenshot 2024-09-22 051451.png

What am I doing wrong?

Did you send anything to the syslog server (DUDE) ? Seems like you did not
DUDE set to active? (well actually we do not use any other element of DUDE, only its syslog function)

Topic DUDE in the System Logging rules should show the loggings sent to the syslog server
(typical action for sending loggings is called “Remote” (sending to port 514) at the sender device)

The dudelog action is only for putting the syslog gathered information in a separate buffer.
It’s writing the dudelog buffer. If you add other topics, like local info, to the dudelog buffer they will also be there without passing the syslog filter.
You can select what buffer is shown in Logging: eg dudelog, memory, all … selection in that upper right field, now set as “dudelog”
Use buffer selection “All” for combining buffer dudelog and buffer memory in the Log display

This port 514 must be allowed to receive (use chain input) by the firewall (is typical allowed for interfaces that are member of the LAN-interfacelist) on the DUDE running RoS device
Then after the firewall it passes the syslog filter: a combination of sender IP address and RegExp (IP and RegExp can be empty, and can be negated.)
Sending to your own could be done via 127.0.0.1 IP address (Input to this IP is not allowed in the firewall by default!)

So again:

  • topic has no filters, action can be memory or remote (and other)
  • remote will send to syslog server (DUDE)
  • syslog server has filters (syslog rules) and result is topic Dude
  • topic dude can have some action, like memory or here split in a separate buffer dudelog
  • logs can be in separate buffers according to System Logging action setting, at least with the “disk type” action. Name of the task is name of the buffer
  • disk? Is “files”. In Ros7 can be disk in RAM also (tmpfs) (This avoids burning too much to flash.)
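
The sender-IP plus RegExp match described in the post above, modelled in Python for the original question of hiding one client's DHCP and connection lines (an added example, not part of the thread and not The Dude's own code). The MAC address, interface names and log line formats are constructed; 192.168.0.13 is the ax3 address given in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class SyslogRule:
    # Model of the match described above: sender IP and regexp,
    # each optional ("empty") and each negatable.
    source: Optional[str] = None   # None means any sender
    source_not: bool = False
    regexp: Optional[str] = None   # None means any message text
    regexp_not: bool = False

    def matches(self, sender: str, message: str) -> bool:
        if self.source is not None and (sender == self.source) == self.source_not:
            return False
        if self.regexp is not None:
            found = re.search(self.regexp, message, re.IGNORECASE) is not None
            if found == self.regexp_not:
                return False
        return True

def mac_pattern(mac: str) -> str:
    """Regexp for one MAC, accepting ':' or '-' separators, no partial hits."""
    octets = re.split(r"[:-]", mac.strip())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", o) for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return r"(?<![0-9A-Fa-f])" + "[:-]".join(octets) + r"(?![0-9A-Fa-f])"

def filter_log(rule, records):
    """Keep records the rule matches; also return how many were suppressed,
    so the excluded device does not become an invisible blind spot."""
    kept = [(s, m) for s, m in records if rule.matches(s, m)]
    return kept, len(records) - len(kept)

# Constructed sample records: (sender IP, message text).
SAMPLE = [
    ("192.168.0.13", "dhcp,info defconf assigned 192.168.0.57 for AA:BB:CC:00:11:22 oil-tank"),
    ("192.168.0.13", "dhcp,info defconf deassigned 192.168.0.57 for AA:BB:CC:00:11:22 oil-tank"),
    ("192.168.0.13", "wireless,info aa:bb:cc:00:11:22@wifi1 connected, signal strength -61"),
    ("192.168.0.13", "dhcp,info defconf assigned 192.168.0.80 for AA:BB:CC:00:11:23 laptop"),
    ("192.168.0.13", "system,info,account user admin logged in from 192.168.0.20 via winbox"),
]
# Pass lines from the ax3 that do NOT mention the noisy client's MAC.
RULE = SyslogRule(source="192.168.0.13",
                  regexp=mac_pattern("AA:BB:CC:00:11:22"), regexp_not=True)

if __name__ == "__main__":
    kept, suppressed = filter_log(RULE, SAMPLE)
    for sender, message in kept:
        print(sender, message)
    print(f"suppressed {suppressed} line(s) for the excluded MAC")
```
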

I’m having a very hard time understanding this.

At this time, I am only trying to get certain log messages from the same device (an ax3) running the Dude server.

Dude is running.

With /system/logging set to send log items with topic “info” logs to the action “dudelog,” I see all such log entries in the ax3’s log (using the . That is, the System Rules are ignored when I change to the buffer “dudelog.”

How can I see only the filtered log entries?

Send the logs to DUDE with action “remote” as you do now send them to action “dudelog”, forget action dudelog, you don’t need it.
Make another log entry for the logs now with topic DUDE, and send that to memory buffer, with action “memory”


Topic "X" -> action "remote"
Syslog rules as filter on those X topic logs
Extra logging action for Topic "dude" -> action "memory"

Only logging for topic X , that passes the filter , will show up in the memory log

The whole dudelog construction is only if you want to have this in a separate log buffer.

I have no idea what a “dudelog construction” is or how a “separate log buffer” would be used.

I did what you wrote, as best I can, and this is what I have:

/system logging action
set 3 remote=192.168.0.13
add disk-file-count=900 disk-file-name=syslog_dude disk-lines-per-file=32000 \
    name=dudelog target=disk

/system logging
add action=dudelog topics=dude
add topics=dude

The local ax3 is 192.168.0.13

I have no clue what is going on now.

I have no clue how The Dude’s syslog server is involved in the logs or what, if anything, is being sent to it, or how to view it.

forget action dudelog, you don’t need it.

Somebody else could maybe help.
I’m not going to write dedicated cookbook recipes, nor give exact and verified commands to copy/paste

With Mikrotik, you better understand what you are doing, or get stuck every time something changes

Expected you to do as I tried to explain before

Something like …

/system/logging
add action=remote topics=info
add action=memory topics=dude

line 1 sends log data to DUDE
line 2 sets DUDE’s filtered data in log’s memory buffer

I understand, and that is what I’ve been trying to do, and appreciate your help greatly.