Feature Request: firewall: besides remote IP:port log optionally also its hostname

mutluit · July 10, 2020, 1:44pm

The current format of logging is as follows (“R1” and “TEST” are user specified strings):

Jul 10 15:15:02 192.168.xxx.xxx firewall,info R1: TEST forward: in:ether2 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.xxx.xxx:56620->137.xxx.xxx.xxx:443, len 52

It would be very useful to have a new setting for optionally also logging the DNS hostname belonging to the remote IP, ie. like this:

Jul 10 15:15:02 192.168.xxx.xxx firewall,info R1: TEST forward: in:ether2 out:ether1, src-mac xx:xx:xx:xx:xx:xx, proto TCP (SYN), 192.168.xxx.xxx:56620->137.xxx.xxx.xxx:443(> www.example.com> ), len 52

jvanhambelgium · July 10, 2020, 2:12pm

I’m not sure if this should be done on the Mikrotik itself. Again wasting valuable cpu-cycles on this.
If you have a large(r) infrastructure I don’t think you are going to look at the logs through Winbox or Webfig but you are going to push these logs into something else (eg. Splunk) or some custom SYSLOG solution.
A “DNS lookup” action/enrichment is then a very simple action.

mutluit · July 10, 2020, 4:48pm

I’m using rsyslog, yes, could do it on the rsyslog server by writing a small program.