My latest adventure is that apparently there is no way to filter log Prefixes. This seems like an egregious oversight, so I suspect I’m missing something. Backing up to the beginning of things, I’m trying to control logging for specific network traffic. I want different files for each “segment” I am interested in. Here’s what I’ve set up:
- Two address lists — IOT and TVS — with an address list of the appropriate devices in each. (I’ve set them up manually, but will probably move that into DHCP once I get a handle on things.)
- Two firewall rules (one for each list) that match on three conditions: destination address isn’t in the LAN, source address list matches the expected (IOT or TVS), and connection state is “new” — the action is Accept, and I ticked the “log” checkbox, with a Prefix of the appropriate label (IOT or TVS).
- Two Actions in System Logging — IOT and TVS — that each write to different files on disk.
- Two Rules in System Logging — IOT and TVS — that handle the “firewall” topic, with the appropriate Prefix, and call the corresponding Action.
What I expected to get was that the Prefix defined in System Logging would “filter” the log messages — logging only messages with Prefix e.g. “TVS”
What’s actually happening is every log message gets double-tagged: TVS and IOT, which makes both log files more or less identical, and thus completely useless for my needs. Upon rereading the documentation I see that both places I set Prefix say that it will be added to the log line, so it’s behaving exactly as described. But that’s not very useful to me.
So my question is … can I do this with Mikrotik in some way I haven’t explored yet, or should I give up this foolish idea and simply log everything to a remote server (maybe in a container) and filter with better tools there?
Thanks, once again, in advance!
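For reference, here is the setup described in the post written out as RouterOS CLI commands (an added example, not the poster's own export or MikroTik documentation). The addresses, the LAN subnet, the `forward` chain and the file names are assumptions; only the IOT half is shown, the TVS half is identical with the label swapped.

```routeros
# Constructed example of the configuration described above (RouterOS CLI form).
# Assumed values: LAN is 192.168.88.0/24, one IOT device at 192.168.88.50.

/ip firewall address-list
add list=IOT address=192.168.88.50 comment="example IOT device (constructed)"

# Firewall rule: new connections from the IOT list leaving the LAN are
# accepted and logged.  log-prefix is PREPENDED to the message text; it is
# the only place the IOT label is tied to this specific traffic.
/ip firewall filter
add chain=forward connection-state=new src-address-list=IOT \
    dst-address=!192.168.88.0/24 action=accept log=yes log-prefix="IOT"

# Logging action: write matching log lines to a file on disk.
/system logging action
add name=IOT target=disk disk-file-name=iot

# Logging rule: selects messages by TOPIC only.  The prefix here is also
# prepended to every matched line, it does not filter on the firewall rule's
# log-prefix.  With a second rule of the same shape for TVS, every
# topics=firewall message matches both rules and lands in both files,
# which is exactly the double-tagging the post observes.
/system logging
add topics=firewall prefix=IOT action=IOT
```

Reading the two `prefix=` settings side by side makes the page's conclusion visible: neither is a match condition, so two logging rules on the same topic will always produce two identical files.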