How do if wrong user add to address lists?
For example, have this in log
login failure for user xyz from x.x.x.x via api
I would like the IP address to automatically go to the address lists if the user uses it.
This address lists have in Firewall rule where drop.
Wrong question, you are asking in terms of config.
State the requirement in terms of a device or user without mentioning config.
Then the right tools can be applied.
There are dozens of posts on this, you can find them in the forum.
Example one below, but you will have to slightly adapt, since you are seeking for a message like “login failure for user”
Such script will have to be scheduled to run eg. every 5 minutes and it will parse the logs of the last 5 minutes (adjustable) and add the IP-address to a list.
http://forum.mikrotik.com/t/script-to-add-ip-of-failed-ipsec-login-to-block-list/130788/1
I change winbox port but not off api service because I didn’t even know there was such a thing.
I was wondering how they can still log in.
Your questions and requirements are not clear!
Please let us know what you want users/devices to be able to do, and what they should not be able to do without any talk of the config.
If it helps draw a network diagram