We had to put in the following rules to block outbound port 25 traffic, except the mail from our LAN mail server. I need to log the IPs of workstations that are triggering the deny rule. How would I go about that?
Rules:
 1   ;;; Allow email from our approved SMTP senders list regardless of destination
     chain=forward action=accept protocol=tcp
     src-address-list=APPROVED_SMTP_SERVERS dst-port=25

 2   ;;; Allow email from our approved SMTP senders list regardless of destination
     chain=forward action=accept protocol=tcp
     dst-address-list=APPROVED_SMTP_SERVERS dst-port=25

 3   ;;; Drop traffic to invalid SMTP servers
     chain=forward action=drop protocol=tcp dst-port=25
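
One way to capture the workstations hitting the drop rule, as an added example that is not part of the original post: turn on logging for the existing drop rule and also record each source address in an address list. The log prefix SMTP-DROP, the list name SMTP_OFFENDERS and the one-day timeout are assumed values; the drop rule is located by the comment shown in the rule listing.

```routeros
# Added example; SMTP-DROP, SMTP_OFFENDERS and the 1d timeout are assumed values.

# Record the source IP of any port 25 traffic that got past the two accept
# rules. add-src-to-address-list does not terminate processing, so the packet
# still continues to the drop rule placed directly below it.
/ip firewall filter add chain=forward protocol=tcp dst-port=25 \
    action=add-src-to-address-list address-list=SMTP_OFFENDERS \
    address-list-timeout=1d \
    comment="Record hosts sending to invalid SMTP servers" \
    place-before=[find comment="Drop traffic to invalid SMTP servers"]

# Log every packet the drop rule matches; each log line includes the
# source address and port of the workstation.
/ip firewall filter set [find comment="Drop traffic to invalid SMTP servers"] \
    log=yes log-prefix="SMTP-DROP"

# Review what was caught.
/ip firewall address-list print where list=SMTP_OFFENDERS
/log print where message~"SMTP-DROP"
```

The address list gives one entry per workstation, while the log gives one line per dropped packet, so the list is the quicker view when a host retries often.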