Logging to disk & log formats

Hi all,

I need to integrate my Mikrotik router with Ossec at http://www.ossec.net. Has anyone already done this? I want to collect all the logs that my router generates. What is the best way to do this? I have a home setup so I was thinking of logging everything to an external drive.
I have a Rd 751G-2HnD router.

RouterOS version 6.4.

In addition, is there a place where the Mikrotik logging format is described? I saw something in the wiki where the format was date, categories and then the event. Is this a standard format? Does the router follow the BSD syslog RFC 3164?
Pranav

Did you ever come up with something?

Hi,

No. I do remember logging to syslog while I had that setup working.
My current set of actions is as follows.

Flags: X - disabled, I - invalid, * - default
 #   TOPICS     ACTION   PREFIX
 0 * info       memory
 1 * error      memory
 2 * warning    memory
 3 * critical   echo
 4   critical   disk
 5   firewall   disk
 6   firewall   memory
 7   e-mail     memory
 8   !async     remote

What I ended up doing is adding a “mikrotik” prefix to messages I send to “remote” and created a custom decoder that searches for “mikrotik:” in the message. From there I created other child decoders to interpret login (good and bad) attempts and corresponding rules.

Decoder:

<decoder name="mikrotik">
  <prematch>mikrotik:</prematch>
</decoder>

<decoder name="mikrotik-successful-login">
  <parent>mikrotik</parent>
  <prematch>^system,info,account mikrotik: user </prematch>
  <regex offset="after_prematch">^(\S+) logged in from (\S+) via (\S+)</regex>
  <order>user,srcip,extra_data</order>
</decoder>

<decoder name="mikrotik-failed-login">
  <parent>mikrotik</parent>
  <prematch>^system,error,critical mikrotik: login failure for user </prematch>
  <regex offset="after_prematch">^(\S+) from (\S+) via (\S+)</regex>
  <order>user,srcip,extra_data</order>
</decoder>

Rules:

<group name="local,syslog,">

  <rule id="102000" level="2">
    <decoded_as>mikrotik</decoded_as>
    <description>Unknown mikrotik message</description>
    <options>alert_by_email</options>
  </rule>

  <rule id="102001" level="0">
    <description>ignore debug messages</description>
    <if_sid>102000</if_sid>
    <match>^,debug </match>
  </rule>

  <rule id="102002" level="0">
    <description>ignore dns resolving messages</description>
    <if_sid>1002</if_sid>
    <decoded_as>mikrotik</decoded_as>
    <match>QUERY 'no error'</match>
  </rule>

  <rule id="102003" level="7">
    <description>report mikrotik successful login</description>
    <decoded_as>mikrotik</decoded_as>
    <match>logged in from</match>
    <group>authentication_success,</group>
  </rule>

  <rule id="102004" level="7">
    <description>report mikrotik authentication failure.</description>
    <decoded_as>mikrotik</decoded_as>
    <match>login failure for user</match>
    <group>authentication_failed,</group>
  </rule>
  ...
</group>

Now I need to figure out ossec active response – I’m going to see if I can create a script/program to add IP addresses to an IP firewall address list to simulate something like fail2ban.
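The following is an added worked example (not code from the post above or from the OSSEC project): a small Python emulation of the decoder chain and rule tree the post describes, run over constructed MikroTik log lines, plus the fail2ban-style counting that the active-response idea at the end needs. It transcribes the two child decoders from the post verbatim and applies the regex after the prematch, the way `offset="after_prematch"` does. The rule logic is simplified (the ignore rules are keyed on the topic list and on the DNS substring rather than on the exact `<match>` expressions), and the failure threshold, the address-list name and the timeout are assumptions. The script only builds the RouterOS command an active-response script would send; pushing it to the router (over SSH or the API) is left to that script.

```python
import re
from collections import Counter

# Constructed sample log payloads (not from the original post), shaped the way
# the decoders in the post expect them: MikroTik topics, the "mikrotik:" prefix
# set with /system logging, then the message. The syslog header is assumed to
# have been stripped already, as OSSEC does before decoding.
SAMPLE_LOGS = [
    "system,info,account mikrotik: user admin logged in from 192.0.2.10 via winbox",
    "system,error,critical mikrotik: login failure for user root from 198.51.100.7 via ssh",
    "system,error,critical mikrotik: login failure for user root from 198.51.100.7 via ssh",
    "system,error,critical mikrotik: login failure for user admin from 198.51.100.7 via ssh",
    "dns,packet mikrotik: done query: #12345 example.com. A QUERY 'no error'",
    "firewall,debug mikrotik: some debug chatter",
    "system,info mikrotik: router rebooted",
    "kernel: unrelated line without the prefix",
]

# Child decoders transcribed from the post: (name, prematch, regex, order).
CHILD_DECODERS = [
    ("mikrotik-successful-login",
     r"^system,info,account mikrotik: user ",
     r"^(\S+) logged in from (\S+) via (\S+)",
     ("user", "srcip", "extra_data")),
    ("mikrotik-failed-login",
     r"^system,error,critical mikrotik: login failure for user ",
     r"^(\S+) from (\S+) via (\S+)",
     ("user", "srcip", "extra_data")),
]

FAILURE_THRESHOLD = 3           # assumed value, not from the post
ADDRESS_LIST = "ossec_blocked"  # assumed address-list name


def decode(log):
    """Emulate the parent/child decoder chain: the parent prematch must hit,
    then the first child whose prematch hits has its regex applied to the
    text after the prematch and fills the fields named in <order>."""
    if "mikrotik:" not in log:              # parent <prematch>
        return None
    event = {"decoder": "mikrotik", "log": log}
    for name, prematch, regex, order in CHILD_DECODERS:
        pm = re.search(prematch, log)
        if not pm:
            continue
        m = re.match(regex, log[pm.end():])  # offset="after_prematch"
        if m:
            event["decoder"] = name
            event.update(zip(order, m.groups()))
            break
    return event


def classify(event):
    """Simplified rule tree; returns (rule id, level, group). The level-0
    ignore rules are checked first, then the login rules, then the catch-all."""
    log = event["log"]
    topics = log.split(" mikrotik:", 1)[0]
    if "debug" in topics.split(","):
        return 102001, 0, None                        # ignore debug messages
    if "QUERY 'no error'" in log:
        return 102002, 0, None                        # ignore dns resolving messages
    if event["decoder"] == "mikrotik-successful-login":
        return 102003, 7, "authentication_success"
    if event["decoder"] == "mikrotik-failed-login":
        return 102004, 7, "authentication_failed"
    return 102000, 2, None                            # unknown mikrotik message


def address_list_command(ip, timeout="1h"):
    """RouterOS command an active-response script would issue to put the
    offending source on an address list (list name and timeout assumed)."""
    return (f"/ip firewall address-list add list={ADDRESS_LIST} "
            f"address={ip} timeout={timeout} comment=\"ossec active response\"")


def process(logs, threshold=FAILURE_THRESHOLD):
    """Run decode + classify over the lines; count rule hits and failed logins
    per source, and emit one block command when a source reaches the threshold."""
    hits, failures, commands = Counter(), Counter(), []
    for line in logs:
        event = decode(line)
        if event is None:
            continue
        rule_id, level, group = classify(event)
        hits[rule_id] += 1
        if group == "authentication_failed":
            failures[event["srcip"]] += 1
            if failures[event["srcip"]] == threshold:
                commands.append(address_list_command(event["srcip"]))
    return {"hits": dict(hits), "failures": dict(failures), "commands": commands}


if __name__ == "__main__":
    for key, value in process(SAMPLE_LOGS).items():
        print(key, value)
```

With the constructed input, the three failures from 198.51.100.7 cross the threshold and produce a single address-list command; in a real deployment the count would also be bounded by a time window (OSSEC's `<frequency>` and `<timeframe>` rule attributes do this), and the address list would be referenced by a drop rule in the input chain.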

Hi,
Thanks for this idea. I no longer have ossec installed but I may bring it up again. How did you add the prefix to Mikrotik’s syslog messages?

That’s simple: For the topics that you send to your remote system, there is a prefix setting:

/system logging
add action=remote prefix=mikrotik topics=!debug

Many thanks. Time I set up another syslog server.