Mikrotik Remote Syslog

Hello all,

Having a bit of a problem logging firewall rules from a MT router.

I have a Linux server running syslog to catch the firewall logs from the MT and I am getting the logs, but they are being written to /var/log/messages. How do I set it up to log to a different file? Here is a sample of my syslog.conf file.

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none            /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  /var/log/maillog

# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 *

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log

I have tried a bunch of different configurations to no avail.

Any help would be greatly appreciated.

Dan

Fixed the problem. For future reference for people in the same situation I was in, if you want to log with Linux and syslog, in the /etc/syslog.conf file you need the following:

*.info;mail.none;authpriv.none;cron.none;user.none              /var/log/messages

This line should be already in the config file but you need to add the “;user.none” to the end of it.
This stops the logging from mikrotik from showing up in the /var/log/messages file.

Then add this line anywhere below the line above.

user.*  "path to file you want logs to go into"

Don’t forget to open the UDP port that syslog listens to (default 514) if you are running a firewall (which you should be), and lock down only the IPs that you want to connect to this port. There is no security and it would allow a malicious person to fill up your log files with crap.

I will be working on a Perl script to keep the log file to a decent size and possibly be working on a PHP page to view this information if I can’t find one that works well.

I’ll keep updating this thread for people interested as I have more to offer.

Dan
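
Added example, not part of the thread: a simplified model of how classic syslog.conf selectors are evaluated, showing why the router's messages land in /var/log/messages until ";user.none" is appended. It assumes the messages arrive with facility user, as the fix above implies; /var/log/mikrotik.log is a hypothetical path and the "=" and "!" modifiers are not modelled.

```python
# Added example: simplified model of classic syslog.conf selector matching.
# Covers "facility.priority", comma-separated facilities, "*" and "none";
# the "=" and "!" priority modifiers are not modelled.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def selector_matches(selector, facility, priority):
    """True if a (facility, priority) message is selected; the last matching part wins."""
    matched = False
    for part in selector.split(";"):
        facs, _, prio = part.strip().rpartition(".")
        if not {"*", facility} & set(facs.split(",")):
            continue  # this part does not mention our facility
        if prio == "none":
            matched = False
        elif prio == "*":
            matched = True
        else:  # "info" means info and anything more severe
            matched = PRIORITIES.index(priority) >= PRIORITIES.index(prio)
    return matched

def destinations(conf_text, facility, priority):
    """List the actions (files) that would receive the message."""
    hits = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, action = line.split(None, 1)
        if selector_matches(selector, facility, priority):
            hits.append(action)
    return hits

# Constructed configs. /var/log/mikrotik.log is a hypothetical path.
BEFORE = """
*.info;mail.none;authpriv.none;cron.none    /var/log/messages
mail.*                                      /var/log/maillog
"""
AFTER = """
*.info;mail.none;authpriv.none;cron.none;user.none    /var/log/messages
mail.*                                                /var/log/maillog
user.*                                                /var/log/mikrotik.log
"""

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, "user.notice ->", destinations(conf, "user", "notice"))
        print(name, "daemon.info ->", destinations(conf, "daemon", "info"))
```

Because "user.*" has no priority floor, the dedicated file also receives user.debug messages that "*.info" would have dropped.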