Monitor-logs-send-mail-alert (Wiki script)

Hi,
Is anyone using this script as documented in the Wiki?

https://wiki.mikrotik.com/wiki/Monitor_logs,_send_email_alert_/_run_script

I'm running 6.47.x and wanted to try the script because it would be good to get a notification, for example, if a port-knock sequence was performed, etc.
So I've copy-pasted the script, adapted some variables as per the Wiki and scheduled it (every 5 min).

Although it works, it always mails me the same line of logging and does not provide the log lines I want to see.

BEGIN SETUP

:local scheduleName "Log-Keyword-Parser"
:local emailAddress "mymail@mydomain"
:local startBuf [:toarray [/log find message~"logged in" || message~"login failure" || message~"changed" || message~"IP4-IN-PORTKNOCK"]]
:local removeThese {"telnet";"whatever string you want"}

END SETUP

As you see, I've added/extended the "startBuf" to include a tagline that is present when port-knock stuff happens. The "tilde" char means "contains", I guess??? Because there are characters after the "PORTKNOCK" string, but I think it should include that. The Wiki stated I could extend the filter to capture more messages of interest.
When I SSH into my box and issue a print command with such a filter, "where message~"logged in" || message~"login failure" || message~"changed" || message~"IP4-IN-PORTKNOCK"", I get multiple lines of output, so syntax-wise it seems OK.

The reason I want to perform it via script is because I use a free license of Splunk (Enterprise), so notification alerts are not possible ;-( Otherwise I would have fired alerting via my Splunk platform.

So yeah, not really sure why it's not mailing me more info than, each time, the line containing the "changed" keyword.
The script "updates" itself and updates the date-time stamp in there, hence each time there is a line in the log stating "script has changed", so that is expected.

Hmm, ok, it seems to work now. I've reduced the timer to run it every 1 minute. Perhaps there is a limitation on the number of log entries that you can put into the array. I do have other scripts running that also generate output in the logging… I might exceed 4096 bytes or something for the local/global variables limit.

You could try my script "Forward log messages via notification"; I guess it is more advanced than what can be found in the wiki. For example, it can notify via e-mail, Matrix and Telegram, it does not write to the config on every invocation, it tries to avoid notification floods, …

By default it forwards everything with severity warning and up, but it can be configured. Something like this in the configuration should meet your needs:

:global LogForwardInclude "account";
:global LogForwardIncludeMessage "(changed|IP4-IN-PORTKNOCK)";

This, for me, does not make any sense:

:local startBuf [:toarray [/log find message~"logged in" || message~"login failure"]]
:local removeThese {"telnet";"whatever string you want"}

It is better to set only what I need and STOP, like:
:local startBuf [/log find where message~"IP4-IN-PORTKNOCK"]
and the result is always an array anyway, so it is useless to re-convert it.

Or, if you must exclude something for some reason, it must be like:
:local startBuf [/log find where message~"IP4-IN-PORTKNOCK" and (!(message~"TIMEOUT-IP4-IN-PORTKNOCK")) ]

or multiple choices for both:

:local startBuf [/log find where message~"(IP4-IN-PORTKNOCK|also this|this|and this)" and (!(message~"(TIMEOUT-IP4-IN-PORTKNOCK|also neither this|neither this|and neither this)")) ]