Hi Guys,
I need to pickup the ip address from the Logs
Example Message resullt from the logs: <110.54.203.170>: user ppp1 authentication failed
~I only need the 110.54.203.170..
So far my code is.. I can’t get it successfully…
:if ($logEntryMessage~"failed") do={
:local attackip [:pick $logEntryMessage ([:find $logEntryMessage "<"] + 1 ) ([:find $logEntryMessage ">: " ])]
:log info ($attackip)
I’ve tested your code (setting $logEntryMessage to “<110.54.203.170>: user ppp1 authentication failed”) and seems ok to me… ¿Maybe $logEntryMessage doesn’t have that format?
You are handling the variables the wrong way.
Correct way are to declare the variable, set it and then print/log.
I always use wrap code with [] and cut paste code to terminal to test it. So this does work:
[
:local attackip
:local logEntryMessage "<110.54.203.170>: user ppp1 authentication failed"
:if ($logEntryMessage~"failed") do={
:set $attackip [:pick $logEntryMessage ([:find $logEntryMessage "<"] + 1 ) ([:find $logEntryMessage ">: " ])]
}
:put $attackip
]
See the manual from MT regarding variables: https://wiki.mikrotik.com/wiki/Manual:Scripting#Variables
But a much better approach are to use an external Syslog handler and with Splunk you can make nice graph out of this , like i have done. Look link in my signature for example.