Remote Logging and Kiwi Syslog

I have been trying for 2 days now and can't get the Mikrotik router to do remote logging into Kiwi. I even reset the configuration and turned off the Windows firewalls and made sure all the port settings are right. What am I missing? I have read this post and the settings look the same. http://forum.mikrotik.com/t/how-to-connect-configure-kiwi-syslog-with-mikrotik/110055/9

I can see in the firewall connections that it is sending out the data, but it is not getting to Kiwi.

P.S. I have this in a testing environment now so I don't mess up the production network. I want to get it working so I can put it into production.

All help is welcome.

Thank you.
(attachments: 5.JPG, 6.JPG, 2.JPG, 3.JPG, 4.JPG, 1.JPG)

Can help you with this. But you can have a look at my post about setting up and using Splunk (instead of Kiwi syslog).
See link in my signature…

We already have a paid version of Kiwi syslog running on our production network. I only downloaded the free version for the test network. We will just stay with Kiwi for now.
I need to get the router to send logs to it.

Try to set up an rsyslog server on an Ubuntu server. Then see if it receives syslog data from your router.
For me Kiwi is just an equivalent of an rsyslog server.

What others write about Splunk/Kiwi:

The SolarWinds Kiwi Syslog Server does what it’s supposed to do. It’s a bare-bones Syslog Server. If your company is just trying to fulfill security requirements or doesn’t need all the advanced features of a product such as Splunk, then Kiwi will work well and not break the bank. Using the tool is very straightforward as there aren’t a lot of options outside of just viewing logs.

I tried to install rsyslog but some of the command lines on their website don't work. So what next?

So you cannot get rsyslog to work?
You can try to search for help on Google:

rsyslog site:https://stackoverflow.com

We tried. Still running into problems trying to get rsyslog to work on Ubuntu. I'm not going to mess with rsyslog anymore.
Any ideas why we are not getting logs in Kiwi?

P.S. So I tried a syslog generator on a different computer and Kiwi does receive those logs, so it's got to be on the router side of things.

To set up rsyslog on Ubuntu:
http://forum.mikrotik.com/t/tool-using-splunk-to-analyse-mikrotik-logs-3-3-graphing-everything/121810/13
This works for sure on a clean Ubuntu.

Where do you run Kiwi? Ubuntu/Linux?
Is there a local firewall that may block the data?

To send a test message from Ubuntu to a syslog server:

echo '<14>sourcehost message text' | nc -v -u -w 0 127.0.0.1 514

If it is a remote server, change 127.0.0.1 to the IP of the receiver.

If this works from a remote server, then there is an error in the Mikrotik setup or somewhere between MT and Kiwi.

Are the MT and Kiwi on the same LAN?

Post the output of:

/system logging export

This is my setup used with Splunk:

/system logging action
add name=logserver remote=192.168.1.50 target=remote
/system logging
set 0 disabled=yes
add action=logserver prefix=MikroTik topics=dhcp
add action=logserver prefix=MikroTik topics=!debug,!packet
add action=logserver prefix=MikroTik topics=hotspot
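As an added example (not code from this thread, from MikroTik or from Kiwi), here is a small Python script that does the same job as the nc test above, but from both sides: it builds an RFC 3164 datagram like the "<14>sourcehost message text" one, sends it over UDP, receives it on a listening socket, and decodes the <PRI> value into the facility.severity pair that a syslog server displays (14 is user.info). All function names are mine, and the loopback address and ephemeral port are constructed test values; a real receiver listens on UDP 514, which needs administrator/root rights.

```python
"""Tiny RFC 3164 syslog sender/receiver for checking a syslog path hop by hop.
Added example, not part of the forum thread or of any vendor product."""
import re
import socket

# Facility and severity names as numbered in RFC 3164 section 4.1.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Optional BSD timestamp that may follow the PRI, e.g. "Oct 20 13:23:58 ".
_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")


def encode_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, e.g. user.info -> 14, local7.debug -> 191."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


def decode_pri(pri: int) -> tuple:
    """Reverse of encode_pri: 14 -> ('user', 'info')."""
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def build_message(facility: str, severity: str, hostname: str, text: str) -> bytes:
    """Build the same shape of datagram the nc test sends: <PRI>host text."""
    return f"<{encode_pri(facility, severity)}>{hostname} {text}".encode()


def parse_message(data: bytes) -> dict:
    """Decode a datagram. RFC 3164 4.3.3: without a valid PRI, treat it as
    user.notice (13) and keep the whole payload as the message."""
    text = data.decode("utf-8", errors="replace")
    pri, rest = 13, text
    if text.startswith("<"):
        end = text.find(">", 1, 5)  # PRI is at most three digits
        if end != -1 and text[1:end].isdigit() and int(text[1:end]) <= 191:
            pri, rest = int(text[1:end]), text[end + 1:]
    m = _TIMESTAMP.match(rest)
    timestamp = m.group(0).strip() if m else None
    rest = rest[m.end():] if m else rest
    hostname, _, msg = rest.strip().partition(" ")
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity,
            "timestamp": timestamp, "hostname": hostname, "text": msg}


def send_test_message(host: str, port: int, datagram: bytes) -> None:
    """Fire one UDP datagram at the receiver, like `nc -u -w 0 host port`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        tx.sendto(datagram, (host, port))


def receive_one(rx: socket.socket, timeout: float = 2.0):
    """Wait for one datagram on an already bound socket; None on timeout.
    The source IP is recorded because receivers often filter on it."""
    rx.settimeout(timeout)
    try:
        data, (src_ip, _) = rx.recvfrom(2048)
    except socket.timeout:
        return None
    parsed = parse_message(data)
    parsed["src_ip"] = src_ip
    return parsed


def loopback_check() -> dict:
    """Self-test on 127.0.0.1 with an ephemeral port (constructed values);
    bind ("0.0.0.0", 514) instead to stand in for the real log server."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        port = rx.getsockname()[1]
        send_test_message("127.0.0.1", port,
                          build_message("user", "info", "sourcehost", "message text"))
        return receive_one(rx)


if __name__ == "__main__":
    print(loopback_check())
```

Run as a listener on port 514 on the Kiwi host (with the Kiwi service stopped, since only one process can own the port) and you can see whether the router's datagrams arrive at all and with which source IP and facility, independent of any filtering in the syslog server itself.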

Sorry for the late reply.

Kiwi is installed on Windows 10 Pro

and the firewalls have been turned off.

Kiwi is on the same network.

/system logging action
set 3 remote=192.168.88.254
/system logging
add action=remote topics=firewall
add action=remote topics=info
add action=remote topics=warning
add action=remote topics=error

It looks correct. Can you send from a Linux server to the Kiwi Syslog server as I mentioned above?

So I ran echo '<14>sourcehost message text' | nc -v -u -w 0 192.168.88.254 514 and Kiwi did receive the message. I did not see any logs inside the /data/syslog/tcp or /data/syslog/udp folders.

But Kiwi is receiving the messages, so it's the MT side of things. What next?

What router do you have and what software version?

Try to remove all logging config and cut/paste this:

/system logging action
add name=logserver remote=192.168.88.254 target=remote
/system logging
set 0 disabled=yes
add action=logserver topics=!ups

This should send all logs (including debug) to logserver=192.168.88.254 (topics=!ups, since I guess you do not have a UPS on the router).

I don't use Kiwi, so I'm not sure how their filtering works, but you have 192.168.88.1 set up as a source on Kiwi, and your logging src-address for the Mikrotik is the default 0.0.0.0. While the log packet would have a source IP of 192.168.88.1, Kiwi may also be filtering based on the src-address of the log message.


pic.png

Software version: 6.48.5

And I did set the src address to 192.168.88.1, but that did not work either.

/system logging> print
Flags: X - disabled, I - invalid, * - default

TOPICS ACTION PREFIX

0 * info memory
1 * error memory
2 * warning memory
3 * critical echo

/system logging> remove numbers=0
failure: can not remove default rules

/system logging action> print
Flags: * - default
0 * name="memory" target=memory memory-lines=1000 memory-stop-on-full=no
1 * name="disk" target=disk disk-file-name="flash/log" disk-lines-per-file=1000 disk-file-count=2 disk-stop-on-full=no
2 * name="echo" target=echo remember=yes
3 * name="remote" target=remote remote=192.168.88.254 remote-port=514 src-address=0.0.0.0 bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon syslog-severity=auto

/system logging action> remove numbers=3
failure: can not remove default actions

But I did add your code. And still nothing.
Here are the last things I have got from Kiwi:

10-20-2021 13:23:58 User.Info 192.168.88.253 test message From Ubuntu
10-20-2021 13:15:32 Syslog.Debug 192.168.88.251 This is a test message generated by Kiwi SyslogGen
10-20-2021 13:14:21 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0001

Start over.

Set the MT router to default settings and connect it to the Kiwi server on the same network.
Add the syslog configuration and test.

Then add all other config.
Or test with another MT router.

I have set the router back to default and tried a different MT router and get the same thing.

Also tried:

/system logging action
set 3 remote=192.168.88.254 src-address=192.168.88.1
/system logging
add action=remote topics=critical
add action=remote topics=info
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=firewall

/system logging action
set 3 bsd-syslog=yes remote=192.168.88.254 src-address=192.168.88.1 syslog-facility=syslog

/system logging action
set 3 bsd-syslog=yes remote=192.168.88.254 src-address=192.168.88.1 syslog-facility=local7

/system logging action
set 3 remote=192.168.88.254
/system logging
add action=remote topics=critical
add action=remote topics=info
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=firewall


and tested Kiwi again:
10-25-2021 08:26:24 User.Info 192.168.88.253 test message From Ubuntu
10-25-2021 08:26:24 Local7.Debug 192.168.88.253 X
10-25-2021 08:26:24 Local7.Debug 192.168.88.253 X

Then I do not know what is wrong.
You can try my solution (in the signature). Install Ubuntu on a PC or VM machine. Install Splunk and send the log data there.

It's easy enough to do a packet capture and verify the device is sending the syslog packets. I'm betting it's an issue with your Kiwi setup.

I do agree with the last comment. Config looks ok.

mikeeg02

I don't think it's a Kiwi setup issue. I don't think the router is sending out syslog packets.

Here is the packet capture from the router, but this is a file I saved to the router and then loaded into Wireshark.
Router Capture1.JPG
I don't know if those packets actually left the router, since no packets are coming to the Kiwi computer from the router on port 514.

Here is the Kiwi computer capture by Wireshark.
Wireshark on the right and Kiwi on the left.
Kiwi Capture1.JPG
IP addresses:
Router: 192.168.88.1
Kiwi: 192.168.88.254
Ubuntu: 192.168.88.252

There are no IP packets coming in from the router on port 514, but from Ubuntu there are.

Here is the setup:
(attachments: Router 1.JPG, Router 2.JPG, Kiwi 1.JPG, Kiwi 2.JPG)