Remote logging does not work

Hello!

It’s the second day of my struggle with /system/logging. I want to send logs directly to a Graylog server that is in another network in the datacentre. I’ve tried the CEF and BSD syslog types, both over TCP and UDP; nothing arrives, and even the iptables packet counter on the allow rule does not tick on the remote server.

/system logging action
add cef-event-delimiter="\n" name=graylog remote=xxx.xxx.xxx.xxx remote-log-format=cef remote-port=5144 syslog-facility=syslog target=remote
/system logging
add action=graylog topics=info,firewall,system,error,warning,wireguard

I tried sending a UDP packet from my machine, which is in the same network as the MikroTik: it arrives correctly in Graylog and the packet counter in iptables increases.

echo "Test syslog message from workstation at $(date +%FT%T%Z)" | nc -u -w1 xxx.xxx.xxx.xxx 5144

As a workaround, I’ve tried running a container with elastic/filebeat on my machine to receive logs from the MikroTik and forward them to Graylog: sending manually (echo something | nc -u -w1 172.27.80.14 5144) does work, but I’m getting nothing from the MikroTik.

/system logging action
add name=filebeatRaspberry remote=172.27.80.14 remote-log-format=syslog remote-port=5144 syslog-facility=syslog target=remote
/system logging
add action=filebeatRaspberry topics=info,firewall,system,error,warning,wireguard,account

Does anyone use this feature? Maybe it’s a bug in ROS?

The logs do of course appear in ROS memory and should be sent.

I’ve tried /tool fetch with POST, but I only get “remote disconnected while in http exchange”. The TLS/SSL cert is valid on the Graylog side and no auth is configured; maybe I’m using it wrong, or I shouldn’t use POST mode, I don’t know.

On the other site (B), I launched the same filebeat container in a different network, on another machine, with a different MikroTik. I configured everything the same as on site A, started tcpdump on 5144/udp, sent a packet manually with echo and netcat, and tcpdump shows it. Then I configured the MikroTik and produced some logs: nothing in Graylog, nothing in tcpdump. I also tried disabling all other rules in /system/logging; still nothing in Graylog or tcpdump.

/system logging action
add name=filebeat remote=192.168.0.1 remote-port=5144 target=remote
/system logging
add action=filebeat topics=error,info,warning,system,account

Here’s the tcpdump output showing successful transmission of the message using the shell’s echo and netcat.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
23:30:23.453536 IP 127.0.0.1.40987 > 127.0.0.1.5144: UDP, length 59
23:30:23.453656 IP 172.18.0.1.52237 > 172.18.0.2.5144: UDP, length 59
23:30:23.453665 IP 172.18.0.1.52237 > 172.18.0.2.5144: UDP, length 59

^ no packets from the MikroTik IP address

Site A: ROS 7.18.2, P/N RB4011iGS+5HacQ2HnD

Site B: ROS 7.20.4, P/N RB2011UiAS-2HnD

Any valuable input is highly appreciated.

Just some thoughts:

Can you see outgoing log packets on your MikroTik device using the sniffer?

/tool/sniffer/quick port=<your syslog port>

Do you need to apply a src-address to the log packets?

Thanks for your response.
My friend figured it out.

The thing is that I had not clearly understood how “rule” items work. These rules only get triggered when all selected topics match, with an “AND” logical operator. That means there will never be a log entry that has all of the selected topics “error,info,warning,system,account”. For each topic I’m interested in, I have to create a separate rule and use the same action.

I hope that information will help somebody else in the future :)

Cheers
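For readers landing here with the same symptom, this is an added example (not from anyone in the thread) of the per-topic rules the last post describes, written as RouterOS 7 terminal commands. It assumes the remote action named "filebeat" from site B already exists and that the collector listens on 5144/udp.

```routeros
# Added example, not from the thread. Assumes the action "filebeat"
# (target=remote, remote=192.168.0.1, remote-port=5144) already exists.

# A single /system logging rule fires only when an entry carries ALL of the
# rule's topics (AND). "topics=error,info,warning,system,account" therefore
# never matches anything, so nothing is ever sent. Create one rule per topic,
# all pointing at the same remote action.
:foreach t in={"error";"info";"warning";"system";"account"} do={
    /system logging add action=filebeat topics=$t
}

# Confirm the rules exist as five separate entries.
/system logging print where action=filebeat

# If the router has several addresses and the collector only accepts a known
# source, pin the source address on the action (value is a placeholder).
# /system logging action set filebeat src-address=<router-ip-facing-collector>

# Generate an entry on the "info" topic, then watch for it leaving the router.
# Check this sniffer before blaming firewalls or the collector: if packets show
# up here but not in tcpdump on the collector, the problem is on the path.
:log info "remote logging test"
/tool sniffer quick port=5144
```

Run the sniffer in a second terminal session, since it blocks until interrupted.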