remote logging with rsyslog

hi

For some time I have been struggling with remote logging in syslog. I have made it to a level that I can sort messages in rsyslog into separate files. The problem is with failed logins.

This is my /system logging export:

/system logging action
set memory memory-lines=300 memory-stop-on-full=no name=memory target=memory
set disk disk-file-count=2 disk-file-name=log disk-lines-per-file=100 disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote bsd-syslog=yes name=remote remote=x:514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto target=remote
add bsd-syslog=yes name=authremotefailed remote=x:514 src-address=0.0.0.0 syslog-facility=auth syslog-severity=error target=remote
add bsd-syslog=yes name=authremoteok remote=x:514 src-address=0.0.0.0 syslog-facility=auth syslog-severity=info target=remote
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
add action=authremoteok disabled=no prefix=--ACCOUNT-- topics=account
add action=remote disabled=no prefix="" topics=radius
add action=remote disabled=no prefix="" topics=backup
add action=remote disabled=no prefix=--WIRELESS-- topics=wireless,!debug,!info
add action=remote disabled=no prefix=--SYSTEM-- topics=system
add action=remote disabled=no prefix="" topics=ppp
add action=remote disabled=no prefix="" topics=pppoe
add action=remote disabled=no prefix="" topics=firewall
add action=remote disabled=no prefix="" topics=script
add action=authremotefailed disabled=no prefix=--ACCOUNT-- topics=system,error,critical

In rsyslog I sort messages by prefix: --ACCOUNT-- goes to account.log, --SYSTEM-- goes to system.log, etc. Everything else goes to reszta.log. The problem is when someone fails to log in: the message is duplicated and sent to account.log (because of the prefix) and to system.log.

How to resolve this problem?
How to understand topics in MikroTik logging?
If I specify a single add line that has topics "system,error,critical" and action remote, does it mean that I will log only messages containing system,error,critical, or any variation of it? Like, I get a message with error and it will be sent to the remote syslog.

Sorry, I cannot answer your question.

But I thought, as you have some experience with syslog and ROS, that you might help me :)
http://forum.mikrotik.com/t/remote-logging-with-rsyslog/43809/1

I get ACCOUNT, WIRELESS, SYSTEM etc instead of hostname…
Any ideas?

I might know what your problem is.
This is my whole rsyslog.conf:

#  /etc/rsyslog.conf    Configuration file for rsyslog v3.
#
#            For more information see
#            /usr/share/doc/rsyslog-doc/html/rsyslog_conf.html


#################
#### MODULES ####
#################

$ModLoad imuxsock # provides support for local system logging
#$ModLoad imklog   # provides kernel logging support (previously done by rklogd)
#$ModLoad immark  # provides --MARK-- message capability

# provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 516

# provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
# dropping duplicates
#$RepeatedMsgReduction on
#$RepeatedMsgContainsOriginalMsg on
###########################
#### GLOBAL DIRECTIVES ####
###########################

#
# Use traditional timestamp format.
# To enable high precision timestamps, comment out the following line.
#
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$template internetiaformat,"%timegenerated::fulltime% %timereported% %fromhost-ip% %hostname% %SYSLOGFACILITY-text% %SYSLOGSEVERITY-text% %syslogtag%%msg%\n"

$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755

#$AllowedSender UDP, 172.16.0.0/16
$template dynamicfile,"/var/log/remote/%$YEAR%/%$MONTH%/mikrotik/reszta.log"
$template mtwireless,"/var/log/remote/%$YEAR%/%$MONTH%/mikrotik/wireless.log"
$template mtsystem,"/var/log/remote/%$YEAR%/%$MONTH%/mikrotik/system.log"
$template mtaccount,"/var/log/remote/%$YEAR%/%$MONTH%/mikrotik/account.log"
$template obcydhcp,"/var/log/remote/%$YEAR%/%$MONTH%/mikrotik/obcydhcp.log"

:syslogtag,contains,"--OBCY-DHCP--" ?obcydhcp;internetiaformat
:syslogtag,contains,"--OBCY-DHCP--" ~
:syslogtag,contains,"--WIRELESS--" ?mtwireless;internetiaformat
:syslogtag,contains,"--WIRELESS--" ~
:syslogtag,contains,"--SYSTEM--" ?mtsystem;internetiaformat
:syslogtag,contains,"--SYSTEM--" ~
:syslogtag,contains,"--ACCOUNT--" ?mtaccount;internetiaformat
:syslogtag,contains,"--ACCOUNT--" ~
:fromhost,!contains,"syslog" ?dynamicfile;internetiaformat
:fromhost,!contains,"syslog" ~
*.* /var/log/localhost.log

As you notice, this line

$template internetiaformat,"%timegenerated::fulltime% %timereported% %fromhost-ip% %hostname% %SYSLOGFACILITY-text% %SYSLOGSEVERITY-text% %syslogtag%%msg%\n"

I suggest that you try this template:
$template sqlformat,"%timegenerated::fulltime% %hostname% %syslogtag%%msg%\n"

Try to log messages into files first and see what happens.
Upgrade to the latest version. I always do that.

I have noticed that %syslogtag%%msg% is very important, having them one after another.
For the future, take a look into this:
http://wiki.rsyslog.com/index.php/EximAmalgamatedLog
It has multiple advanced rsyslog options. I found it while helping you :)
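Added example (my own code, not from this thread or from MikroTik/rsyslog) that models both stages discussed above: the topic rules from the first post's /system logging export and the first-match-then-discard chain from the rsyslog.conf in this post. It assumes RouterOS matches a rule only when the event carries every listed topic and none of the `!`-negated ones, and that the prefix arrives in the syslogtag as this thread observes; the events and the address are constructed.

```python
# Added example, not from the thread: model of the two filter stages a MikroTik
# log event passes on its way into the rsyslog files discussed above.
def ros_matches(rule_topics, event_topics):
    """RouterOS rule semantics (assumed here): every listed topic must be on the
    event and every '!topic' must be absent, i.e. the list is an AND, not an OR."""
    for t in rule_topics.split(","):
        if t.startswith("!"):
            if t[1:] in event_topics:
                return False
        elif t not in event_topics:
            return False
    return True

# (prefix, topics) of the rules in the thread's export that target remote syslog.
ROS_REMOTE_RULES = [
    ("--SYSTEM--", "system"),
    ("--ACCOUNT--", "account"),
    ("--ACCOUNT--", "system,error,critical"),
    ("--WIRELESS--", "wireless,!debug,!info"),
]

def ros_fanout(rules, event_topics, msg):
    """RouterOS sends a separate syslog message per matching rule; the prefix
    lands in the syslogtag, so it is modelled as a plain string prefix."""
    return [prefix + msg for prefix, topics in rules
            if ros_matches(topics, event_topics)]

# rsyslog chain in the order written in rsyslog.conf: the first
# ':syslogtag,contains' hit writes the file and the '~' line after it discards
# the message, so one received message can only ever land in one file.
RSYSLOG_CHAIN = [
    ("--WIRELESS--", "wireless.log"),
    ("--SYSTEM--", "system.log"),
    ("--ACCOUNT--", "account.log"),
]

def rsyslog_route(tag_and_msg):
    for needle, logfile in RSYSLOG_CHAIN:
        if needle in tag_and_msg:
            return logfile
    return "reszta.log"  # the ':fromhost,!contains,"syslog"' catch-all

def files_for_event(event_topics, msg, rules=ROS_REMOTE_RULES):
    """Files that receive a copy of the event, in the order the copies arrive."""
    return [rsyslog_route(m) for m in ros_fanout(rules, event_topics, msg)]

# Constructed event: RouterOS logs a failed login under system,error,critical.
FAILED_LOGIN = ({"system", "error", "critical"},
                "login failure for user admin from 192.0.2.10 via ssh")
```

files_for_event(*FAILED_LOGIN) returns ['system.log', 'account.log']: the router sent two copies because two rules matched, so the rsyslog discard lines never see a duplicate. The same model lets you check what a `!`-negated topic on the --SYSTEM-- rule would do before touching the router.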