Jotne
July 16, 2018, 8:17am
1
I have lots of logging going to syslog, so I know how that part works.
My question is: How to send output from a script to syslog?
Example:
I would like a script to show the dynamic nat and send that to my external syslog server.
/ip firewall nat print dynamic
try this:
:log info message=[/ip firewall nat print dynamic as-value ]
it will log the rules line-by-line in an easy to parse format (AV-pairs are delimited by semicolon ‘;’)
Jotne
July 16, 2018, 8:34pm
3
Thanks.
It's very close, but I do get some differences in the output.
Here is the output from the syslog:
script,info MikroTik: orrent (TCP);dst-address=92.220.197.134;dst-port=28816;in-interface=ether1-Wan;protocol=tcp;to-addresses=10.10.10.32;to-ports=28816;.id=*1a9c;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uTorrent (UDP);dst-address=92.220.197.134;dst-port=28816;in-
script,info MikroTik: .id=*1a57;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: Teredo;dst-address=92.220.197.134;dst-port=49290;in-interface=ether1-Wan;protocol=udp;to-addresses=10.10.10.32;to-ports=49290;.id=*1a9b;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uT
Here is the output on the router:
/ip firewall nat print dynamic
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; upnp 10.10.10.32: Teredo
chain=dstnat action=dst-nat to-addresses=10.10.10.32 to-ports=49290 protocol=udp
dst-address=92.220.197.134 in-interface=ether1-Wan dst-port=49290
1 D ;;; upnp 10.10.10.32: uTorrent (TCP)
chain=dstnat action=dst-nat to-addresses=10.10.10.32 to-ports=28816 protocol=tcp
dst-address=92.220.197.134 in-interface=ether1-Wan dst-port=28816
2 D ;;; upnp 10.10.10.32: uTorrent (UDP)
chain=dstnat action=dst-nat to-addresses=10.10.10.32 to-ports=28816 protocol=udp
dst-address=92.220.197.134 in-interface=ether1-Wan dst-port=28816
In the syslog, it only shows two lines, not 3.
In line 1, it shows "orrent", not "uTorrent". It seems that the missing "uT" is found at the end of line 2.
I guess it is Splunk that wraps things wrongly, so the lines get wrongly indexed.
Is there a way to tell MikroTik to send a newline between each output line?
Best would be if the output to syslog were 100% equal to the one in the console.
Each line needs to be sent as one single line, so the output above should be 3 lines.
dasiu
July 17, 2018, 10:29am
4
You see the lines split because the result of "print as-value" shows all entries in one string, and MikroTik splits the logged strings into 256-byte elements (256 bytes is the max length of what it can log).
To send a separate log message for each line, try:
:foreach logline in=[/ip firewall nat find dynamic=yes] do={:log info message="$[/ip firewall nat print as-value from=$logline]"}
Jotne
July 17, 2018, 1:31pm
5
Perfect.
Output in Splunk now looks like this (3 separate lines):
script,info MikroTik: .nextid=*ffffffff;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uTorrent (UDP);dst-address=92.220.197.134;dst-port=28816;in-interface=ether1-Wan;protocol=udp;to-addresses=10.10.10.32;to-ports=28816
script,info MikroTik: .nextid=*1b04;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uTorrent (TCP);dst-address=92.220.197.134;dst-port=28816;in-interface=ether1-Wan;protocol=tcp;to-addresses=10.10.10.32;to-ports=28816
script,info MikroTik: .nextid=*1b03;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: Teredo;dst-address=92.220.197.134;dst-port=49290;in-interface=ether1-Wan;protocol=udp;to-addresses=10.10.10.32;to-ports=49290
Could you also be so kind as to show how I could do the same with:
/ip accounting snapshot print
I tried this, but it only showed up locally:
:foreach logline in=[/ip accounting snapshot print] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"}
This does not give any output:
foreach logline in=[/ip accounting snapshot find dynamic=yes] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"}
Jotne
July 19, 2018, 8:48am
6
Problem solved.
This gives me what I want:
foreach logline in=[/ip accounting snapshot find] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"}
If you do not specify anything behind find, it takes all lines.
It even comes in a better format for Splunk to handle.
This is how it shows up in the console (SSH/Winbox/Web):
# SRC-ADDRESS DST-ADDRESS PACKETS BYTES SRC-USER DST-USER
0 193.212.207.247 10.10.10.32 41 47011
1 37.247.52.130 10.10.10.32 31 32623
2 10.10.10.32 193.212.207.247 33 3077
3 31.13.72.8 10.10.10.128 4 349
This is how it looks in the Splunk view:
script,info MikroTik: .id=*56;bytes=291;dst-address=10.10.10.80;packets=6;src-address=109.74.9.62
script,info MikroTik: .id=*55;bytes=612;dst-address=10.10.10.128;packets=7;src-address=31.13.72.38
script,info MikroTik: .id=*54;bytes=99891;dst-address=31.13.72.49;packets=706;src-address=10.10.10.241
script,info MikroTik: .id=*53;bytes=285;dst-address=31.13.72.32;packets=5;src-address=10.10.10.128
script,info MikroTik: .id=*52;bytes=1131;dst-address=10.10.10.128;packets=9;src-address=162.125.18.133
script,info MikroTik: .id=*51;bytes=1077;dst-address=10.10.10.50;packets=14;src-address=125.209.235.182
Since all fields have a name, I do not need any regex or other stuff to extract the data.
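As an added example, not code from this thread or from MikroTik: a small Python parser for the "key=value;key=value" records that ":log info message=[... print as-value]" produces, as they arrive at a collector such as Splunk. It uses the "script,info MikroTik: " prefix shown in the posts above, and the sample lines are constructed from the NAT and accounting output quoted in this thread. It also handles the failure mode from the earlier post: a 256-byte fragment that starts mid-value, or that carries two records glued together, is reported as a fragment instead of being indexed as a bogus record. The two summaries at the end (UPnP-created dst-nat mappings per internal host, and bytes per source address from the accounting snapshot) are what a defender would typically want from these two log sources.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines, modelled on the syslog output quoted in this thread.
SAMPLE_LINES = [
    # complete records, one per syslog line (the :foreach variant)
    "script,info MikroTik: .nextid=*ffffffff;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uTorrent (UDP);dst-address=92.220.197.134;dst-port=28816;in-interface=ether1-Wan;protocol=udp;to-addresses=10.10.10.32;to-ports=28816",
    "script,info MikroTik: .nextid=*1b03;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: Teredo;dst-address=92.220.197.134;dst-port=49290;in-interface=ether1-Wan;protocol=udp;to-addresses=10.10.10.32;to-ports=49290",
    # a 256-byte fragment that starts in the middle of a value (the "orrent" case)
    "script,info MikroTik: orrent (TCP);dst-address=92.220.197.134;dst-port=28816;in-interface=ether1-Wan;protocol=tcp;to-addresses=10.10.10.32;to-ports=28816;.id=*1a9c;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uTorrent (UDP);dst-address=92.220.197.134;dst-port=28816;in-",
    # a fragment that starts cleanly but contains two records and is cut at the end
    "script,info MikroTik: .id=*1a57;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: Teredo;dst-address=92.220.197.134;dst-port=49290;in-interface=ether1-Wan;protocol=udp;to-addresses=10.10.10.32;to-ports=49290;.id=*1a9b;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uT",
    # an accounting snapshot record
    "script,info MikroTik: .id=*54;bytes=99891;dst-address=31.13.72.49;packets=706;src-address=10.10.10.241",
]

# Syslog prefix as it appears in the thread; the topic/severity and identity
# ("script,info MikroTik") are the router's defaults and are an assumption here.
PREFIX = re.compile(r"^script,info MikroTik: (?P<body>.*)$")


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Parse one syslog line into {key: value}.

    Returns None when the line is not a complete as-value record: the body
    does not start with the object's .id/.nextid key (fragment starting
    mid-value), a pair has no '=' (cut value), or a key repeats (two records
    glued into one 256-byte chunk). Values containing ';' are not supported.
    """
    m = PREFIX.match(line)
    if not m:
        return None
    body = m.group("body")
    if not body.startswith("."):
        return None
    fields: Dict[str, str] = {}
    for pair in body.split(";"):
        if "=" not in pair:
            return None
        key, value = pair.split("=", 1)
        if key in fields:
            return None
        fields[key] = value
    return fields


def process(lines: List[str]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Split input into parsed records and lines that must be treated as fragments."""
    records, fragments = [], []
    for line in lines:
        rec = parse_record(line)
        (records if rec is not None else fragments).append(rec if rec is not None else line)
    return records, fragments


def upnp_mappings(records: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, int]]]:
    """Dynamic dst-nat rules created by UPnP, grouped by the internal host they expose."""
    out: Dict[str, List[Tuple[str, int]]] = {}
    for r in records:
        if r.get("chain") == "dstnat" and r.get("comment", "").startswith("upnp "):
            out.setdefault(r["to-addresses"], []).append((r["protocol"], int(r["to-ports"])))
    return out


def bytes_by_src(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Total bytes per source address from accounting snapshot records."""
    totals: Dict[str, int] = {}
    for r in records:
        if "bytes" in r and "src-address" in r:
            totals[r["src-address"]] = totals.get(r["src-address"], 0) + int(r["bytes"])
    return totals


if __name__ == "__main__":
    recs, frags = process(SAMPLE_LINES)
    print(f"{len(recs)} records, {len(frags)} fragments")
    print("UPnP mappings:", upnp_mappings(recs))
    print("bytes by src:", bytes_by_src(recs))
```

The fragment check relies on the record structure only (leading ".id"/".nextid" key, every pair having a key, no key repeated), so it catches the two fragment shapes seen in the earlier post but cannot tell that a well-formed line was cut in its last value; keeping the router-side :foreach version, which sends one object per message, is what actually prevents that.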
Jotne
July 23, 2018, 8:33am
7
Scripting is not my best side.
I do get what I want from:
foreach logline in=[/ip accounting snapshot find] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"}
But I want to add some more to each line, so I tried to add the text "test" in front of the log line:
foreach logline in=[/ip accounting snapshot find] do={:log info message="test $[/ip accounting snapshot print as-value from=$logline]"}
foreach logline in=[/ip accounting snapshot find] do={:log info message="test"."$[/ip accounting snapshot print as-value from=$logline]"}
: local line
:foreach logline in=[/ip accounting snapshot find] do={
:set line ("test")
:set line ($line . "$[/ip accounting snapshot print as-value from=$logline]")
:log info message="$line"}
None of them prints anything, just blank lines for the last example.