SysLog

Sayrax · June 23, 2020, 2:50pm

Good day! There is a small network. One broadcast domain without vlan. There is a log collector. but Mikrotik intensely refuses to send him. There is no firewall on the collector
Actions:

/system logging action print
name="rsyslog" target=remote remote=192.168.50.5 remote-port=514 src-address=0.0.0.0 bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon syslog-severity=auto

Rules:

topics=info,error,critical,system,event,warning,script,wireless,dhcp,ipsec prefix="" action=remote

LogCollector on Centos 7(x64)
/etc/rsyslog.d/server.conf

# UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514

Used tсpdump but it is empty.
Version RouterOS 6.47. in earlier versions the same.

WeWiNet · June 23, 2020, 6:09pm

You need to add into firewall on “output” chain an ACCEPT for traffic to your IP of syslog server …

Sayrax · June 23, 2020, 7:50pm

Thank. But the OUTPUT table. This refers to outgoing traffic from the server. In this case, syslog.
In Syslog server empty firewall and default policy is ACCEPT
From Mikrotik to LAN default policy ACCEPT without any rules.

Sayrax · June 23, 2020, 7:52pm

When I test with telnet. Connecting to the syslog port (514). the server answers me. even makes an entry in the event log. And also on tcpdump the incoming traffic is visible

eworm · June 23, 2020, 8:04pm

A message has to contain all topics to match. That’s an impossible combination, even info and error are exclusive to each other. Try this:

/system logging
add action=remote topics=info
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=critical

Sayrax · June 23, 2020, 8:12pm

Rules:
topics=info,error,critical,system,event,warning,script,wireless,dhcp,ipsec prefix="" action=remote
A message has to contain all topics to match. That’s an impossible combination, even info and error are exclusive to each other. Try this:
/system logging
add action=remote topics=info
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=critical

Thank you so much. Works.

probably worth writing in support. since this is a bug

eworm · June 23, 2020, 8:17pm

No, this is not a bug. Why do you think so?

Sayrax · June 23, 2020, 8:34pm

I see no reason for each topic to write a rule. If for example I have two remote syslog servers.

eworm · June 23, 2020, 9:27pm

As said before a message has to match all topics given in a rule. So you can use something like this…

/system logging add action=remote topics=info,dhcp

… to match all messages that have topic info and dhcp.

But there is no message that has topics error and info at the same time. So a rule like this will never match.

Well, you could try something like this for a single rule…

/system logging add action=remote topics=!debug