time in where clause

Hi
I want to use a command like this:

log print where time > [ 1 hour ago ]

Show logs generated 1 hour ago… how can I use "1 hour ago" in the time clause?
Thanks.

That would be a good question. Let me check, I’ll get back to you.

A quick search:
http://forum.mikrotik.com/t/how-to-get-log-records-for-last-5-mins/70398/1

Use Splunk

I just discovered that there are 4 different types of date/time strings inside the log, not only 3 as I supposed…
When it is exactly midnight with zero seconds, the time is completely omitted…

Here’s a snippet of what I’m using in my fail2ban script, which runs once a minute and checks the logs for failed attempts in the last minute. All of this extra logic seems necessary because otherwise the logs could also return events which took place before the NTP sync on a previous day. Maybe something in here proves helpful for / can be adapted to your needs (or maybe someone can improve the script even more, lol)

# define how many failed login attempts from the same address trigger a temporary ban
:local maxtried 10

# define how long a ban should last (1d: one day, 30m: 30 minutes)
:local bantime "15m"

# excluded IP (never banned)
:local excludeip "1.2.3.4"

# default rule: create the drop rule for the "ban" address list if it does not exist yet
:if ([:len [/ip firewall filter find comment=fail2ban]] = 0) do={
  /ip firewall filter add chain=input src-address-list=ban action=drop comment=fail2ban
}

# main routine: only look at entries from the last minute (the script runs once a minute)
:local timenow [/system clock get time]
:local timeoffset ($timenow - 1m)
/log
:foreach i in=[find message~"login failure"] do={
  :local msgtime [get $i time]
  # entries from today carry a bare "hh:mm:ss" (8 characters); older entries carry a date
  # prefix and are skipped, which also drops pre-NTP-sync entries from earlier days
  :if (([:len $msgtime] = 8) && ([:totime $msgtime] > $timeoffset)) do={
    :local msg [get $i message]
    # the message looks like "login failure for user X from 1.2.3.4 via ssh"
    :local theip [:pick $msg ([:find $msg "from "] + 5) [:find $msg " via"]]
    :if ($theip != $excludeip) do={
      :local timesban [:len [/ip firewall address-list find list=ban address=$theip]]
      :if ($timesban = 0) do={
        :local times [:len [/ip firewall address-list find list=login_failure address=$theip]]
        :if ($times = 0) do={
          # first failure seen: start a counter in the comment field (entry expires after 30s)
          /ip firewall address-list add list=login_failure address=$theip timeout=30s comment=1
        } else={
          # convert the stored counter to a number before adding, otherwise "1" + 1 gives "11"
          :local thecm ([:tonum [/ip firewall address-list get [/ip firewall address-list find list=login_failure address=$theip] comment]] + 1)
          :if ($thecm > $maxtried) do={
            /ip firewall address-list add list=ban timeout=$bantime address=$theip
          } else={
            /ip firewall address-list set [/ip firewall address-list find list=login_failure address=$theip] comment=$thecm
          }
        }
      }
    }
  }
}
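As an added example (not from any post in this thread), here is an off-box Python parser for the four time shapes `/log print` produces, applied to captured output to answer the original "last hour" question. It assumes the `time topics message` line layout of `/log print` and the "login failure for user X from A via B" message text the script above picks apart; the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Time column shapes in "/log print" output (see the posts above): "10:05:12" today,
# "mar/14 23:59:59" earlier this year, "jan/02/2020 08:00:00" a previous year, none at 00:00:00.
_HMS = re.compile(r"^\d{2}:\d{2}:\d{2}$")
_DATE = re.compile(r"^(?P<mon>[a-z]{3})/(?P<day>\d{2})(?:/(?P<year>\d{4}))?$")
_MONTHS = {m: i for i, m in enumerate("jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
_LOGIN_FAILURE = re.compile(r"login failure for user \S+ from (\S+) via")


def parse_log_line(line, now):
    """Split one "/log print" line into (timestamp, topics, message). `now` is the
    router clock when the log was read; it supplies the date/year the entry omits."""
    fields = line.split(maxsplit=3)
    date = _DATE.match(fields[0].lower()) if fields else None
    if fields and _HMS.match(fields[0]):                       # today: bare hh:mm:ss
        h, m, s = map(int, fields[0].split(":"))
        stamp, rest = now.replace(hour=h, minute=m, second=s, microsecond=0), fields[1:]
    elif date and len(fields) > 1 and _HMS.match(fields[1]):   # mmm/dd[/yyyy] hh:mm:ss
        h, m, s = map(int, fields[1].split(":"))
        stamp = datetime(int(date.group("year") or now.year), _MONTHS[date.group("mon")],
                         int(date.group("day")), h, m, s)
        rest = fields[2:]
    else:  # no time column: the midnight case; the date is unknown, assume today (assumption)
        stamp, rest = now.replace(hour=0, minute=0, second=0, microsecond=0), fields
    return stamp, (rest[0] if rest else ""), " ".join(rest[1:])


def recent_login_failures(lines, now, window=timedelta(hours=1)):
    """(timestamp, source address) for every login failure within [now - window, now]."""
    hits = []
    for line in lines:
        stamp, _topics, message = parse_log_line(line, now)
        m = _LOGIN_FAILURE.search(message)
        if m and now - window <= stamp <= now:
            hits.append((stamp, m.group(1)))
    return hits


# Constructed sample "/log print" output, read when the router clock showed 10:30:00 on 15 Mar 2021.
SAMPLE_NOW = datetime(2021, 3, 15, 10, 30, 0)
SAMPLE_LINES = [
    "10:05:12 system,error,critical login failure for user admin from 10.0.0.5 via ssh",
    "09:10:00 system,error,critical login failure for user root from 10.0.0.6 via ssh",
    "mar/14 23:59:59 system,error,critical login failure for user admin from 10.0.0.7 via winbox",
    "jan/02/2020 08:00:00 system,error,critical login failure for user admin from 10.0.0.9 via telnet",
    "system,error,critical login failure for user guest from 10.0.0.10 via ssh",
    "10:29:59 system,error,critical login failure for user admin from 10.0.0.5 via ssh",
]
```

Counting the returned addresses per source gives the same per-IP tally the script above keeps in the address-list comment.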

The logging format has been an issue for many, many years and MikroTik are not willing to fix it.
Look at this thread from 2014, nothing has changed in 7 years???
http://forum.mikrotik.com/t/time-log-format/77147/1
MT do recommend storing the logs on a syslog server. I know this works, since I have made the Splunk app for MikroTik (that uses syslog).
But MT should log data in a standard format, not the 4 different formats it does today, which makes it hard to make scripts based on log time.