NB: logging a large amount of Accounting, DNS or firewall rules quickly eats up the license, so I do recommend turning off Accounting/DNS logging to start with.
How do I turn off DNS logging? When I disable the Accounting function, the log server still receives the DNS requests.
Thanks.
DNS logs come from the Router log, so to stop it change from:
/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp
to
/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp,!dns
Splunk version: 8.2.4
License Type: Free license group
Volume used today 3 MB (0.524% of quota)
Mikrotik schedule: 5 minutes
When I log in to the Mikrotik logs on Splunk, running a search for mikrotik on Splunk, there is no log record on the Splunk server.
After I restart the Splunk service on the web, the Splunk server will receive the logs from the RB4011.
I need to manually restart the Splunk service after the Splunk server has been running 15 minutes every day.
Why does Splunk need that? Is there something wrong with the Splunk server? How can I check that the Splunk server is running normally?
Thanks
Mine never needs to be restarted.
I have one version where Splunk listens on port 514 (not recommended as it needs to run as root).
The other version has an rsyslog server as input and Splunk reads the rsyslog logs.
Both running fine.
Do you pass any firewall on the way from MikroTik to the Splunk server?
What do you run Splunk on? Linux (I recommend Ubuntu) on a dedicated (pri 1) server or VMware (pri 2) are the best options.
Avoid using Splunk on Windows.
Port 514 and port 8000:
udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:* users:(("splunkd",pid=364916,fd=57))
tcp LISTEN 0 128 0.0.0.0:8000 0.0.0.0:* users:(("splunkd",pid=364916,fd=138))
Status: active
To Action From
22/tcp ALLOW Anywhere
514 ALLOW Server IP address
8000/tcp ALLOW Anywhere
8090/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
8000/tcp (v6) ALLOW Anywhere (v6)
8090/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)
Splunk runs on Ubuntu 20.04 server, which was built on ESXi 6.7.0.
Should work.
The only comment is that you should not run Splunk as the root user, and use rsyslog to listen on port 514.
My Splunk has also been running for some years now. It only goes down when I apply Splunk updates of some sort. Rock solid!
I'm running on Ubuntu 18.0.4.5 LTS
I suggest you start digging in the LOG directory of your Splunk.
/opt/splunk/var/log
From there you have the folders "watchdog" and "splunk".
You could investigate watchdog.log, and in the splunk folder many log files reside, like health.log, splunkd.log, web_access.log etc.
Splunk-specific troubleshooting might be slightly outside the scope of this forum.
The Splunk community forums are a better place for that.
Thanks for the help Jotne and jvanhambelgium.
After I reinstalled the Splunk server, all the things work well.
But some graphs in the app didn't work.
I can get the graph for Mikrotik CAPsMAN Wifi Connection and "Mikrotik CAPsMAN Number of Clients pr AP", but there is no graph for "Mikrotik CAPsMAN Channel Usage".
I also set up ":local CAPsMANN true" but it did not work.
Did I miss some configuration in the Mikrotik script?
Our customers always want to know which client PC or mobile phone takes the maximum flow in a specified time range, with destination IP and protocol.
How can I get the traffic flow graph in the app?
If I could define the application data type, maybe the traffic flow graph would be more visual.
Thanks.
Sometimes MT does change stuff, so it does not work. Since I do not have CAPsMAN, I need some help to debug it.
Can you post a list of log lines here?
Example output of:
index=* "caps,info"
Hi,
I added MikroTik logs 3.5 in my Splunk and did all the configuration.
In the search tab in main Splunk I can see my logs from my MikroTik with the host="192.168.XX.XX" command,
but in the app "MikroTik logs 3.5" I cannot see any information or logs.
Does this app listen on port 514??
Did you see the debug section 2h-2?
2h) Debugging
- See if any data are coming in to Splunk at all.
index=*
- Test if data has the correct tag "MikroTik" (capital M & T)
index=* | table _time sourcetype _raw
Follow this section 100%
2b) Then select what modules to log.
Splunk can listen on port 514, but it is not recommended since it needs to run as root.
Use rsyslog to listen on 514.
Just follow the tutorial step by step.
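Added example, not from the thread and not part of Jotne's app: a small Python parser for the syslog lines the thread's collection script produces, so the two debugging checks above (is the prefix exactly "MikroTik" with capital M and T, and does the line carry a field the dashboards key on) and the router-side topic exclusion from the DNS logging answer earlier in the thread (topics=!debug,!packet,!snmp,!dns) can be exercised offline before looking at Splunk. The `<prefix> <topics> <message>` line shape and every sample line are constructed assumptions, not captured router output.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from a real router, not from the thread's app).
# Assumed shape of a RouterOS remote-syslog line with prefix=MikroTik: "<prefix> <topics> <message>",
# carrying the key=value messages the thread's Data_to_Splunk_using_Syslog script logs.
SAMPLE_LINES = [
    "MikroTik script,info script=resource free_memory=873 MB total_memory=1024 MB "
    "free_hdd_space=16 MB total_hdd_space=64 MB cpu_load=3 uptime=1w2d3h4m5s write-sect-total=12345",
    'MikroTik script,info script=sysinfo version="7.1.3 (stable)" board-name="CHR" model="na" '
    'serial=na identity="CHRv7_x86_64" factory-firmware="na" current-firmware="na" upgrade-firmware="na"',
    "MikroTik script,info script=ntp status=synchronized",
    # wrong-case prefix: fails the "capital M & T" check from the debugging section
    "mikrotik script,info script=ntp status=synchronized",
    # constructed DNS line; the !dns topic exclusion keeps lines like this from reaching the log server
    "MikroTik dns done query: #1234 example.com. A",
]

# "<prefix> <topics> <message>"; topics is a comma list such as "script,info" or "caps,info"
LINE_RE = re.compile(r"^(?P<prefix>\S+) (?P<topics>[a-z0-9,]+) (?P<msg>.*)$")
# key=value pairs; the script double-quotes values that may contain spaces (version, board-name, ...)
KV_RE = re.compile(r'([\w.-]+)=(?:"([^"]*)"|(\S+))')

# Mirrors the logging rule topics=!debug,!packet,!snmp,!dns from the thread
EXCLUDED_TOPICS = frozenset({"debug", "packet", "snmp", "dns"})


def parse_line(line):
    """Split one syslog line into prefix, topic list and key=value fields; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, quoted, bare in KV_RE.findall(m.group("msg")):
        # findall returns "" for the branch that did not match; bare is "" only when quoted matched
        fields[key] = quoted if bare == "" else bare
    return {
        "prefix": m.group("prefix"),
        "topics": m.group("topics").split(","),
        "msg": m.group("msg"),
        "fields": fields,
    }


def wrong_prefix(lines, expected="MikroTik"):
    """Lines the app would ignore because the prefix is not exactly `expected` (case matters)."""
    bad = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prefix"] != expected:
            bad.append(line)
    return bad


def is_excluded(line, excluded=EXCLUDED_TOPICS):
    """True if any topic on the line is one the router-side rule negates with '!'."""
    rec = parse_line(line)
    return rec is not None and any(t in excluded for t in rec["topics"])


def script_counts(lines, expected="MikroTik"):
    """Count events per script= section for lines that pass the prefix and topic filters."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["prefix"] != expected or is_excluded(line):
            continue
        counts[rec["fields"].get("script", "(no script field)")] += 1
    return dict(counts)


if __name__ == "__main__":
    print("lines with wrong prefix:", wrong_prefix(SAMPLE_LINES))
    print("events per script section:", script_counts(SAMPLE_LINES))
```

Run it against the `_raw` column from the `index=* | table _time sourcetype _raw` search instead of `SAMPLE_LINES` to see at a glance which sections (`resource`, `sysinfo`, `ntp`, `if_traffic`, ...) are actually arriving and whether any line carries a prefix the dashboards will not match.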
Hi again,
I have seen the logs but I want to see the logs in your dashboard "MikroTik logs 3.5".
Thanks for your answer.
I receive logs from MikroTik in search, with the command line index=*, but I do not have any data in "MikroTik logs 3.5".
This item is OK: "Test if data has correct tag "MikroTik" (Capital M & T)"
If possible I can send you a photo.
Can you post some lines of output of
index=* | fillnull value="-" | table _time index sourcetype _raw
that contain some data from the router?
Do you run it like this:
Splunk as root and port 514 open to Splunk
or
Splunk as non-root, Splunk getting data from rsyslog that listens on 514
Excuse me, I am confused a lot.
What do you mean by "splunk as root"??
I use Splunk 8.2 on Windows Server 2022 and my MikroTik router is a CCR1036, v6.48.6.
If possible, I will send you a picture!!
I have my MikroTik logs in my Splunk but I want to see my logs in your dashboard "MikroTik log 3.5".
You did not post the output of my command above. With that I can see if the logs look like what I expect.
I forgot to ask on what platform you run Splunk.
Some of my first information in my first post:
Installation
- On your PC: works on Windows and Linux, but use Linux (clearly the best choice and also used in all posts here)
It should work, but I may not be able to help with the Windows version on the same level as on Linux (recommended).
Linux has a normal user and a root user.
If you only have one server, I would suggest installing VMware Workstation, then setting up a Linux server (example Ubuntu 20.04).
Follow all steps in the post above to get Splunk installed.
New version with Netwatch logging is not the way. See this post in this thread on how it works:
http://forum.mikrotik.com/t/tool-using-splunk-to-analyse-mikrotik-logs-4-0-graphing-everything/153043/3
Hello everyone!
First of all thanks for this excellent tool @Jotne, I love it!
I have a little problem: I'm unable to get my CHR to visualize on my dashboard. All my other MikroTik devices are showing correctly except the CHR. I have 2 CHRs: one is 6.49.4 and the other is 7.1.3.
My Splunk is receiving data, I can search for 10.0.0.56 and 10.0.0.57 and I have data, but I don't see it on the Dashboard.
Here is an export of my configurations in case you want and have time to help.
CHRv7.1.3:
/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
add name=72 remote=10.0.0.72 src-address=10.0.0.57 target=remote
/interface bridge port
add bridge=bridge1 interface=ether1
/ipv6 settings
set disable-ipv6=yes
/ip cloud
set update-time=no
/ip dhcp-client
add interface=bridge1
/system hardware
set allow-x86-64=yes
/system identity
set name=CHRv7_x86_64
/system logging
add action=72 prefix=MikroTik topics=!debug,!packet,!snmp
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.0.1
/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/07/2022 start-time=19:08:47
/system script
add dont-require-permissions=no name=Data_to_Splunk_using_Syslog owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="# Collect information from Mikrotik RouterOS\r\
\n# Jotne 2021\r\
\n:log info message=\"script=version ver=4.8\"\r\
\n# ----------------------------------\r\
\n\r\
\n\r\
\n# What data to collect. Set to false to skip the section \r\
\n# ----------------------------------\r\
\n:local SystemResource true\r\
\n:local SystemInformation true\r\
\n:local SystemHealth true\r\
\n:local TrafficData true\r\
\n:local AccuntData true\r\
\n:local uPnP true\r\
\n:local Wireless false\r\
\n:local AddressLists true\r\
\n:local DHCP true\r\
\n:local Neighbor true\r\
\n:local InterfaceData true\r\
\n:local CmdHistory true\r\
\n:local CAPsMANN false\r\
\n\r\
\n\r\
\n# Collect system resource\r\
\n# ----------------------------------\r\
\n:if (\$SystemResource) do={\r\
\n\t/system resource\r\
\n\t:local cpuload [get cpu-load]\r\
\n\t:local freemem ([get free-memory]/1048576)\r\
\n\t:local totmem ([get total-memory]/1048576)\r\
\n\t:local freehddspace ([get free-hdd-space]/1048576)\r\
\n\t:local totalhddspace ([get total-hdd-space]/1048576)\r\
\n\t:local up [get uptime]\r\
\n\t:local sector [get write-sect-total]\r\
\n\t:log info message=\"script=resource free_memory=\$freemem MB total_mem\
ory=\$totmem MB free_hdd_space=\$freehddspace MB total_hdd_space=\$totalhd\
dspace MB cpu_load=\$cpuload uptime=\$up write-sect-total=\$sector\"\r\
\n}\r\
\n\r\
\n\r\
\n# Make some part only run every hours\r\
\n# ----------------------------------\r\
\n:global Hour\r\
\n:local run false\r\
\n:local hour [:pick [/system clock get time] 0 2]\r\
\n:if (\$Hour != \$hour) do={\r\
\n\t:global Hour \$hour\r\
\n\t:set run true\r\
\n}\r\
\n\r\
\n\r\
\n# Get NTP status\r\
\n# ----------------------------------\r\
\n:local ntpstatus \"\"\r\
\n:if ([:len [/system package find where !disabled and name=ntp]] > 0 or [\
:tonum [:pick [/system resource get version] 0 1]] > 6) do={\r\
\n :set ntpstatus [/system ntp client get status]\r\
\n} else={\r\
\n :if ([:typeof [/system ntp client get last-update-from]] = \"nil\") \
do={\r\
\n :set ntpstatus \"using-local-clock\"\r\
\n } else={\r\
\n :set ntpstatus \"synchronized\"\r\
\n }\r\
\n}\r\
\n:log info message=\"script=ntp status=\$ntpstatus\" \r\
\n\r\
\n\r\
\n# Get interface traffic data for all interface\r\
\n# ----------------------------------\r\
\n:if (\$TrafficData) do={\r\
\n\t:foreach id in=[/interface find] do={\r\
\n\t\t:local output \"\$[/interface print stats as-value where .id=\$id]\"\
\r\
\n\t\t:set ( \"\$output\"->\"script\" ) \"if_traffic\"\r\
\n\t\t:log info message=\"\$output\"\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Get traffic data v2 (Kid Control)\r\
\n# ----------------------------------\r\
\n:if (\$AccuntData) do={\r\
\n\t:foreach logline in=[/ip kid-control device find] do={\r\
\n\t\t:local output \"\$[/ip kid-control device get \$logline]\"\r\
\n\t\t:set ( \"\$output\"->\"script\" ) \"kids\"\r\
\n\t\t:log info message=\"\$output\"\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Finding dynmaic lines used in uPnP\r\
\n# ----------------------------------\r\
\n:if (\$uPnP) do={\r\
\n\t:foreach logline in=[/ip firewall nat find where dynamic=yes and comme\
nt~\"^upnp \"] do={\r\
\n\t\t:local output \"\$[/ip firewall nat print as-value from=\$logline]\"\
\r\
\n\t\t:set ( \"\$output\"->\"script\" ) \"upnp\"\r\
\n\t\t:log info message=\"\$output\" \r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Collect system information\r\
\n# ----------------------------------\r\
\n:local model na\r\
\n:local serial na\r\
\n:local ffirmware na\r\
\n:local cfirmware na\r\
\n:local ufirmware na\r\
\n:if (\$SystemInformation and \$run) do={\r\
\n\t:local version ([/system resource get version])\r\
\n\t:local board ([/system resource get board-name])\r\
\n\t:if (\$board!=\"CHR\") do={\r\
\n\t\t/system routerboard\r\
\n\t\t:set model ([get model])\r\
\n\t\t:set serial ([get serial-number])\r\
\n\t\t:set ffirmware ([get factory-firmware])\r\
\n\t\t:set cfirmware ([get current-firmware])\r\
\n\t\t:set ufirmware ([get upgrade-firmware])\r\
\n\t}\r\
\n\t:local identity ([/system identity get name])\r\
\n\t:log info message=\"script=sysinfo version=\\\"\$version\\\" board-nam\
e=\\\"\$board\\\" model=\\\"\$model\\\" serial=\$serial identity=\\\"\$ide\
ntity\\\" factory-firmware=\\\"\$ffirmware\\\" current-firmware=\\\"\$cfir\
mware\\\" upgrade-firmware=\\\"\$ufirmware\\\"\"\r\
\n}\r\
\n\r\
\n\r\
\n# Collect system health\r\
\n# ----------------------------------\r\
\n:if (\$SystemHealth) do={\r\
\n\t:do {\r\
\n\t\t# New version\r\
\n\t\t:foreach id in=[/system health find] do={\r\
\n\t\t\t:local health \"\$[/system health get \$id]\"\r\
\n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
\n\t\t\t:log info message=\"\$health\"\r\
\n\t\t}\r\
\n\t} on-error={\r\
\n\t\t# Old version\r\
\n\t\t:if (!([/system health get]~\"(state=disabled|^\\\$)\")) do={\r\
\n\t\t\t:local health \"\$[/system health get]\"\r\
\n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
\n\t\t\t:log info message=\"\$health\"\r\
\n\t\t}\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Sends wireless client data to log server \r\
\n# ----------------------------------\r\
\n:if (\$Wireless && [:len [/int find where type=wlan]]>0) do={\r\
\n\t/interface wireless registration-table\r\
\n\t:foreach i in=[find] do={\r\
\n\t\t:log info message=\".id=\$i;ap=\$([get \$i ap]);interface=\$([get \$\
i interface]);mac-address=\$([get \$i mac-address]);signal-strength=\$([ge\
t \$i signal-strength]);tx-rate=\$([get \$i tx-rate]);uptime=\$([get \$i u\
ptime]);script=wifi\"\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Count IP in address-lists\r\
\n#----------------------------------\r\
\n:if (\$AddressLists) do={\r\
\n\t:local array [ :toarray \"\" ]\r\
\n\t:local addrcntdyn [:toarray \"\"] \r\
\n\t:local addrcntstat [:toarray \"\"] \r\
\n\t:local test\r\
\n\t:foreach id in=[/ip firewall address-list find] do={\r\
\n\t\t:local rec [/ip firewall address-list get \$id]\r\
\n\t\t:local listname (\$rec->\"list\")\r\
\n\t\t:local listdynamic (\$rec->\"dynamic\")\r\
\n\t\t:if (!(\$array ~ \$listname)) do={ :set array (\$array , \$listname)\
\_}\r\
\n\t\t:if (\$listdynamic = true) do={\r\
\n\t\t\t:set (\$addrcntdyn->\$listname) (\$addrcntdyn->\$listname+1)\r\
\n\t\t} else={\r\
\n\t\t\t:set (\$addrcntstat->\$listname) (\$addrcntstat->\$listname+1)}\r\
\n\t}\r\
\n\t:foreach k in=\$array do={\r\
\n\t\t:log info message=(\"script=address_lists list=\$k dynamic=\".((\$ad\
drcntdyn->\$k)+0).\" static=\".((\$addrcntstat->\$k)+0))}\r\
\n}\r\
\n\r\
\n\r\
\n# Get MNDP (CDP) Neighbors\r\
\n# ----------------------------------\r\
\n:if (\$Neighbor and \$run) do={\r\
\n\t:foreach neighborID in=[/ip neighbor find] do={\r\
\n\t\t:local nb [/ip neighbor get \$neighborID]\r\
\n\t\t:local id [:pick (\"\$nb\"->\".id\") 1 99]\r\
\n\t\t:foreach key,value in=\$nb do={\r\
\n\t\t\t:local newline [:find \$value \"\\n\"]\r\
\n\t\t\t:if ([\$newline]>0) do={\r\
\n\t\t\t\t:set value [:pick \$value 0 \$newline]\r\
\n\t\t\t}\r\
\n\t\t\t:log info message=\"script=neighbor nid=\$id \$key=\\\"\$value\\\"\
\"\r\
\n\t\t}\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Collect DHCP Pool information\r\
\n# ----------------------------------\r\
\n:if (\$DHCP and \$run) do={\r\
\n\t/ip pool {\r\
\n\t\t:local poolname\r\
\n\t\t:local pooladdresses\r\
\n\t\t:local poolused\r\
\n\t\t:local minaddress\r\
\n\t\t:local maxaddress\r\
\n\t\t:local findindex\r\
\n\r\
\n# Iterate through IP Pools\r\
\n\t\t:foreach pool in=[find] do={\r\
\n\t\t\t:set poolname [get \$pool name]\r\
\n\t\t\t:set pooladdresses 0\r\
\n\t\t\t:set poolused 0\r\
\n\r\
\n# Iterate through current pool's IP ranges\r\
\n\t\t\t:foreach range in=[:toarray [get \$pool range]] do={\r\
\n\r\
\n# Get min and max addresses\r\
\n\t\t\t\t:set findindex [:find [:tostr \$range] \"-\"]\r\
\n\t\t\t\t:if ([:len \$findindex] > 0) do={\r\
\n\t\t\t\t\t:set minaddress [:pick [:tostr \$range] 0 \$findindex]\r\
\n\t\t\t\t\t:set maxaddress [:pick [:tostr \$range] (\$findindex + 1) [:le\
n [:tostr \$range]]]\r\
\n\t\t\t\t} else={\r\
\n\t\t\t\t\t:set minaddress [:tostr \$range]\r\
\n\t\t\t\t\t:set maxaddress [:tostr \$range]\r\
\n\t\t\t\t}\r\
\n\r\
\n# Calculate number of ip in one range\r\
\n\t\t\t\t:set pooladdresses (\$maxaddress - \$minaddress)\r\
\n\r\
\n# /foreach range\r\
\n\t\t\t}\r\
\n\r\
\n# Test if pools is used in DHCP or VPN and show leases used\r\
\n\t\t\t:local dname [/ip dhcp-server find where address-pool=\$poolname]\
\r\
\n\t\t\t:if ([:len \$dname] = 0) do={\r\
\n# No DHCP server found, assume VPN\r\
\n\t\t\t\t:set poolused [:len [used find pool=[:tostr \$poolname]]]\r\
\n\t\t\t} else={\r\
\n# DHCP server found, count leases\r\
\n\t\t\t\t:local dname [/ip dhcp-server get [find where address-pool=\$poo\
lname] name]\r\
\n\t\t\t\t:set poolused [:len [/ip dhcp-server lease find where server=\$d\
name]]}\r\
\n\r\
\n# Send data\r\
\n\t\t\t:log info message=(\"script=pool pool=\$poolname used=\$poolused t\
otal=\$pooladdresses\")\r\
\n\r\
\n# /foreach pool\r\
\n\t\t}\r\
\n# /ip pool\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Get detailed command history RouterOS >= v7\r\
\n# ----------------------------------\r\
\n:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and \$CmdHi\
story) do={\r\
\n\t:global cmd\r\
\n\t:local f 0\r\
\n\t:foreach i in=[/system history find] do={\r\
\n\t\t:if (\$i = \$cmd) do={ :set f 1 }\r\
\n\t\t:if (\$f != 1) do={\r\
\n\t\t\t:log info message=\"StartCMD\"\r\
\n\t\t\t:log info message=[/system history get \$i]\r\
\n\t\t\t:log info message=\"EndCMD\"\r\
\n\t\t}\r\
\n\t}\r\
\n\t:global cmd [:pick [/system history find] 0]\r\
\n}\r\
\n\r\
\n\r\
\n# Test if CAPsMANN is installed, if yes, run capsmann script.\r\
\n# ----------------------------------\r\
\n:if ( ([:len [/interface find where type=\"cap\"]] > 0) and \$CAPsMANN) \
do={ /system script run capsman }\r\
\n\r\
\n\r\
\n# End Script"
/tool romon
set enabled=yes
CHRv6.49.4:
/interface bridge
add name=bridge1 protocol-mode=none
/system logging action
add name=72 remote=10.0.0.72 src-address=10.0.0.56 target=remote
/interface bridge port
add bridge=bridge1 interface=ether1
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=bridge1
/system clock manual
set time-zone=+02:00
/system identity
set name=CHR_x86_64
/system logging
add action=72 disabled=yes prefix=MikroTik topics=critical
add action=72 disabled=yes prefix=MikroTik topics=account
add action=72 disabled=yes prefix=MikroTik topics=health
add action=72 disabled=yes prefix=MikroTik topics=interface
add action=72 disabled=yes prefix=MikroTik topics=info
add action=72 prefix=MikroTik topics=!debug,!packet,!snmp
/system note
set note="\r\
\n _____ _ _ _____ __ _ _ \r\
\n / ____| | | | __ \\ / /| || | \r\
\n | | | |__| | |__) | / /_| || |_ \r\
\n | | | __ | _ / | '_ \\__ _|\r\
\n | |____| | | | | \\ \\ | (_) | | | \r\
\n \\_____|_| |_|_| \\_\\ \\___/ |_| \r\
\n ______ \r\
\n |______| \r\
\n"
/system ntp client
set enabled=yes primary-ntp=10.0.0.1 secondary-ntp=10.0.200.0
/system ntp server
set enabled=yes
/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/03/2022 start-time=14:56:37
/system script
add dont-require-permissions=no name=Data_to_Splunk_using_Syslog owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="# Collect information from Mikrotik RouterOS\r\
\n# Jotne 2021\r\
\n:log info message=\"script=version ver=4.8\"\r\
\n# ----------------------------------\r\
\n\r\
\n\r\
\n# What data to collect. Set to false to skip the section \r\
\n# ----------------------------------\r\
\n:local SystemResource true\r\
\n:local SystemInformation true\r\
\n:local SystemHealth true\r\
\n:local TrafficData true\r\
\n:local AccuntData true\r\
\n:local uPnP true\r\
\n:local Wireless false\r\
\n:local AddressLists true\r\
\n:local DHCP true\r\
\n:local Neighbor true\r\
\n:local InterfaceData true\r\
\n:local CmdHistory true\r\
\n:local CAPsMANN false\r\
\n\r\
\n\r\
\n# Collect system resource\r\
\n# ----------------------------------\r\
\n:if (\$SystemResource) do={\r\
\n\t/system resource\r\
\n\t:local cpuload [get cpu-load]\r\
\n\t:local freemem ([get free-memory]/1048576)\r\
\n\t:local totmem ([get total-memory]/1048576)\r\
\n\t:local freehddspace ([get free-hdd-space]/1048576)\r\
\n\t:local totalhddspace ([get total-hdd-space]/1048576)\r\
\n\t:local up [get uptime]\r\
\n\t:local sector [get write-sect-total]\r\
\n\t:log info message=\"script=resource free_memory=\$freemem MB total_mem\
ory=\$totmem MB free_hdd_space=\$freehddspace MB total_hdd_space=\$totalhd\
dspace MB cpu_load=\$cpuload uptime=\$up write-sect-total=\$sector\"\r\
\n}\r\
\n\r\
\n\r\
\n# Make some part only run every hours\r\
\n# ----------------------------------\r\
\n:global Hour\r\
\n:local run false\r\
\n:local hour [:pick [/system clock get time] 0 2]\r\
\n:if (\$Hour != \$hour) do={\r\
\n\t:global Hour \$hour\r\
\n\t:set run true\r\
\n}\r\
\n\r\
\n\r\
\n# Get NTP status\r\
\n# ----------------------------------\r\
\n:local ntpstatus \"\"\r\
\n:if ([:len [/system package find where !disabled and name=ntp]] > 0 or [\
:tonum [:pick [/system resource get version] 0 1]] > 6) do={\r\
\n :set ntpstatus [/system ntp client get status]\r\
\n} else={\r\
\n :if ([:typeof [/system ntp client get last-update-from]] = \"nil\") \
do={\r\
\n :set ntpstatus \"using-local-clock\"\r\
\n } else={\r\
\n :set ntpstatus \"synchronized\"\r\
\n }\r\
\n}\r\
\n:log info message=\"script=ntp status=\$ntpstatus\" \r\
\n\r\
\n\r\
\n# Get interface traffic data for all interface\r\
\n# ----------------------------------\r\
\n:if (\$TrafficData) do={\r\
\n\t:foreach id in=[/interface find] do={\r\
\n\t\t:local output \"\$[/interface print stats as-value where .id=\$id]\"\
\r\
\n\t\t:set ( \"\$output\"->\"script\" ) \"if_traffic\"\r\
\n\t\t:log info message=\"\$output\"\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Get traffic data v2 (Kid Control)\r\
\n# ----------------------------------\r\
\n:if (\$AccuntData) do={\r\
\n\t:foreach logline in=[/ip kid-control device find] do={\r\
\n\t\t:local output \"\$[/ip kid-control device get \$logline]\"\r\
\n\t\t:set ( \"\$output\"->\"script\" ) \"kids\"\r\
\n\t\t:log info message=\"\$output\"\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Finding dynmaic lines used in uPnP\r\
\n# ----------------------------------\r\
\n:if (\$uPnP) do={\r\
\n\t:foreach logline in=[/ip firewall nat find where dynamic=yes and comme\
nt~\"^upnp \"] do={\r\
\n\t\t:local output \"\$[/ip firewall nat print as-value from=\$logline]\"\
\r\
\n\t\t:set ( \"\$output\"->\"script\" ) \"upnp\"\r\
\n\t\t:log info message=\"\$output\" \r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Collect system information\r\
\n# ----------------------------------\r\
\n:local model na\r\
\n:local serial na\r\
\n:local ffirmware na\r\
\n:local cfirmware na\r\
\n:local ufirmware na\r\
\n:if (\$SystemInformation and \$run) do={\r\
\n\t:local version ([/system resource get version])\r\
\n\t:local board ([/system resource get board-name])\r\
\n\t:if (\$board!=\"CHR\") do={\r\
\n\t\t/system routerboard\r\
\n\t\t:set model ([get model])\r\
\n\t\t:set serial ([get serial-number])\r\
\n\t\t:set ffirmware ([get factory-firmware])\r\
\n\t\t:set cfirmware ([get current-firmware])\r\
\n\t\t:set ufirmware ([get upgrade-firmware])\r\
\n\t}\r\
\n\t:local identity ([/system identity get name])\r\
\n\t:log info message=\"script=sysinfo version=\\\"\$version\\\" board-nam\
e=\\\"\$board\\\" model=\\\"\$model\\\" serial=\$serial identity=\\\"\$ide\
ntity\\\" factory-firmware=\\\"\$ffirmware\\\" current-firmware=\\\"\$cfir\
mware\\\" upgrade-firmware=\\\"\$ufirmware\\\"\"\r\
\n}\r\
\n\r\
\n\r\
\n# Collect system health\r\
\n# ----------------------------------\r\
\n:if (\$SystemHealth) do={\r\
\n\t:do {\r\
\n\t\t# New version\r\
\n\t\t:foreach id in=[/system health find] do={\r\
\n\t\t\t:local health \"\$[/system health get \$id]\"\r\
\n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
\n\t\t\t:log info message=\"\$health\"\r\
\n\t\t}\r\
\n\t} on-error={\r\
\n\t\t# Old version\r\
\n\t\t:if (!([/system health get]~\"(state=disabled|^\\\$)\")) do={\r\
\n\t\t\t:local health \"\$[/system health get]\"\r\
\n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
\n\t\t\t:log info message=\"\$health\"\r\
\n\t\t}\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Sends wireless client data to log server \r\
\n# ----------------------------------\r\
\n:if (\$Wireless && [:len [/int find where type=wlan]]>0) do={\r\
\n\t/interface wireless registration-table\r\
\n\t:foreach i in=[find] do={\r\
\n\t\t:log info message=\".id=\$i;ap=\$([get \$i ap]);interface=\$([get \$\
i interface]);mac-address=\$([get \$i mac-address]);signal-strength=\$([ge\
t \$i signal-strength]);tx-rate=\$([get \$i tx-rate]);uptime=\$([get \$i u\
ptime]);script=wifi\"\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Count IP in address-lists\r\
\n#----------------------------------\r\
\n:if (\$AddressLists) do={\r\
\n\t:local array [ :toarray \"\" ]\r\
\n\t:local addrcntdyn [:toarray \"\"] \r\
\n\t:local addrcntstat [:toarray \"\"] \r\
\n\t:local test\r\
\n\t:foreach id in=[/ip firewall address-list find] do={\r\
\n\t\t:local rec [/ip firewall address-list get \$id]\r\
\n\t\t:local listname (\$rec->\"list\")\r\
\n\t\t:local listdynamic (\$rec->\"dynamic\")\r\
\n\t\t:if (!(\$array ~ \$listname)) do={ :set array (\$array , \$listname)\
\_}\r\
\n\t\t:if (\$listdynamic = true) do={\r\
\n\t\t\t:set (\$addrcntdyn->\$listname) (\$addrcntdyn->\$listname+1)\r\
\n\t\t} else={\r\
\n\t\t\t:set (\$addrcntstat->\$listname) (\$addrcntstat->\$listname+1)}\r\
\n\t}\r\
\n\t:foreach k in=\$array do={\r\
\n\t\t:log info message=(\"script=address_lists list=\$k dynamic=\".((\$ad\
drcntdyn->\$k)+0).\" static=\".((\$addrcntstat->\$k)+0))}\r\
\n}\r\
\n\r\
\n\r\
\n# Get MNDP (CDP) Neighbors\r\
\n# ----------------------------------\r\
\n:if (\$Neighbor and \$run) do={\r\
\n\t:foreach neighborID in=[/ip neighbor find] do={\r\
\n\t\t:local nb [/ip neighbor get \$neighborID]\r\
\n\t\t:local id [:pick (\"\$nb\"->\".id\") 1 99]\r\
\n\t\t:foreach key,value in=\$nb do={\r\
\n\t\t\t:local newline [:find \$value \"\\n\"]\r\
\n\t\t\t:if ([\$newline]>0) do={\r\
\n\t\t\t\t:set value [:pick \$value 0 \$newline]\r\
\n\t\t\t}\r\
\n\t\t\t:log info message=\"script=neighbor nid=\$id \$key=\\\"\$value\\\"\
\"\r\
\n\t\t}\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Collect DHCP Pool information\r\
\n# ----------------------------------\r\
\n:if (\$DHCP and \$run) do={\r\
\n\t/ip pool {\r\
\n\t\t:local poolname\r\
\n\t\t:local pooladdresses\r\
\n\t\t:local poolused\r\
\n\t\t:local minaddress\r\
\n\t\t:local maxaddress\r\
\n\t\t:local findindex\r\
\n\r\
\n# Iterate through IP Pools\r\
\n\t\t:foreach pool in=[find] do={\r\
\n\t\t\t:set poolname [get \$pool name]\r\
\n\t\t\t:set pooladdresses 0\r\
\n\t\t\t:set poolused 0\r\
\n\r\
\n# Iterate through current pool's IP ranges\r\
\n\t\t\t:foreach range in=[:toarray [get \$pool range]] do={\r\
\n\r\
\n# Get min and max addresses\r\
\n\t\t\t\t:set findindex [:find [:tostr \$range] \"-\"]\r\
\n\t\t\t\t:if ([:len \$findindex] > 0) do={\r\
\n\t\t\t\t\t:set minaddress [:pick [:tostr \$range] 0 \$findindex]\r\
\n\t\t\t\t\t:set maxaddress [:pick [:tostr \$range] (\$findindex + 1) [:le\
n [:tostr \$range]]]\r\
\n\t\t\t\t} else={\r\
\n\t\t\t\t\t:set minaddress [:tostr \$range]\r\
\n\t\t\t\t\t:set maxaddress [:tostr \$range]\r\
\n\t\t\t\t}\r\
\n\r\
\n# Calculate number of ip in one range\r\
\n\t\t\t\t:set pooladdresses (\$maxaddress - \$minaddress)\r\
\n\r\
\n# /foreach range\r\
\n\t\t\t}\r\
\n\r\
\n# Test if pools is used in DHCP or VPN and show leases used\r\
\n\t\t\t:local dname [/ip dhcp-server find where address-pool=\$poolname]\
\r\
\n\t\t\t:if ([:len \$dname] = 0) do={\r\
\n# No DHCP server found, assume VPN\r\
\n\t\t\t\t:set poolused [:len [used find pool=[:tostr \$poolname]]]\r\
\n\t\t\t} else={\r\
\n# DHCP server found, count leases\r\
\n\t\t\t\t:local dname [/ip dhcp-server get [find where address-pool=\$poo\
lname] name]\r\
\n\t\t\t\t:set poolused [:len [/ip dhcp-server lease find where server=\$d\
name]]}\r\
\n\r\
\n# Send data\r\
\n\t\t\t:log info message=(\"script=pool pool=\$poolname used=\$poolused t\
otal=\$pooladdresses\")\r\
\n\r\
\n# /foreach pool\r\
\n\t\t}\r\
\n# /ip pool\r\
\n\t}\r\
\n}\r\
\n\r\
\n\r\
\n# Get detailed command history RouterOS >= v7\r\
\n# ----------------------------------\r\
\n:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and \$CmdHi\
story) do={\r\
\n\t:global cmd\r\
\n\t:local f 0\r\
\n\t:foreach i in=[/system history find] do={\r\
\n\t\t:if (\$i = \$cmd) do={ :set f 1 }\r\
\n\t\t:if (\$f != 1) do={\r\
\n\t\t\t:log info message=\"StartCMD\"\r\
\n\t\t\t:log info message=[/system history get \$i]\r\
\n\t\t\t:log info message=\"EndCMD\"\r\
\n\t\t}\r\
\n\t}\r\
\n\t:global cmd [:pick [/system history find] 0]\r\
\n}\r\
\n\r\
\n\r\
\n# Test if CAPsMANN is installed, if yes, run capsmann script.\r\
\n# ----------------------------------\r\
\n:if ( ([:len [/interface find where type=\"cap\"]] > 0) and \$CAPsMANN) \
do={ /system script run capsman }\r\
\n\r\
\n\r\
\n# End Script\r\
\n"
Thanks!
I've never used Splunk before but thought I would give it a try for home.
Under MikroTik Device Traffic (although I properly have kid-control enabled), the hostname is blank for all entries, even though I can see in kid-control devices that the hostname is shown for some of those. Also, instead of showing all IP addresses the device has, it only shows the first one in the list. Other than that most features seem to work.
I am using CAPsMAN as well but there is no data displayed there.
Let it run for at least one day. Some scripts only run every 24 hours.
Thanks a lot Jotne for your App for Splunk!
It's my first installation of Splunk and your guide proved to be very helpful.
I first installed both on Ubuntu Server running on a physical PC. I tried it for several days and it performed great.
Then I installed it on the same OS but running in a Proxmox VE virtual machine; great performance also!
I will stick to the latter configuration.
Thanks again to you, and also to the other members who contributed to this topic.