Post #1 updated with a tutorial on how to get it working.
Nice. I think you need to talk to xoff about getting this published through the Splunk Appbase.
Took a little test yesterday. Great tool for log analysis. One big problem with the free licence: no email alerts.
I agree with you.
There is a workaround. You can request a 6 month Developer licence.
It's free, and you get full function for 6 months:
10GB/day
Alert
+++
But it's only for 6 months…
Where's the “Mikrotik.zip” file? The attachment does not exist anymore. Could you send it again?
I have added the file, so it should work now.
Why it stopped working, I do not know.
Wow!! You did a great job. I've implemented it. Firewall data usage is not working for me. You mentioned to use the private key. Which one is the private key? All I can see are id_dsa and id_dsa.pub.
The .pub stands for public, which you place on the servers to which you want to log in without entering a password. So you normally generate the pair of private and public keys at the client machine in the ~/.ssh/ directory of the user from which you are going to log in to the server, and copy only the .pub file to the server (the MikroTik in this case). As @Jotne says to copy the private key to MikroTik/bin on the Splunk machine, that would be the id_dsa file without the .pub suffix.
Yeah, thanks. But even so, MikroTik asks for a password. So I found a different way to do it. Everything is working fine except the DNS logs. It was working, but since I made some changes, I think, the DNS logs are not getting in.
DNS logs come via syslog, so if you get other syslog data, you should also get DNS.
What are your logging settings?
I have two settings in my remote syslog settings.
add action=remote prefix=MikroTik topics=dhcp
add action=remote prefix=MikroTik topics=!debug,!snmp
The first line sends all DHCP messages, including debug messages.
The second line sends all messages that are not debug nor SNMP.
I do not need the SNMP, nor the debug messages from other modules.
This gives me logs from other modules like DNS, Firewall, System, UPnP, Interface, etc.
PS, I am working on a new version that gives log information for both wireless and hotspot.
Since hotspot only shows messages for logout by default, you should also get debug messages from it as well, and do like this:
add action=remote prefix=MikroTik topics=dhcp,hotspot
add action=remote prefix=MikroTik topics=!debug,!snmp
@Jotne
I like your solution and examples in Splunk. I think that I followed your instructions, but I still have in the Mikrotik App
“No results found.”
Can you please help me to find what I’m doing wrong ?
Thanks in advance.
Splunk should receive data if MikroTik is correctly set up, even if the MikroTik app is not installed.
What is important:
- Make sure your device sends syslog messages.
add name=Server_Name remote=192.168.1.x target=remote
add action=remote prefix=MikroTik topics=dhcp,hotspot
add action=remote prefix=MikroTik topics=!debug,!snmp
This should send at least information on changes and some other logs.
- Make sure no firewall blocks the data entering your server.
- Enable Splunk to receive the syslog.
Then a search like this should give you data.
http://your-server:8000/en-GB/app/search/search?q=search%20*
Sure, that's all working.
I see this data in splunk stream and I can browse them.
The problem is that on Mikrotik Application there is nothing.
Same problem like before : “No results found.”
Go to search and write * to do a general search.
Paste some lines here, so I can see what it looks like.
You may not have tagged rules with MikroTik (NB upper M and upper T)
prefix=MikroTik
Thanks!
Yes, “Mikrotik” vs. “MikroTik” - works, with the following:
- MikroTik DNS Live usage
- MikroTik DNS request
- MikroTik Firewall
but it is not working with the following:
- MikroTik Volt/Temperature
- MikroTik Live attack - I have to add name to rule “FW_Drop_all_from_WAN”
- MikroTik Web Proxy - but currently I’m not using proxy
- MikroTik DHCP request - where to add debug messages?
- Mikrotik DHCP pool information - how to run ?
- MikroTik remote connection - like VPN ?
- MikroTik Firewall data usage - SSH ? (how to run this?)
- MikroTik uPnP - SSH (how to run this?)
Can you please advise me how to run this ?
For lots of the stuff you are missing some rules.
That is partly my fault; that data depends on rules that need names.
Click on the magnifying glass under the graph and see where the data is coming from.
Live logs need a rule with the correct name; look at the search (third line).
sourcetype=mikrotik
module=firewall
rule=FW_Drop_all_from_WAN
| search dest_port=*
| lookup dnslookup clientip as src_ip OUTPUT clienthost as src_host
| iplocation src_ip
| eval City=if(isnull(City) OR City="", "Unknown", City)
,src_host=if(isnull(src_host) OR src_host="", src_ip, src_host)
,info=src_host."-".City."-".Country."-".dest_port.":".protocol
| geostats globallimit=0 count by info
Live log needs this as the last FW rule.
add action=drop chain=input comment="Drop all from WAN " in-interface=ether1-Wan log=yes log-prefix=FW_Drop_all_from_WAN
Volt/Temperature
source="snmp://MikroTik-info"
Needs SNMP working. (Splunk asks the device via SNMP to get data.)
DHCP request
It seems that something has changed in MikroTik logging, so remove the logging rules and change to
add action=remote prefix=MikroTik topics=!debug,!snmp
DHCP pool information
Needs SNMP to work.
MikroTik Remote connection.
This should show VPN, but something has changed in the logging.
Remove “severity=info” from the section “3. VPN logged in ok”.
SSH is explained in the first post.
Get data from MikroTik with SSH (only works with the Linux Splunk version)
https://wiki.mikrotik.com/wiki/Use_SSH_ … key_login)
Add the private key to the folder: MikroTik\bin
Change script in MikroTik\bin to use correct key and IP
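As an added example, not code from this thread or from the MikroTik Splunk app: a small Python parser that applies the same filtering as the Splunk "Live attack" search above (prefix, module=firewall, rule=FW_Drop_all_from_WAN, a dest_port present) to a few constructed syslog lines, and also flags lines whose prefix differs from "MikroTik" only in case, which is the "Mikrotik" vs "MikroTik" mismatch that produced "No results found" earlier in the thread. The "prefix topics message" layout of the sample lines, the interface name and addresses in them, and the function names are assumptions; the DNS and GeoIP lookups of the original search are left out because they need network access.

```python
import re
from collections import Counter

# Constructed sample syslog payloads (not real captures). Assumed layout:
# "<prefix> <topic,topic> <message>", with the firewall rule's log-prefix
# leading the message, as in the thread's FW_Drop_all_from_WAN rule.
SAMPLE_LINES = [
    "MikroTik firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), "
    "src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:51234->198.51.100.1:22, len 60",
    "MikroTik firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), "
    "src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.9:40000->198.51.100.1:53, len 80",
    # wrong case in the prefix: the app's searches will never match this line
    "Mikrotik firewall,info FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), "
    "src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:1111->198.51.100.1:445, len 60",
    "MikroTik dhcp,info dhcp1 assigned 192.168.88.10 to 00:11:22:33:44:66",
    # firewall line from a rule without a log-prefix and without ports (ICMP)
    "MikroTik firewall,info input: in:ether1-Wan out:(unknown 0), "
    "src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 203.0.113.8->198.51.100.1, len 84",
]

PREFIX = "MikroTik"  # the app's expected prefix; the comparison is case-sensitive

# prefix, comma-separated topics, rest of message
LINE_RE = re.compile(r"^(?P<prefix>\S+) (?P<topics>[\w,-]+) (?P<msg>.*)$")

# optional rule name (log-prefix), chain, in-interface, protocol, src/dst with optional ports
FW_RE = re.compile(
    r"^(?:(?P<rule>\S+) )?(?P<chain>input|forward|output): in:(?P<in_if>\S+) out:.*?"
    r", proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?::(?P<src_port>\d+))?->"
    r"(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?::(?P<dst_port>\d+))?"
)


def parse_line(line):
    """Split a line into prefix/module/severity and, for firewall lines, the packet fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    topics = m["topics"].split(",")
    rec = {
        "prefix": m["prefix"],
        "module": topics[0],                      # first topic, e.g. firewall, dhcp
        "severity": topics[1] if len(topics) > 1 else None,
        "message": m["msg"],
    }
    if rec["module"] == "firewall":
        f = FW_RE.match(rec["message"])
        if f:
            rec.update(
                rule=f["rule"], chain=f["chain"], in_if=f["in_if"],
                protocol=f["proto"], src_ip=f["src_ip"], dest_ip=f["dst_ip"],
                src_port=f["src_port"], dest_port=f["dst_port"],
            )
    return rec


def live_attack(lines, rule="FW_Drop_all_from_WAN"):
    """Mimic the Splunk search: prefix, module=firewall, named rule, dest_port present.

    Returns a Counter keyed like the search's "info" field minus host/geo:
    "<src_ip>-<dest_port>:<protocol>".
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["prefix"] != PREFIX or rec["module"] != "firewall":
            continue
        if rec.get("rule") != rule or rec.get("dest_port") is None:
            continue
        counts[f'{rec["src_ip"]}-{rec["dest_port"]}:{rec["protocol"]}'] += 1
    return counts


def prefix_mismatches(lines):
    """Lines tagged with the right prefix in the wrong case (e.g. "Mikrotik")."""
    bad = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["prefix"] != PREFIX and rec["prefix"].lower() == PREFIX.lower():
            bad.append(line)
    return bad


if __name__ == "__main__":
    for key, n in live_attack(SAMPLE_LINES).items():
        print(n, key)
    for line in prefix_mismatches(SAMPLE_LINES):
        print("prefix case mismatch:", line[:40], "...")
```

Running it on the constructed lines reports two dropped connections (ports 22 and 53) and one line that the app would silently ignore because its prefix is "Mikrotik"; the ICMP line is parsed but excluded, exactly as `| search dest_port=*` excludes it in Splunk.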
Hi Jotne,
Can you please update the download links? They really don't work. And congratulations for this great job!!
Link in first post works fine.
Can you please help me set up log analysis for hotspot users.
http://forum.mikrotik.com/t/how-to-capture-hotspot-user-log/119573/1
First, thank you for all the work you have done.
All views are working with the exception of DHCP pool info. mikrotik_dhcp_pool_information.sh seems to be calling a script that simply doesn’t exist on my MikroTik device:
/system script run DHCP-Pool-information
As per your reply above, SNMP is working as I get volt/temp info after editing defaults/inputs.conf to match my device. I don’t see any info in first post about adding the above script to RouterOS. Where might I get that code?