
Display packets logged by a firewall rule

Posted: Mon Aug 26, 2013 2:03 pm
by PapaSmurf
I have a firewall rule with action=log and the prefix set to DROPPED PACKETS. I can see some traffic on that rule in the corresponding Winbox tab. When I issue the log print command I can see only several records like these:
02:00:23 system,error,critical ERROR: login failure for user admin from 192.168.0.136 via ssh
How can I display those logged messages?
Thanks!

Re: Display packets logged by a firewall rule

Posted: Mon Aug 26, 2013 11:17 pm
by ivtts
You may check that for topic info in "System->Logging" the action memory is set (that is the default).
If you have too many messages about "login failure", you may also set the quantity of logged rows in memory ("System->Logging", then "Actions", select memory and set a value for "Lines"). Don't set a very big value; it may fill router memory.

If you are sure that there is traffic for this rule, then you may try this:
in "System->Logging" add a record for topic firewall and select action memory or disk. If action disk was selected, then log messages will be stored in the file log.0.txt (these files are stored on the router; you can see them in the "Files" menu).
If there are still no messages, undo these actions (so that *.log files do not take up disk space).

Also, you can configure your MikroTik to send log messages to a syslog server (and also set action syslog for the wanted topics) (e.g. as part of The Dude).

Re: Display packets logged by a firewall rule

Posted: Tue Aug 27, 2013 10:05 am
by PapaSmurf
Thanks for the reply. Is there a way to filter logs by their prefix? e.g. log print where prefix="DROPED PACKETS" ???

Re: Display packets logged by a firewall rule

Posted: Wed Aug 28, 2013 1:10 pm
by janisk
Usually, if I expect the log to be quite verbose, or I have to log 2 verbose things at the same time, I do the following:

1. add logging action, like
/system logging action add name=dhcp target=memory memory-lines=1000
2. add topic to log that stuff
/system logging add action=dhcp topics=dhcp disabled=no
3. see log
/log print where buffer=dhcp
or in Winbox choose, in the upper right corner, which buffer you want to see

Or just use Winbox and its filter feature.
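
The same three steps applied to the firewall topic from the original question, as an added example that is not part of any post in this thread. The buffer name fwdrop is an assumption, and the prefix filter relies on the rule's log prefix appearing in each entry's message text:

```routeros
# Added example. "fwdrop" is a hypothetical buffer name, not from the thread.

# 1. Dedicated in-memory buffer, bounded so it cannot exhaust router RAM.
/system logging action add name=fwdrop target=memory memory-lines=1000

# 2. Send the firewall topic (where action=log rules write) into that buffer.
/system logging add action=fwdrop topics=firewall disabled=no

# 3. Show only that buffer.
/log print where buffer=fwdrop

# 4. Narrow to entries that carry the rule's prefix (regex match on the message).
/log print where buffer=fwdrop message~"DROPPED PACKETS"

# 5. Watch new matches as they arrive.
/log print follow where buffer=fwdrop message~"DROPPED PACKETS"
```

Because the buffer is capped at 1000 lines, older entries are overwritten under heavy traffic; a disk or remote syslog action keeps a longer history.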