Community discussions

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Using Splunk to analyse MikroTik logs

This software has been updated. 2.0 found here:
viewtopic.php?f=2&t=137338

If you like the perfect tool for analyzing MikroTik logs, look at Splunk.
For up to 500MB of log per day, it's absolutely free.

Here is a simple install tutorial:
-----------------------------------------
Download and install Splunk (Windows or Linux (recommended))

Change to the free license group. Very important to do before 30 days of use!
Settings->Licensing->Change license group->Free license->Save

Open Windows Firewall for UDP on Windows
Start->type "adv"->Select: Windows Firewall with Advanced Security->Select Inbound Rules->Right click "Inbound Rules"->New Rule->Port->Next->UDP->Specific local ports->514->Next->Next->Next->Name "syslog"

Allow UDP 514 (syslog)
Settings->Data inputs->Add new (behind the UDP)->Port 514->Next->Sourcetype: type syslog and select syslog->Next->Submit

Install "SNMP"
At the launch page click the gear near the Apps
Browse more apps->in search field: SNMP Modular Input->Install->use your user/password (from splunk.com)

Download the ZIP file
Extract it with all its folders and copy them to %Splunk home%/etc/apps
MikroTik_1.1.zip
NB!! Files in the folder splunk/etc/apps/MikroTik/bin need to be executable. Do this:
```
chmod +x *.sh
```

On your MikroTik
Send syslog from your MikroTik to Splunk
System->Logging->Action->Add New->Name (your server name)->Type: Remote->Remote Address: IP of your syslog server->Ok
```
add name=Server_Name remote=192.168.1.x target=remote
```
To get all logs except debug (normally OK)
System->Logging->Rules->Add new->Enable: v->Topics: !debug->Prefix: MikroTik->Action: your syslog server->Ok
It is very important to name the prefix exactly "MikroTik" and not "mikrotik" or something else. Otherwise it will break everything.

Edit: This gets all logs from dhcp and hotspot, including debug, plus it gets info logs from all other modules, except snmp, which I do not need.
```
add action=remote prefix=MikroTik topics=dhcp
add action=remote prefix=MikroTik topics=!debug
```
Then you can start selecting what to log.
You should at least log this rule: "defconf: drop all not coming from LAN"
IP->Firewall->select: defconf: drop all not coming from LAN->Log: v->Log Prefix: FW_Drop_all_from_WAN
```
add action=drop chain=input comment="Drop all from WAN " in-interface=ether1 log=yes log-prefix=FW_Drop_all_from_WAN
```
To make Splunk work you need to name the rules, so Splunk knows where it comes from.
Start firewall rules with "FW_", NAT rules with "NAT_" etc. Do not use spaces in the name.
Example of logging NAT sessions to my web server:
```
add action=netmap chain=dstnat comment="Web -> Server" dst-port=80 in-interface=ether1 log=yes log-prefix=NAT_Web_Server protocol=tcp to-addresses=192.168.1.58 to-ports=80
```
Get data from MikroTik with SSH (only works with the Linux Splunk version)
https://wiki.mikrotik.com/wiki/Use_SSH_ ... key_login)
Add the private key to the folder: MikroTik\bin
Change the script in MikroTik\bin to use the correct key and IP (your MikroTik)

To get accounting data, you need to enable it on the MikroTik router.
Web GUI:
IP->Accounting->Enable Accounting->mark->Apply
I have set the threshold to 2560 (not sure what the default is)

MikroTik Firewall data usage (MikroTik Traffic) (in MikroTik/default/data/ui/views/mikrotik_firewall_data_usage.xml)
Edit all lines with:
```
search ip="10.10.10.0/24"
```
to your inside IP

Script to get DHCP pool information. Important that it uses the same name as below:
DHCP-Pool-information
```
# List stats for IP -> Pool
# v1.1
# https://forum.mikrotik.com/viewtopic.php?t=40467
# criticalthreshold = output pool display in red if pool used is above this %
# warnthreshold = output pool display in gold if pool used is above this %

:local criticalthreshold 90
:local warnthreshold 80
:local hostname [/system identity get name]

# Internal processing below...
# ----------------------------------
/ip pool {
  :local poolname
  :local pooladdresses
  :local poolused
  :local poolpercent
  :local minaddress
  :local maxaddress
  :local findindex
  :local tmpint
  :local maxindex
  :local line

#  :put ("IP Pool Statistics")
#  :put ("------------------")

# Iterate through IP Pools
  :foreach p in=[find] do={

    :set poolname [get $p name]
    :set pooladdresses 0
    :set poolused 0
    :set line ""
    :set line ("pool=" . $poolname)

#   Iterate through current pool's IP ranges
    :foreach r in=[:toarray [get $p range]] do={
#     Get min and max addresses
      :set findindex [:find [:tostr $r] "-"]
      :if ([:len $findindex] > 0) do={
        :set minaddress [:pick [:tostr $r] 0 $findindex]
        :set maxaddress [:pick [:tostr $r] ($findindex + 1) [:len [:tostr $r]]]
      } else={
        :set minaddress [:tostr $r]
        :set maxaddress [:tostr $r]
      }

#     Convert to array of octets (replace '.' with ',')
      :for x from=0 to=([:len [:tostr $minaddress]] - 1) do={
        :if ([:pick [:tostr $minaddress] $x ($x + 1)] = ".") do={
          :set minaddress ([:pick [:tostr $minaddress] 0 $x] . "," . \
            [:pick [:tostr $minaddress] ($x + 1) [:len [:tostr $minaddress]]])
        }
      }
      :for x from=0 to=([:len [:tostr $maxaddress]] - 1) do={
        :if ([:pick [:tostr $maxaddress] $x ($x + 1)] = ".") do={
          :set maxaddress ([:pick [:tostr $maxaddress] 0 $x] . "," . \
            [:pick [:tostr $maxaddress] ($x + 1) [:len [:tostr $maxaddress]]])
        }
      }

#     Calculate available addresses for current range
      :if ([:len [:toarray $minaddress]] = [:len [:toarray $maxaddress]]) do={
        :set maxindex ([:len [:toarray $minaddress]] - 1)
        :for x from=$maxindex to=0 step=-1 do={
#         Calculate 256^($maxindex - $x)
          :set tmpint 1
          :if (($maxindex - $x) > 0) do={
            :for y from=1 to=($maxindex - $x) do={ :set tmpint (256 * $tmpint) }
          }
          :set tmpint ($tmpint * ([:tonum [:pick [:toarray $maxaddress] $x]] - \
            [:tonum [:pick [:toarray $minaddress] $x]]))
          :set pooladdresses ($pooladdresses + $tmpint)
#       for x
        }
#     if len array $minaddress = $maxaddress
      }

#     Add current range to total pool's available addresses
      :set pooladdresses ($pooladdresses + 1)
#   foreach r
    }

#   Now, we have the available addresses for all ranges in this pool
#   Get the number of used addresses for this pool
    :set poolused [:len [used find pool=[:tostr $poolname]]]
    :set poolpercent (($poolused * 100) / $pooladdresses)

#   Output information
    :set line ([:tostr $line] . " used=" . $poolused . " total=" . $pooladdresses)
    :set line ([:tostr $line] . " percent=" . $poolpercent . " hostname=" . $hostname)

#   Set colored display for used thresholds
    :if ( [:tonum $poolpercent] > $criticalthreshold ) do={
      :log error ("IP Pool " . $poolname . " is " . $poolpercent . "% full")
      :put ([:terminal style varname] . $line)
    } else={
      :if ( [:tonum $poolpercent] > $warnthreshold ) do={
        :log warning ("IP Pool " . $poolname . " is " . $poolpercent . "% full")
        :put ([:terminal style syntax-meta] . $line)
      } else={
        :put ([:terminal style none] . $line)
      }
    }
# foreach p
  }
# /ip pool
}
```

Gives a view of what the firewall does.
Firewall analyzer.jpg

I use this to see who is online. You can also create views to see the actual DNS requests.
DNS Live view.jpg

Shows all DHCP requests.
DHCP requests.jpg

Last edited by Jotne on Sat Aug 04, 2018 9:32 pm, edited 15 times in total.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Here you see all the tries to log in to the admin GUI of the MikroTik, as well as using various tunnels.
Remote access.jpg

Who is hammering on your blocked firewall ports?
Live attack.jpg

Who is eating up your bandwidth?
Firewall data usage.jpg

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Temperature and voltage in the MikroTik.
Volt-Temperature.jpg

dillagr
just joined
Posts: 20
Joined: Mon Dec 26, 2016 2:21 pm

### Re: Using Splunk to analyse MikroTik logs

This is cool! Could you share how/what you did on the MikroTik side for this to happen?

______
I blog at this URL: http://www.pimp-my-rig.com | Win Free Bitcoins!

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Sure I will do.
Setup where the logging should go:
System->Logging->Action->remote
Type: Remote
Remote Address: your Splunk or other logging server's IP
Remote port: 514 (default)

Then you set up what to log.
System->Logging->Rules->Add new
Enabled: x
Topics: !ups (see the "not". So I log all but not ups. This is a trick to get all)
Prefix: MikroTik (I set this so that all is tagged MikroTik in the syslog)
Action: Remote (send to syslog server)

You can also add logging of the firewall. Example: the last rule that blocks all that is not allowed:
```
10 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=yes log-prefix="rule_10"
```
Here I have set log=yes and log-prefix="rule_10". I give all log rules and NAT rules a different number. Then it's easy to see in Splunk which rule blocked the data.

I have also added a module for Splunk so that it can read SNMP.

dillagr
just joined
Posts: 20
Joined: Mon Dec 26, 2016 2:21 pm

### Re: Using Splunk to analyse MikroTik logs

Thanks! Appreciate it.

efaden
Forum Guru
Posts: 1711
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

### Re: Using Splunk to analyse MikroTik logs

Can you graph data usage by MAC address?

rextended
Forum Guru
Posts: 3953
Joined: Tue Feb 25, 2014 12:49 pm
Location: Capalbio, Tuscany, Italy

### Re: Using Splunk to analyse MikroTik logs

> Topics: !ups (see the "not". So I log all but not ups. This is a trick to get all)

If you disable "debug" instead of "ups" your log space is not wasted with useless "debug" information when not debugging.

For logging all firewall traffic there must be one rule at the top: chain=forward action=log (and if it is needed to monitor router CPU traffic, chain=input action=log and chain=output action=log)

One RouterOS to rule them all.
Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

> Can you graph data usage by MAC address?

Yes. As long as it's in the log message. E.g. DHCP has the MAC in its message.
You can also make a CSV table in Splunk with IP/MAC/Hostname etc. and do a lookup on the fly.

> If you disable "debug" instead of "ups" your log space is not wasted with useless "debug" information when not debugging.

Good tip. I did also add !SNMP since SNMP requests from Splunk flood my log.

> For logging all firewall traffic there must be one rule at the top: chain=forward action=log (and if it is needed to monitor router CPU traffic, chain=input action=log and chain=output action=log)

Will try it out.

nikc
Member Candidate
Posts: 196
Joined: Wed Jul 13, 2016 6:05 pm

### Re: Using Splunk to analyse MikroTik logs

Would love some more info on the searches you have used to build the graphs etc. here, they look great.

Larsa
Member Candidate
Posts: 238
Joined: Sat Aug 29, 2015 7:40 pm

### Re: Using Splunk to analyse MikroTik logs

> Would love some more info on the searches you have used to build the graphs etc. here, they look great.

A very brief MikroTik-Splunk wiki perhaps?

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

It's not just as simple as posting the search. Splunk is a complex tool, and you need to have some insight into how things work.
The best way to make it easy for others to use is to make an app of it. I have done some apps before, but it's time consuming.
Example: this dashboard that shows live attacks.
```xml
<form>
  <label>MikroTik Live attack</label>
  <fieldset submitButton="false">
    <input type="time" token="global_time">
      <label>Time span</label>
      <default>
        <earliest>rt-5m</earliest>
        <latest>rt</latest>
      </default>
    </input>
    <input type="dropdown" token="port">
      <label>Port</label>
      <choice value="*">Any</choice>
      <default>*</default>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>dest_port</fieldForValue>
      <search>
        <query>sourcetype=mikrotik module=firewall chain=input rule=10 | top limit=0 dest_port | eval info=dest_port ." (".count.")" | sort - count</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <map>
        <search>
          <query>sourcetype=mikrotik module=firewall chain=input rule=10 dest_port=$port$ | lookup dnslookup clientip as src_ip OUTPUT clienthost as src_host | iplocation src_ip | eval City=if(isnull(City) OR City="", "Unknown", City) ,src_host=if(isnull(src_host) OR src_host="", src_ip, src_host) ,info=src_host."-".City."-".Country."-".dest_port.":".protocol | geostats globallimit=0 count by info</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">all</option>
        <option name="mapping.choroplethLayer.colorBins">5</option>
        <option name="mapping.choroplethLayer.colorMode">auto</option>
        <option name="mapping.choroplethLayer.maximumColor">0xDB5800</option>
        <option name="mapping.choroplethLayer.minimumColor">0x2F25BA</option>
        <option name="mapping.choroplethLayer.neutralPoint">0</option>
        <option name="mapping.choroplethLayer.shapeOpacity">0.75</option>
        <option name="mapping.choroplethLayer.showBorder">1</option>
        <option name="mapping.data.maxClusters">100</option>
        <option name="mapping.map.center">(0,0)</option>
        <option name="mapping.map.panning">1</option>
        <option name="mapping.map.scrollZoom">0</option>
        <option name="mapping.map.zoom">2</option>
        <option name="mapping.markerLayer.markerMaxSize">50</option>
        <option name="mapping.markerLayer.markerMinSize">10</option>
        <option name="mapping.markerLayer.markerOpacity">0.8</option>
        <option name="mapping.showTiles">1</option>
        <option name="mapping.tileLayer.maxZoom">7</option>
        <option name="mapping.tileLayer.minZoom">0</option>
        <option name="mapping.tileLayer.tileOpacity">1</option>
        <option name="mapping.type">marker</option>
      </map>
    </panel>
  </row>
</form>
```

It needs several extractions and transcoding, like how to get the module type out:
```
EXTRACT-mikrotik_modul_status = ^(?<module>[^\s,]+)(,|)(?<info1>.*?)(,|)(?<severity>(debug|info|warning|critical)|)(,(?<info2>(packet|account|state|calc|event))|\s)
```

pietroscherer
Trainer
Posts: 172
Joined: Thu Mar 05, 2015 3:05 pm
Location: RS, Brazil

### Re: Using Splunk to analyse MikroTik logs

Nice!

https://www.graylog.org/ is an alternative, if you need more than 500 MB of logs per day.

Pietro Scherer
http://www.tchesolutions.com.br [ISPs Consulting and Training]
http://www.routermage.com [Backup and Automation System]

felix84
just joined
Posts: 8
Joined: Thu Feb 09, 2017 4:13 pm

### Re: Using Splunk to analyse MikroTik logs

> If you like the perfect tool for analyze MikroTik logs, look at Splunk. For up to 500MB of log pr day, its absolutely free

Wow! Those screenshots are great. We need to log firewall activity and some security warnings. Is it possible to do on an out-of-the-box installation, or is additional Splunk tuning required?
By this time we installed Splunk, configured it to listen on port 514, and also configured MikroTik to send logs, but it's a total mess. I suppose that I should create custom views, or maybe you can share yours or make some beginner's guide.
Thanks.
Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Splunk is not easy to use out of the box. It needs to learn the structure of the data that is entering the index.
To make this work, you need to tag all messages with MikroTik.
System->Logging->Rules
Edit the rule that sends syslog and in Prefix add MikroTik

I will post some files that help you to get going.
Create a folder so it's like this: (your Splunk default folder may be different)
/opt/splunk/etc/apps/MikroTik/default

Create these files:

props.conf
```
[source::tcp:514]
TRANSFORMS-force_mikrotik = force_mikrotik

[source::udp:514]
TRANSFORMS-dns=remove_dns_query,remove_dns_answer
TRANSFORMS-force_mikrotik = force_mikrotik

[syslog]
TRANSFORMS-force_mikrotik = force_mikrotik

[mikrotik]
SHOULD_LINEMERGE = false
EXTRACT-mikrotik_ip_accounting = ^(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<dest_ip>\d+\.\d+\.\d+\.\d+)\s(?<byte>\d+)\s(?<packet>\d+)
EXTRACT-mikrotik_modul_status = ^(?<module>[^\s,]+)(,|)(?<info1>.*?)(,|)(?<severity>(debug|info|warning|critical)|)(,(?<info2>(packet|account|state|calc|event))|\s)
EXTRACT-mikrotik_ssh_user = ^ssh,debug .*(user|auth req):\s(?<user>\S+)\s
EXTRACT-mikrotik_system_info = ^system,info,account .*user\s(?<user>\S+)\slogged in from\s(?<user_location>\S+)\svia\s(?<user_system>\S+)
EXTRACT-mikrotik_system_action = ^system,info .*:\s(?<change>.*)\s(?<action>[\S]+)\sby\s(?<user>\S+)
EXTRACT-mikrotik_firewall_info1 = ^firewall,info.*?(|rule_(?<rule>\d+))\s(?<chain>(srcnat|dstnat|input|output|forward)):\sin:(?<in_if>\S+)\sout:(?<out_if>\S+),\ssrc-mac\s(?<src_mac>\S+),\sproto\s(?<protocol>[^ ,]+)[^\d]+(?<src_ip>[^:]+):(?<src_port>[^-]+)->(?<dest_ip>[^:]+):(?<dest_port>[^,]+),\s(NAT.*|)len\s(?<length>\d+)
EXTRACT-mikrotik_dns_src = dns,packet.*from\s(?<src_ip>[^:]+):(?<src_port>\d+)
EXTRACT-mikrotik_dns_site = dns,packet.*question:\s(?<site1>[^:]+):(?<site_type>[^:]+):(?<site_direction>[^:]+)
EXTRACT-mikrotik_dns_record_1 = dns.*query from\s(?<src_ip>[^:]+):\s#(?<ses_id>\d+)\s(?<site>\S+)\.\s(?<record_type>\S+)
EXTRACT-mikrotik_dns_record_2 = dns,packet.*\s<(?<site2>[^:]+):(?<record_type>[^:]+):(?<record_id>[^=]+)=(?<record_info>[^>]+)
EXTRACT-mikrotik_l2tp_src_ip = first L2TP UDP packet received from\s(?<src_ip>\S+)
EXTRACT-mikrotik_pptp_src_ip = TCP connection established from\s(?<src_ip>\S+)
EXTRACT-mikrotik_user_logged_in_1 = (?<user>\S+)\slogged in(,| from)\s(?<user_ip>\S+)(\svia\s(?<system>\S+)|)
EXTRACT-mikrotik_user_logged_in_2 = login failure for user\s(?<user>\S+)\sfrom\s(?<user_ip>\S+)(\svia\s(?<system>\S+)|)
```

transforms.conf
```
[force_mikrotik]
DEST_KEY = MetaData:Sourcetype
REGEX = \sMikroTik:\s
FORMAT = sourcetype::mikrotik
```

eventtypes.conf
```
[ssh_user_authorized]
search = "ssh,debug * user: * authorized"

[ssh_user_auth_req]
search = "ssh,debug * auth req:"

[dns_got_query]
search = "dns,packet * got query from"

[dns_query]
search = "dns* query from*#"

[dns_question]
search = "dns,packet * question:"

[dns_reply]
search = "dns,packet * <*:*:*=*>"

[dhcp_doman_server]
search = "dhcp,debug,packet * Domain-Server ="

[dhcp_received_request]
search = "dhcp,debug,packet * DHCP-Inside received request with id"

[l2tp_connection_from]
search = "l2tp,info MikroTik: first L2TP UDP packet received from"

[l2tp_user_logged_in]
search = "l2tp,ppp,info,account* logged in,"

[pptp_connection_from]
search = "pptp,info* TCP connection established from"

[pptp_user_logged_in]
search = "pptp,ppp,info,account* logged in,"

[adm_user_logged_in]
search = "system,info,account* user * logged in from * via"

[adm_user_login_failure]
search = "system,error,critical* login failure for user * from * via"
```
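As an added example (my own code, not Jotne's app or Splunk's): the script below applies three of the props.conf extractions above, plus the force_mikrotik prefix test from transforms.conf, to sample events and then reproduces the live-attack dashboard's `top limit=0 dest_port` for one drop rule. The first firewall line and the DHCP line are sample lines Jotne posts later in this thread; the other events, and the `DHCP_ASSIGNED` regex, are my own constructions and assumptions about the log format.

```python
import re
from collections import Counter

# Extractions quoted from the thread's props.conf (Splunk/PCRE named-group syntax).
SPLUNK_EXTRACTIONS = {
    "module_status": r"^(?<module>[^\s,]+)(,|)(?<info1>.*?)(,|)(?<severity>(debug|info|warning|critical)|)(,(?<info2>(packet|account|state|calc|event))|\s)",
    "firewall": r"^firewall,info.*?(|rule_(?<rule>\d+))\s(?<chain>(srcnat|dstnat|input|output|forward)):\sin:(?<in_if>\S+)\sout:(?<out_if>\S+),\ssrc-mac\s(?<src_mac>\S+),\sproto\s(?<protocol>[^ ,]+)[^\d]+(?<src_ip>[^:]+):(?<src_port>[^-]+)->(?<dest_ip>[^:]+):(?<dest_port>[^,]+),\s(NAT.*|)len\s(?<length>\d+)",
    "login_failure": r"login failure for user\s(?<user>\S+)\sfrom\s(?<user_ip>\S+)(\svia\s(?<system>\S+)|)",
}
# transforms.conf [force_mikrotik]: only events carrying the exact " MikroTik: " prefix
# become sourcetype=mikrotik; this is why the first post insists on that spelling.
FORCE_MIKROTIK = r"\sMikroTik:\s"
# Assumption: my own extraction for the "DHCP-Inside assigned <ip> to <mac>" line (not in the thread).
DHCP_ASSIGNED = r"assigned\s(?<ip>\d+\.\d+\.\d+\.\d+)\sto\s(?<mac>[0-9A-Fa-f:]{17})"


def pcre_to_python(pattern):
    """Splunk uses PCRE named groups (?<name>...); Python's re needs (?P<name>...)."""
    return re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern)


COMPILED = {name: re.compile(pcre_to_python(p)) for name, p in SPLUNK_EXTRACTIONS.items()}
COMPILED["dhcp_assigned"] = re.compile(pcre_to_python(DHCP_ASSIGNED))
FORCE_RE = re.compile(FORCE_MIKROTIK)


def route_sourcetype(raw):
    """Mimic the force_mikrotik transform: sourcetype mikrotik only with the exact prefix."""
    return "mikrotik" if FORCE_RE.search(raw) else "syslog"


def extract_fields(raw):
    """Apply every [mikrotik] extraction to one raw event and merge the groups that matched."""
    fields = {"sourcetype": route_sourcetype(raw)}
    if fields["sourcetype"] != "mikrotik":
        return fields  # the [mikrotik] stanza never runs on events left as plain syslog
    for rx in COMPILED.values():
        m = rx.search(raw)
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v not in (None, "")})
    # The thread notes RouterOS mixes MAC case between modules; normalise before grouping.
    for key in ("src_mac", "mac"):
        if key in fields:
            fields[key] = fields[key].lower()
    return fields


def top_dest_ports(events, rule="10", chain="input"):
    """The live-attack dashboard's `top limit=0 dest_port` for one drop rule, as (port, proto)."""
    counts = Counter(
        (f["dest_port"], f["protocol"])
        for f in map(extract_fields, events)
        if f.get("rule") == rule and f.get("chain") == chain
    )
    return counts.most_common()


SAMPLE_EVENTS = [
    # first and sixth line quoted from Jotne's later post; the rest are constructed for this example
    "firewall,info MikroTik: rule_11 dstnat: in:ether2-master out:(none), src-mac d0:e7:82:d6:71:b5, proto UDP, 10.10.10.132:44407->8.8.8.8:53, len 60",
    "firewall,info MikroTik: rule_10 input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto TCP (SYN), 198.51.100.7:51000->203.0.113.2:22, len 60",
    "firewall,info MikroTik: rule_10 input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto TCP (SYN), 198.51.100.9:40211->203.0.113.2:22, len 60",
    "firewall,info MikroTik: rule_10 input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 198.51.100.7:4444->203.0.113.2:500, len 120",
    "system,error,critical MikroTik: login failure for user admin from 198.51.100.7 via ssh",
    "dhcp,info MikroTik: DHCP-Inside assigned 10.10.10.252 to AC:BA:54:00:FE:CC",
    # wrong prefix case: stays sourcetype=syslog and silently drops out of every dashboard
    "firewall,info mikrotik: rule_10 input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto UDP, 198.51.100.7:4444->203.0.113.2:500, len 120",
]

if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract_fields(raw))
    print(top_dest_ports(SAMPLE_EVENTS))
```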
felix84
just joined
Posts: 8
Joined: Thu Feb 09, 2017 4:13 pm

### Re: Using Splunk to analyse MikroTik logs

Thanks a lot for sharing! It's a good point to start using Splunk with MikroTik.

blacksun77
just joined
Posts: 2
Joined: Fri Feb 10, 2017 10:45 am
Location: heaven

### Re: Using Splunk to analyse MikroTik logs

Can you graph data usage by MAC address?

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Yes, as long as MikroTik sends out any information to Splunk you can graph it.
Here are some examples of where the MAC is used.
```
firewall,info MikroTik: rule_11 dstnat: in:ether2-master out:(none), src-mac d0:e7:82:d6:71:b5, proto UDP, 10.10.10.132:44407->8.8.8.8:53, len 60
firewall,info MikroTik: rule_99 input: in:ether1 out:(none), src-mac 00:05:00:01:00:01, proto TCP (RST), 81.xx.xx.210:443->92.xx.xxx.134:52490, len 40
dhcp,info MikroTik: DHCP-Inside assigned 10.10.10.252 to AC:BA:54:00:FE:CC
```
But here I see something MikroTik should fix. Use upper or lower case on the MAC, not both....

With this I can graph stuff by MAC. Since we have a connection between MAC and IP, you can store it in a db within Splunk and then later use it as a lookup for other stuff.

fahmad
just joined
Posts: 3
Joined: Sun Feb 26, 2017 1:30 pm

### Re: Using Splunk to analyse MikroTik logs

Hello Jotne,

Can you please share your complete application?

Thank you.

scloutier
just joined
Posts: 5
Joined: Wed Jun 15, 2016 6:33 pm

### Re: Using Splunk to analyse MikroTik logs

Would also love if you could share your views.

Thanks
Simon

YuriS
just joined
Posts: 6
Joined: Thu Jul 13, 2017 2:29 pm
Location: Europe

### Re: Using Splunk to analyse MikroTik logs

Would you kindly tell me what and how I must configure from Splunk's side? It's fully unclear for me....
Thanks in advance
Best regards,
Yuri.

salehko
just joined
Posts: 3
Joined: Fri Feb 05, 2016 1:42 am

### Re: Using Splunk to analyse MikroTik logs

Good job! I have successfully installed it and now everything is fine! But I couldn't find some of the options as you captured, for example "Input Interface" and so on... What about SNMP grabbing as you mentioned?

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Here is what I use to get some SNMP information from the MikroTik:

inputs.conf
```
[snmp://MikroTik-info]
communitystring = public
destination = 10.10.10.1
do_bulk_get = 0
do_get_subtree = 1
ipv6 = 0
object_names = 1.3.6.1.4.1.14988.1.1.3
port = 161
snmp_mode = attributes
snmp_version = 2C
sourcetype = mikrotik
split_bulk_output = 1
trap_rdns = 0
v3_authProtocol = usmHMACMD5AuthProtocol
v3_privProtocol = usmDESPrivProtocol
```
It runs every 60 seconds (default) and gets the environment tree.
http://www.mibdepot.com/cgi-bin/getmib3 ... =v2&t=tree

You can use it to get any SNMP data you like. E.g. interface statistics.

PS You need the SNMP input module: https://splunkbase.splunk.com/app/1537/

salehko
just joined
Posts: 3
Joined: Fri Feb 05, 2016 1:42 am

### Re: Using Splunk to analyse MikroTik logs

Jotne, please contact me, I have a business offer for you about Splunk
ICQ: 716330332
Skype: salivan sha

> Here is what I use to get some SNMP information from the MikroTik:

Juliette64
just joined
Posts: 2
Joined: Tue Sep 05, 2017 5:50 am

### Re: Using Splunk to analyse MikroTik logs

Hi Jotne,

I myself am a Splunk enthusiast and I actually apply the tool at work. I'm also a new MikroTik user as I've just purchased a hAP ac and now would love to play around by Splunking some router logs. I noticed that you've already created an app; I'm assuming it's your private app as I've tried searching in the Splunk app repository and was not able to find it. I'm wondering if you would help the Splunk community out by contributing and uploading your app to the Splunk app database and making it public and available.

Regards,
Eddy

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

The Splunk app does not have the quality (yet) for sharing publicly. But I can send it to you, if you like.

fahmad
just joined
Posts: 3
Joined: Sun Feb 26, 2017 1:30 pm

### Re: Using Splunk to analyse MikroTik logs

Hey Jotne,

> The Splunk app does not have the quality (yet) for sharing publicly. But I can send it to you, if you like.

Can you please send me the Splunk app also?

Thank you.

Wallace33
just joined
Posts: 3
Joined: Sat Sep 02, 2017 1:30 pm

### Re: Using Splunk to analyse MikroTik logs

Hello

Can you graph data usage by MAC address?

Regards
James

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

I have not seen a way to do it. But maybe there is a way I have not seen.
Juliette64
just joined
Posts: 2
Joined: Tue Sep 05, 2017 5:50 am

### Re: Using Splunk to analyse MikroTik logs

Hi Jotne,

Actually I changed my mind. As I said, I'm a student of the game; the best learning is DIY practice, practice and more practice, as opposed to copying someone's work =)
I'm already seasoned in Splunk with panels/views/search/charting etc., just wouldn't mind a little guidance with MikroTik as I'm new to this router.

I have thus far:
- enabled Splunk Data input UDP / manual source type - syslog
- added a new rule for !ups as directed previously / prefixed with RouterOS / Action remote
- defined default 'remote' in the actions tab to send to my static NAT'ed address, port 514, BSD Syslog checked, syslog facility = syslog

1) What was it that you mentioned previously, that you had to turn on logging in your firewall rules? Why? Aren't you already capturing every event when you defined !ups?
2) Why did you choose to set up transforms in the conf files as opposed to key-value pairs in actual Splunk settings?
3) I'm healthily ingesting everything; however, surprisingly the logs are not classified/tagged with the appropriate source event/topic triggers (i.e. firewall, interface, wireless, system...). Is this why you mentioned you help define certain triggers by "I give all log rule and nat rule different number. Then its easy to see in Splunk what rule that block the data."?

vhgomez78
just joined
Posts: 1
Joined: Sat Sep 23, 2017 12:05 am

### Re: Using Splunk to analyse MikroTik logs

> The Splunk app does not have the quality (yet) for sharing publicly. But I can send it to you, if you like.

Hi, can you send me the app? Thanks!

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

I post the files here, but there may be some work to get this working.
You need to change all places where I have the internal net 10.10.10.x to your net.
The SNMP plugin needs to be installed for Splunk to get SNMP data.
Also there are settings on the MikroTik to make it send syslog to a remote host.

Setup logging external:
-----------------------------
System->Logging->Action add
Name: some name for the server getting syslog
Type: remote
Remote Address: your Splunk server
Remote port: 514

Get your MikroTik to send logging:
------------------------------
System->Logging->Rules
Topics: !debug !snmp
Prefix: MikroTik
Action: remote

There may be more I have forgotten, so you must take this as a beta.

UNiXMIT
newbie
Posts: 29
Joined: Fri Jan 22, 2016 10:19 pm

### Re: Using Splunk to analyse MikroTik logs

Looks great. Is this the Splunk Cloud? I can't find the MikroTik app for Splunk Cloud, only for Splunk Enterprise.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

This is not a public app, just a home project. I do use Splunk Enterprise Free.
The "Splunk For Mikrotik" on Apps for Splunk Enterprise is not mine, and it's just the start of a project without any usefulness.

fahmad
just joined
Posts: 3
Joined: Sun Feb 26, 2017 1:30 pm

### Re: Using Splunk to analyse MikroTik logs

Hello Jotne,

You did a great job. Thank you.

xoff
just joined
Posts: 2
Joined: Fri Oct 27, 2017 1:26 am

### Re: Using Splunk to analyse MikroTik logs

> Looks great. Is this the Splunk Cloud? I can't find the MikroTik app for Splunk Cloud, only for Splunk Enterprise.

Splunk Cloud doesn't have a free tier; Splunk Enterprise (running locally on your own hardware) does. It's 500MB/day, which is a LOT of data.
xoff
just joined
Posts: 2
Joined: Fri Oct 27, 2017 1:26 am

### Re: Using Splunk to analyse MikroTik logs

> This is not a public app, just a home project. I do use Splunk Enterprise Free. The "Splunk For Mikrotik" on Apps for Splunk Enterprise is not mine, and it's just the start of a project without any usefulness.

I've tried to reach out to the author of that to no avail. If you're interested in submitting the App, let me know; I'm a Splunk Admin professionally and have published Apps before. Great work!

caradoc
just joined
Posts: 4
Joined: Sat Oct 28, 2017 12:19 am

### Re: Using Splunk to analyse MikroTik logs

> The "Splunk For Mikrotik" on Apps for Splunk Enterprise is not mine, and it's just the start of a project without any usefulness.

Oh, I think it's useful as heck. All it needs is a proxy analyzer to go with the DNS analysis (preferably with a way to define domains/sites that are not supposed to be accessed through that router) and the clients that are making the requests, and you've got something pretty solid here. If you were to define your networks as variables, you wouldn't have to go modifying them all over the place, either.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

I will try to clean it up some. Then we can see what we do with it.

caradoc
just joined
Posts: 4
Joined: Sat Oct 28, 2017 12:19 am

### Re: Using Splunk to analyse MikroTik logs

> I will try to clean it up some. Then we can see what we do with it.

I'm in the middle of rebuilding my proxy log parser. Once I've gotten closer to what I had before my utterly failed migration, I'll share that with you. There are several Splunk apps that can do wonders with URL/URI parsing, but I think the URL Toolbox is probably one of the better ones.
https://splunkbase.splunk.com/app/2734/

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Here is a dashboard for the web proxy:
```xml
<form>
  <label>MikroTik Web Proxy</label>
  <fieldset submitButton="false">
    <input type="time" token="global_time">
      <label>Time frame</label>
      <default>
        <earliest>-60m@m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="src_ip">
      <label>Host</label>
      <choice value="*">any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>src_ip</fieldForValue>
      <search>
        <query>sourcetype=mikrotik module="web-proxy" action="$action$" | lookup dnslookup clientip as src_ip OUTPUT clienthost as src_host | eval src_host=if(isnull(src_host),src_ip,src_host) ,src_ip_split=split(src_ip,".") ,l_ip=mvindex(src_ip_split,3) | top limit=0 src_host src_ip l_ip | eval info=src_host.".".l_ip." (".count.")" | sort - count</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
      </search>
      <default>*</default>
    </input>
    <input type="dropdown" token="action">
      <label>Action</label>
      <choice value="*">any</choice>
      <fieldForLabel>info</fieldForLabel>
      <fieldForValue>action</fieldForValue>
      <search>
        <query>sourcetype=mikrotik module="web-proxy" src_ip="$src_ip$" | top limit=0 action | eval info=action." (".count.")" | sort - count</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
      </search>
      <default>*</default>
    </input>
    <input type="radio" token="site" searchWhenChanged="true">
      <label>Site info</label>
      <choice value="site_info">Simple</choice>
      <choice value="url2">Medium</choice>
      <choice value="url">Full</choice>
      <default>site_info</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>sourcetype=mikrotik module="web-proxy" src_ip="$src_ip$" action="$action$" | lookup dnslookup clientip as src_ip OUTPUT clienthost as src_host | eval src_host=if(isnull(src_host),src_ip,src_host) ,site_split=split(url,"/") ,To_count=mvcount(site_split) ,url2=mvindex(site_split,2) ,site_split2=split(url2,".") ,To_count2=mvcount(site_split2) ,site_dom=mvindex(site_split2,To_count2-1) ,site_info=mvindex(site_split2,To_count2-2) | rex field=url2 "(?<test>\d+\.\d+\.\d+\.\d+)" | eval site_info = if(isnotnull(test),test,site_info) | top src_ip src_host $site$ action limit=0</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <format type="color" field="action">
          <colorPalette type="map">{"allow":#65A637,"history":#A2CC3E,"firstNew":#6DB7C6}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</form>
```
You need this in props.conf
EXTRACT-mikrotik_web-proxy = ^web-proxy,account\s\S+\s(?<src_ip>\d+\.\d+\.\d+\.\d+)\s(?<status>\w+)(\s(?<id>\d+))?\s(?<url>\S+)
Last edited by Jotne on Sun Oct 29, 2017 2:06 am, edited 1 time in total.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk
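As an added example (not code from the thread or from Jotne's app), the Python below applies the props.conf EXTRACT regex from the post above to constructed web-proxy lines and reproduces the dashboard's site_info derivation and its `top src_ip site_info action` table offline. The sample lines, the token the regex skips after "account", and the trailing key=value pairs are assumptions; the dnslookup step is left out since it needs DNS.

```python
"""Offline re-creation of the props.conf extraction and the web-proxy
dashboard logic from the thread. Added example, not part of the app."""
import re
from collections import Counter

# The EXTRACT regex from the props.conf line in the post, unchanged except
# that Python spells named groups (?P<name>...) instead of (?<name>...).
WEB_PROXY_RE = re.compile(
    r"^web-proxy,account\s\S+\s(?P<src_ip>\d+\.\d+\.\d+\.\d+)\s"
    r"(?P<status>\w+)(\s(?P<id>\d+))?\s(?P<url>\S+)"
)

# Splunk extracts trailing key=value pairs (action=allow, cache=MISS) on its
# own; this mimics that for the "action" field the dashboard filters on.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines, not real router output. The token after
# "account" (conn-N here) stands for whatever the device writes there; the
# regex skips it with \S+. The last line is a non-proxy event.
SAMPLE_LINES = [
    "web-proxy,account conn-1 192.168.88.10 GET 200 http://www.example.com/index.html action=allow cache=MISS",
    "web-proxy,account conn-2 192.168.88.10 GET http://www.example.com/logo.png action=allow cache=HIT",
    "web-proxy,account conn-3 192.168.88.11 GET 200 http://10.0.0.5/api/status action=allow cache=MISS",
    "web-proxy,account conn-4 192.168.88.12 GET http://ads.tracker.example.net/pixel.gif action=deny",
    "web-proxy,account conn-5 192.168.88.12 GET http://intranet/ action=allow",
    "web-proxy,account conn-6 192.168.88.12 CONNECT localhost:443 action=allow",
    "dns,packet query from 192.168.88.10: #1234 example.com. A",
]


def extract_fields(line):
    """Return the fields the EXTRACT regex yields for one line (plus any
    trailing key=value pairs), or None when the line is not a proxy event."""
    m = WEB_PROXY_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()          # src_ip, status, id (may be None), url
    fields.update(KV_RE.findall(line[m.end():]))
    return fields


def site_info(url):
    """The dashboard's 'Simple' site label, step by step as in the SPL eval:
    split(url,"/") -> mvindex 2 gives the host; split(host,".") -> the
    second-to-last label; an IP host is kept whole (the 'no DNS name' fix)."""
    parts = url.split("/")          # site_split=split(url,"/")
    if len(parts) < 3:              # mvindex(site_split,2) is null if out of range
        return None
    host = parts[2]                 # url2
    ip = re.search(r"\d+\.\d+\.\d+\.\d+", host)   # rex field=url2 "(?<test>...)"
    if ip:
        return ip.group(0)          # site_info=if(isnotnull(test),test,site_info)
    labels = host.split(".")        # site_split2
    # mvindex(site_split2,To_count2-2): for a single label the index is -1,
    # which SPL reads as the last element, so the label itself comes back.
    return labels[-2] if len(labels) >= 2 else labels[-1]


def top_sites(lines):
    """Equivalent of `top src_ip site_info action limit=0`: one row per
    (src_ip, site_info, action) tuple, most frequent first."""
    counts = Counter()
    for line in lines:
        fields = extract_fields(line)
        if fields is None:
            continue                # other log modules are not counted
        key = (fields["src_ip"], site_info(fields["url"]), fields.get("action"))
        counts[key] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (src_ip, site, action), count in top_sites(SAMPLE_LINES):
        print(f"{src_ip:<15} {str(site):<12} {str(action):<6} {count}")
```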

caradoc
just joined
Posts: 4
Joined: Sat Oct 28, 2017 12:19 am

### Re: Using Splunk to analyse MikroTik logs

Were you already working on that, or did you just freehand it after I mentioned it?

That's... astonishing.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

I did make it some days ago. I think I used one hour or two to make it.
When you have created many dashboards, you just copy another one and make some changes.
But since most of the surfing is using HTTPS, you do not get much valuable data.

PS: fixed the script to cope with sites that do not have a DNS name.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Post #1 updated with a tutorial on how to get it working.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

caradoc
just joined
Posts: 4
Joined: Sat Oct 28, 2017 12:19 am

### Re: Using Splunk to analyse MikroTik logs

Post #1 updated with a tutorial on how to get it working.
Nice. I think you need to talk to xoff about getting this published through the Splunk Appbase.

karlisi
Member
Posts: 366
Joined: Mon May 31, 2004 8:09 am
Location: Latvia

### Re: Using Splunk to analyse MikroTik logs

Took a little test yesterday. Great tool for log analysis. One big problem with the free licence: no email alerts.
---
Karlis

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

One big problem for free licence, no email alerts
I agree with you.
There is a workaround. You can request a 6 month Developer licence.
It's free, and you get full functionality for 6 months.
10GB/day
Alerts
+++
But it's only for 6 months....

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

vanduf
just joined
Posts: 1
Joined: Mon Dec 18, 2017 10:06 pm

### Re: Using Splunk to analyse MikroTik logs

Where's the "Mikrotik.zip" file? The attachment does not exist anymore. Could you send it again?

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

I have added the file, so it should work now.
Why it stopped working, I do not know.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

Tawfiq
just joined
Posts: 2
Joined: Wed Apr 11, 2007 6:24 pm

### Re: Using Splunk to analyse MikroTik logs

wow !! you did a great job. I've implemented it. Firewall data usage is not working for me. You mentioned to use the private key. Which one is the private key? All I can see is id_dsa and id_dsa.pub

sindy
Forum Guru
Posts: 7285
Joined: Mon Dec 04, 2017 9:19 pm

### Re: Using Splunk to analyse MikroTik logs

wow !! you did a great job. I've implemented it. Firewall data usage is not working for me. You mentioned to use the private key. Which one is the private key? All I can see is id_dsa and id_dsa.pub
The .pub stands for public, which you place on the servers to which you want to log in without entering a password.
So you normally generate the pair of private and public keys at the client machine in the ~/.ssh/ directory of the user from which you are going to log in to the server, and copy only the .pub file to the server (the Mikrotik in this case). As @Jotne says to copy the private key to Mikrotik/bin on the Splunk machine, that would be the id_dsa file without the .pub suffix.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.

Tawfiq
just joined
Posts: 2
Joined: Wed Apr 11, 2007 6:24 pm

### Re: Using Splunk to analyse MikroTik logs

Yeah thanks. But even so Mikrotik asks for a password. So I found a different way to do it. Everything is working fine except the DNS logs. It was working; since I made changes, I think, the DNS logs are not getting in.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

DNS logs come from Syslog, so if you get other syslog data, you should also get DNS.
What is your logging settings?

I have two settings in my remote syslog settings.
add action=remote prefix=MikroTik topics=dhcp
add action=remote prefix=MikroTik topics=!debug,!snmp
First line sends all DHCP messages, including debug messages.

Second line sends all messages that are not debug nor SNMP.
I do not need the SNMP, nor the debug messages from other modules.
This gives me logs from other modules like DNS, Firewall, System, upnp, Interface etc.

PS, I am working on a new version that gives log information for both wireless and hotspot.
Since hotspot only shows messages for logout by default, you should also get debug messages from it as well and do like this:
add action=remote prefix=MikroTik topics=dhcp,hotspot
add action=remote prefix=MikroTik topics=!debug,!snmp

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MikroTikFan
Member Candidate
Posts: 200
Joined: Sat Aug 02, 2014 1:13 am

### Re: Using Splunk to analyse MikroTik logs

@Jotne
I like your solution and examples in Splunk . I think that I followed your instruction, but I still have in Mikrotik App

"No results found."

Can you please help me to find what I'm doing wrong ?

Thanks in advance.
Sure I will do.

Setup where the logging should go:
System->Logging->Action->remote
Type:Remote
Remote Address: your Splunk or other logging servers IP
Remote port: 514 (default)

Then you setup what to log.
System->Logging->Rules->Add new
Enabled x
Topics: !ups (note the "!": I log all but not ups. This is a trick to get all)
Prefix: MikroTik (I set this so that all is tagged MikroTik in the syslog)
Action: Remote (Send to syslog server)

You can also add logging of firewall.
Example last rule that blocks all that is not allowed:
10 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=yes log-prefix="rule_10"

Here I have set log=yes and log-prefix="rule_10"
I give all log rules and nat rules different numbers. Then it is easy to see in Splunk which rule blocked the data.

I have also added a module for Splunk so that it can read SNMP.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Splunk should receive data if Mikrotik is correctly set up, even if the Mikrotik app is not installed.

What is important.

1. Make sure your device sends syslog messages.
add name=Server_Name remote=192.168.1.x target=remote
add action=remote prefix=MikroTik topics=dhcp,hotspot
add action=remote prefix=MikroTik topics=!debug,!snmp

This should send at least information on changes and some other logs.

2. Make sure no fw blocks the data entering your server.

3. Enable Splunk to receive the syslog

Then a search like this should give you data.
http://your-server:8000/en-GB/app/search/search?q=search%20*

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MikroTikFan
Member Candidate
Posts: 200
Joined: Sat Aug 02, 2014 1:13 am

### Re: Using Splunk to analyse MikroTik logs

Sure, that's all is working.
I see this data in splunk stream and I can browse them.

The problem is that on Mikrotik Application there is nothing.
Same problem like before : "No results found."

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Go to search and write * to do a general search.
Paste some lines here, so I can see what it looks like.

You may not have tagged rules with MikroTik (NB upper M and upper T)
prefix=MikroTik

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MikroTikFan
Member Candidate
Posts: 200
Joined: Sat Aug 02, 2014 1:13 am

### Re: Using Splunk to analyse MikroTik logs

Thanks!
Yes, "Mikrotik" vs. "MikroTik" - works, with following :
- MikroTik DNS Live usage
- MikroTik DNS request
- MikroTik Firewall

but is not working with following:
- MikroTik Volt/Temperature
- MikroTik Live attack - I have to add name to rule "FW_Drop_all_from_WAN"
- MikroTik Web Proxy - but currently I'm not using proxy
- MikroTik DHCP request - where to add debug messages?
- Mikrotik DHCP pool information - how to run ?
- MikroTik remote connection - like VPN ?
- MikroTik Firewall data usage - SSH ? (how to run this?)
- MikroTik uPnP - SSH (how to run this?)

Can you please advise me how to run this ?

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

For lots of the stuff you are missing some rules.
That is partly my fault; that data depends on rules that need names.

Click on the magnifying glass under the graph and see where the data is coming from.

Live logs need a rule with correct name, look at search. (third line)
sourcetype=mikrotik
module=firewall
rule=FW_Drop_all_from_WAN
| search dest_port=*
| lookup dnslookup clientip as src_ip OUTPUT clienthost as src_host
| iplocation src_ip
| eval City=if(isnull(City) OR City="", "Unknown", City)
,src_host=if(isnull(src_host) OR src_host="", src_ip, src_host)
,info=src_host."-".City."-".Country."-".dest_port.":".protocol
| geostats globallimit=0 count by info
Live log needs this as the last FW rule.
add action=drop chain=input comment="Drop all from WAN " in-interface=ether1-Wan log=yes log-prefix=FW_Drop_all_from_WAN
Volt/Temperature
source="snmp://MikroTik-info"
Needs SNMP working. (Splunk asks using SNMP to get data)

DHCP request
Seems that something has changed in MikroTik logging, so remove the logging rules and change to
add action=remote prefix=MikroTik topics=!debug,!snmp
DHCP pool information
Need SNMP to work

MikroTik Remote connection.
This should show VPN, but something has changed in the logging.
Remove "severity=info" from the section "3. VPN logged in ok"

SSH is explained in the first post.
-----------------
Get data from MikroTik with SSH (does only work with Linux Splunk version)
https://wiki.mikrotik.com/wiki/Use_SSH_ ... key_login)
Add the private key to the folder: MikroTik\bin
Change script in MikroTik\bin to use correct key and IP

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

diegoM
just joined
Posts: 1
Joined: Sun Mar 18, 2018 1:55 pm

### Re: Using Splunk to analyse MikroTik logs

Hi Jotne,

Can you please update the links to download, they really don't work, and congratulations for this great job!!

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Link in first post works fine.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

AnupamPradhan
newbie
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

### Re: Using Splunk to analyse MikroTik logs

@Jotne,

Can you please help me setup log analyze for hotspot user.

viewtopic.php?f=2&t=134530

philamonster
just joined
Posts: 13
Joined: Mon Apr 03, 2017 4:08 am

### Re: Using Splunk to analyse MikroTik logs

...

DHCP pool information
Need SNMP to work
...

First, thank you for all the work you have done.

All views are working with the exception of DHCP pool info. mikrotik_dhcp_pool_information.sh seems to be calling a script that simply doesn't exist on my MikroTik device:
/system script run DHCP-Pool-information

As per your reply above, SNMP is working as I get volt/temp info after editing defaults/inputs.conf to match my device. I don't see any info in first post about adding the above script to RouterOS. Where might I get that code?

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

My fault, I simply forgot that there was a script involved.
Updated first post.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

AnupamPradhan
newbie
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

### Re: Using Splunk to analyse MikroTik logs

Hi Jotne,

Can you please help me setup log analyze for hotspot user.

viewtopic.php?f=2&t=134530

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

What is wrong with the "MikroTik Hotspot login/logout information" in the app?
Is there something that does not work?

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

Hello to the whole community.
Jotne thank you very much for all your work, the truth is great.
I was able to make almost everything work. I just can not make the following work:
MikroTik uPnP
MikroTik Firewall data usage
Mikrotik DHCP pool information

The rest works well for me. I created the dsa certificate and I imported it in the mikrotik, but when using the private key to connect to the mikrotik, it always asks for a password. The user created in the mikrotik for the use of ssh has no password and neither the certificate is created with a password. I can not make it work anyway. something similar happened to you, you could solve it. Who can guide me in this. Thank you very much.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

You are welcome.

You need to get this to work:
https://wiki.mikrotik.com/wiki/Use_SSH_ ... y_login%29
It shows all steps needed to perform. If the example does not work, then Splunk will not work either.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

You are welcome.

You need to get this to work:
https://wiki.mikrotik.com/wiki/Use_SSH_ ... y_login%29
It shows all steps needed to perform. If the example does not work, then Splunk will not work either.
Hello, thanks for answering. I tried that tutorial but I can not make it work as indicated in that tutorial.
But after many trials and errors, I managed to make it work using RSA 2048 keys generated with Puttygen. After this I tried to use the bash script that is in /opt/splunk/etc/apps/MikroTik/bin and it runs fine but it does not bring me any information for the modules:
MikroTik Firewall data usage
Mikrotik DHCP pool information
MikroTik uPnP

I do not know if I needed to create some rule or something else in the mikrotik because I can not make these modules work. The one that interests me the most is the MikroTik Firewall data usage. Could you guide me a little more ?. Thank you.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Look in this folder:

splunk/etc/apps/MikroTik/bin

There you should have these files:

dsa_mikrotik_private
mikrotik_accounting.sh
mikrotik_dhcp_pool_information.sh
mikrotik_upnp.sh

When in the bin folder run the DHCP script like this:
./mikrotik_dhcp_pool_information.sh

You should now see what is going on. If all is ok, you should see the DHCP information.

It is important that the private dsa key is in this folder, if not the script will not connect.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

Look in this folder:

splunk/etc/apps/MikroTik/bin

There you should have these files:

dsa_mikrotik_private
mikrotik_accounting.sh
mikrotik_dhcp_pool_information.sh
mikrotik_upnp.sh

When in the bin folder run the DHCP script like this:
./mikrotik_dhcp_pool_information.sh

You should now see what is going on. If all is ok, you should see the DHCP information.

It is important that the private dsa key is in this folder, if not the script will not connect.
Thanks to this I found that in addition to the files that you mentioned, I had to change the user and execution group to which the splunk application belonged in order to make the connection by ssh. But the module that I need, MikroTik Firewall data usage, still does not work.
Could you show me how the information comes to you, because I can not find what it could be.

Here I show you a print of how the query is configured according to what the tutorial indicates
each query with the private ip range corresponding to my internal network.

And here is the result of executing the mikrotik_accouting script from the console.

It does not bring anything when executing this script so please check if you had a rule or something else that allows you to collect the metric of this module.
if you can, you can send me an image of what you have to do with the execution of that script to see and orient me. I thank you very much for your time and patience.

chechito
Forum Guru
Posts: 1775
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

### Re: Using Splunk to analyse MikroTik logs

keep in mind logging uses CPU resources, if you log very frequent actions you will have significant increase on CPU usage

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

keep in mind logging uses CPU resources, if you log very frequent actions you will have significant increase on CPU usage
Yes, I know, but in my case my CPU usage is more than calm, and we'll see later.

chechito you use this app to monitor your mikrotik or some other?

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

I do not see your picture in your post, so can not see what is wrong.
But I did find some important thing that i did forget.

After you have copied the files to the splunk, you do need to do this.
NB!! files in folder splunk/etc/apps/MikroTik/bin needs to be executable. Do this:
chmod +x *.sh

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

I do not see your picture in your post, so can not see what is wrong.
But I did find some important thing that i did forget.

After you have copied the files to the splunk, you do need to do this.
NB!! files in folder splunk/etc/apps/MikroTik/bin needs to be executable. Do this:
chmod +x *.sh
Thanks for answering. i can see the picture. but anyway I give you the link of the image.

Here I show you a print of how the query is configured according to what the tutorial indicates
each query with the private ip range corresponding to my internal network.
http://subirimagen.me/uploads/20180627145629.jpg

And here is the result of executing the mikrotik_accouting script from the console.
http://subirimagen.me/uploads/20180627150139.jpg

what you mention of giving him permission to execute with chmod + x to the bash script, had already done it. All scripts are executed correctly. but when I run the mikrotik_accounting script it does not bring me information. That's why I asked you if you could show me an image of how you bring the information to you so I can have a clearer idea of what I may be missing.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Oops

It looks correct from the photo, so you got communication.

Found one more important setting that needs to be turned on. Accounting.
Web Gui
IP-> Accounting -> Enable Accounting -> mark - Apply
I have set threshold to 2560 (not sure what is default)

Updated 1st post.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

Oops

It looks correct from the photo, so you got communication.

Found one more important setting that needs to be turned on. Accounting.
Web Gui
IP-> Accounting -> Enable Accounting -> mark - Apply
I have set threshold to 2560 (not sure what is default)

Updated 1st post.
Yeah!!! Only that important configuration was missing. Now it shows me the traffic in the Firewall data usage module. Thank you very much, really an excellent job. I would like to learn more about the development of dashboards, what do you recommend?
threshold is 256 for default.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

You are welcome.
It's not always easy to recreate the steps done to get it to work.
I would love it if I could get these types of data using SNMP instead of a script, or the router could send it out as a bulk of data every x seconds to Syslog.

You should see what data you have and then try to figure out how to present it.
Dashboards are somewhat complicated but not too hard.
I always try out things in search to see what it may look like, then convert it to a dashboard.

I am thinking of adding a panel with CPU/memory/uptime etc.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

You are welcome.
It's not always easy to recreate the steps done to get it to work.
I would love it if I could get these types of data using SNMP instead of a script, or the router could send it out as a bulk of data every x seconds to Syslog.

You should see what data you have and then try to figure out how to present it.
Dashboards are somewhat complicated but not too hard.
I always try out things in search to see what it may look like, then convert it to a dashboard.

I am thinking of adding a panel with CPU/memory/uptime etc.
The truth is an excellent work and much more because you publish it that way without more that is much more admirable. I really do not know anything about this world of dashboards but I would love to learn a little more and your dashboard is a great help. If you need to try something more than what you implement, do not hesitate to tell me I think something could help you.

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

Jotne

Hi, I have a doubt. Is it normal for this graphic to show it that way?

http://subirimagen.me/uploads/20180629155928.jpg

because before he showed it to me like this:

http://subirimagen.me/uploads/20180629155744.jpg

Can you guide me what could be ?. Thank you

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

It has to do with the time schedule.
You could either sample more often, for example every minute instead of every 5 minutes. But this would then load the MikroTik more.
Or you could zoom out, showing a bigger time period. For example last 4 hours instead of last hour.

Your first graph goes from 5:25 to 5:35, only 30 minutes. It would then not draw a line.
Second graph shows last 24 hours.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

It has to do with the time schedule.
You could either sample more often, for example every minute instead of every 5 minutes. But this would then load the MikroTik more.
Or you could zoom out, showing a bigger time period. For example last 4 hours instead of last hour.

Your first graph goes from 5:25 to 5:35, only 30 minutes. It would then not draw a line.
Second graph shows last 24 hours.
Thanks, it works. I do not know what happened. I only restarted Splunk and it works again.

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

Hi Jotne:

Summing up, I already managed to make almost all the modules work. The only things that do not work for me are MikroTik uPnP and MikroTik Vol / Temperatur. In both modules it says "No results found."
For the MikroTik Vol / Temperatur module I performed the following:
In the Mikrotik - System - Logging - Topics: !snmp > Prefix: MikroTik > Action: Remote
In the Mikrotik - Ip - SNMP - Enable: yes - Trap Community: public - Trap version: 1.
In communities Name: public> Address: 192.168.1.237 (My splunk)

In the srv splunk the file inputs.conf was edited as follows:

http://subirimagen.me/uploads/20180706111352.jpg

From the splunk application, install the SNMP-Trap-listner module and it is configured as follows:

http://subirimagen.me/uploads/20180706110247.jpg

I do not know what else to configure, in the general search (* snmp) in splunk it appears:

http://subirimagen.me/uploads/20180706110646.jpg

With regard to the MikroTik uPnP module I performed the following:
In the mikrotik the access is configured by ssh and it works ok.
In the mikrotik IP - UPnP - Enable: yes - Interfaces: configured both Bridge-WifiLAN networks as internal and WAN1 as external interfaces. Even so, in splunk it says "No results found."

If it occurs to you that I may be missing, I would appreciate your help again.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

uPnP gets data from a script.
What do you get when run this from within linux
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_upnp.sh

Temperature is SNMP based
What do you get when search for
SNMP*
NB uppercase
What you did search for is the log for snmp message in the MikroTik log not for the SNMP message it get from SNMP module in Splunk.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

uPnP gets data from a script.
What do you get when run this from within linux
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_upnp.sh

Temperature is SNMP based
What do you get when search for
SNMP*
NB uppercase
What you did search for is the log for snmp message in the MikroTik log not for the SNMP message it get from SNMP module in Splunk.
Hi, it is true that the module gets data from a script. In my case when I execute the script I don't receive any data. I need to research more about firewall NAT dynamic rules.

With respect to the volt / temperatur module, I can not see anything in splunk, and I did all the configurations. When I do a general search with SNMP * I get the following.

http://subirimagen.me/uploads/20180710143146.jpg

for what I can see it brings me SNMP data from the log with the prefix MikroTik, but even so I do not see anything when I run the module.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

This is the log from SNMP, not the SNMP data. I always set it up so that I do not log snmp logs.

You should setup some like this:
 /system logging> print detail
Flags: X - disabled, I - invalid, * - default
0 X* topics=info prefix="" action=memory #default
1  * topics=error prefix="" action=memory  #default
2  * topics=warning prefix="" action=memory #default
3  * topics=critical prefix="" action=echo #default
4    topics=dhcp prefix="MikroTik" action=Logsrever
5    topics=hotspot prefix="MikroTik" action=Logserever
6    topics=!debug,!snmp prefix="MikroTik" action=Logserver
Here you see I ignore snmp logs.

Try Splunk> to monitor your MikroTik Router(s). Look at this page in how to set it up.

MikroTik->Splunk

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

This is the log from SNMP, not the SNMP data. I always set it up so that I do not log snmp logs.

You should setup some like this:
 /system logging> print detail
Flags: X - disabled, I - invalid, * - default
0 X* topics=info prefix="" action=memory #default
1  * topics=error prefix="" action=memory  #default
2  * topics=warning prefix="" action=memory #default
3  * topics=critical prefix="" action=echo #default
4    topics=dhcp prefix="MikroTik" action=Logsrever
5    topics=hotspot prefix="MikroTik" action=Logserever
6    topics=!debug,!snmp prefix="MikroTik" action=Logserver
Here you see I ignore snmp logs.
Yes i have that setting in my Logging configuration:
/system logging print detail
Flags: X - disabled, I - invalid, * - default
0  * topics=info prefix="" action=memory
1  * topics=error prefix="" action=memory
2  * topics=warning prefix="" action=memory
3  * topics=critical prefix="" action=echo
4    topics=error prefix="" action=Email
5    topics=dhcp prefix="MikroTik" action=remote
6    topics=!debug prefix="MikroTik" action=remote
7    topics=!ups prefix="MikroTik" action=remote
8    topics=!snmp prefix="MikroTik" action=remote

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

It's not equal. It seems to work somewhat differently when you have stuff together.
You do see SNMP logs from syslog; you should not see those messages.

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

> It's not equal. It seems to work somewhat differently when you have the topics together in one rule.
> You do see SNMP logs from syslog; you should not see those messages.

Well, I changed my settings to be exactly like yours; now I'll wait to see what happens. Thank you very much for your time and patience!!
/system logging print detail
Flags: X - disabled, I - invalid, * - default
0  * topics=info prefix="" action=memory
1  * topics=error prefix="" action=memory
2  * topics=warning prefix="" action=memory
3  * topics=critical prefix="" action=echo
4    topics=error prefix="" action=Email
5    topics=dhcp prefix="MikroTik" action=remote
6    topics=!debug,!snmp prefix="MikroTik" action=remote
7    topics=hotspot prefix="MikroTik" action=remote

Could you show me the output of this command on your MikroTik? Thank you:
/system logging action print detail

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Line 3 is the one that sends logs to the external server:
/system logging action print detail
Flags: * - default
0 * name="memory" target=memory memory-lines=1000 memory-stop-on-full=no

1 * name="disk" target=disk disk-file-name="flash/log" disk-lines-per-file=1000 disk-file-count=2 disk-stop-on-full=no

2 * name="echo" target=echo remember=yes

3 * name="remote" target=remote remote=10.10.10.50 remote-port=514 src-address=0.0.0.0 bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon syslog-severity=auto

If you get anything in your logs from syslog, this part is OK.

There are 3 ways data comes into Splunk:
1. Syslog
2. SNMP
3. Scripts

Do a search over the last 24 hours like this:
sourcetype=mikrotik| top limit=20 source |  table source
Then you should get something like this:
udp:514
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_accounting.sh
snmp://MikroTik-info
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_dhcp_pool_information.sh

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

> Line 3 is the one that sends logs to the external server:
> /system logging action print detail
> Flags: * - default
> 0 * name="memory" target=memory memory-lines=1000 memory-stop-on-full=no
>
> 1 * name="disk" target=disk disk-file-name="flash/log" disk-lines-per-file=1000 disk-file-count=2 disk-stop-on-full=no
>
> 2 * name="echo" target=echo remember=yes
>
> 3 * name="remote" target=remote remote=10.10.10.50 remote-port=514 src-address=0.0.0.0 bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon syslog-severity=auto
>
> If you get anything in your logs from syslog, this part is OK.
>
> There are 3 ways data comes into Splunk:
> 1. Syslog
> 2. SNMP
> 3. Scripts
>
> Do a search over the last 24 hours like this:
> sourcetype=mikrotik| top limit=20 source |  table source
> Then you should get something like this:
> udp:514
> /opt/splunk/etc/apps/MikroTik/bin/mikrotik_accounting.sh
> snmp://MikroTik-info
> /opt/splunk/etc/apps/MikroTik/bin/mikrotik_dhcp_pool_information.sh

Looking for what you indicated to me, I see that I lack sources:

http://subirimagen.me/uploads/20180711135032.jpg

It does not bring me the source snmp://MikroTik-info

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

You do not need to quote the whole message above you.

You have a problem with getting SNMP data.
From the Linux server try this (change your.mikrotik.ip to your actual IP):
snmpget -v2c -c public your.mikrotik.ip 1.3.6.1.4.1.14988.1.1.3.10.0
iso.3.6.1.4.1.14988.1.1.3.10.0 = INTEGER: 470
This should give you the temperature x10, so here 47.0 degrees.

What do you get when you type this on the MikroTik?
/snmp print

You should see that it's enabled and the community:
enabled: yes
contact: USA
location: under water
engine-id:
trap-target: 10.10.10.50
trap-community: public
trap-version: 1
trap-generators:

If all this is OK, look at the SNMP settings in Splunk:
Settings -> Data Input -> SNMP
You should have: MikroTik-info
Open it and see that it shows the same community as above (public) and the correct IP for your MikroTik.

Have you installed the SNMP app for Splunk?
Apps-> Manage Apps -> snmp_ta
It should show enabled.

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

> You have a problem with getting SNMP data.
> From the Linux server try this (change your.mikrotik.ip to your actual IP):
> snmpget -v2c -c public your.mikrotik.ip 1.3.6.1.4.1.14988.1.1.3.10.0
> iso.3.6.1.4.1.14988.1.1.3.10.0 = INTEGER: 470
> enabled: yes
> contact: USA
> location: under water
> engine-id:
> trap-target: 10.10.10.50
> trap-community: public
> trap-version: 1
> trap-generators:

Hi Jotne, I have a question. You use the command "snmpget -v2c -c public ......." with the version parameter 2c (-v2c), but on the MikroTik you have SNMP configured with version 1. Is this correct?

This is the result of that command on my Linux server. I think maybe it is because of the version.
snmpget -v2c -c public 192.168.1.1 1.3.6.1.4.1.14988.1.1.3.10.0
iso.3.6.1.4.1.14988.1.1.3.10.0 = No Such Object available on this agent at this OID
And this is for /snmp print:
enabled: yes
contact: myemail@hotmail.com
location: MK_Home
engine-id:
trap-target: 192.168.1.237
trap-community: public
trap-version: 1
trap-generators:

From the Splunk application, I installed the SNMP-Trap-listner module and it is configured as follows:

http://subirimagen.me/uploads/20180706110247.jpg

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

I do see there is a mix-up with the SNMP version for the traps, so it should be changed to 2 in the MikroTik config
and 2c in Splunk:
MikroTik-info	attributes	0	2C	192.168.1.1		0	1	0
mikrotik
MikroTik
Enabled | Disable	Clone
SNMP-Trap-listner	traps	0	2C			0	0	0
snmp-trap
MikroTik
Enabled | Disable	Clone
But it does not have anything to do with your problem.

SNMP goes two ways:

SNMP read, the one we use to get temperature etc. Splunk uses the MikroTik-info input to ask the MikroTik for info.
SNMP-Trap-listner is used when the MikroTik sends SNMP traps to Splunk (I have not used it yet).

So it looks like your device does not support temperature. Try uptime:
snmpget -v2c -c public 192.168.1.1 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (480102100) 55 days, 13:37:01.00
It shows 55 days uptime here.

PS: Click the Post Reply button and not the Quote button. I can read my own message. You have quoted it in all your replies.
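For anyone scripting the snmpget checks from the last two posts, here is an added example (not code from the thread or the Splunk app) that interprets the lines snmpget prints for the temperature and uptime OIDs and distinguishes a real reading from the "No Such Object" reply a board without a temperature sensor gives. The sample lines are the ones shown in the thread; the helper names are mine.

```python
# Added example, not from the thread. Parses snmpget output lines for the
# two OIDs used in the posts above and treats "No Such Object" as
# "this board has no such sensor" rather than as a parse error.
import re

TEMP_OID = "1.3.6.1.4.1.14988.1.1.3.10.0"   # MikroTik temperature, value x10
UPTIME_OID = "1.3.6.1.2.1.1.3.0"            # sysUpTime, Timeticks (1/100 s)

def parse_snmpget(line):
    """Return (oid, kind, value) for one snmpget output line.
    kind is 'integer', 'timeticks' or 'missing'; value is the parsed number,
    or None when the agent answered 'No Such Object'."""
    m = re.match(r"^(?:iso|\.?1)\.(\S+)\s*=\s*(.*)$", line.strip())
    if not m:
        raise ValueError("not an snmpget line: %r" % line)
    oid, rhs = "1." + m.group(1), m.group(2)
    if rhs.startswith("No Such Object"):
        return oid, "missing", None
    m = re.match(r"INTEGER:\s*(-?\d+)", rhs)
    if m:
        return oid, "integer", int(m.group(1))
    m = re.match(r"Timeticks:\s*\((\d+)\)", rhs)
    if m:
        return oid, "timeticks", int(m.group(1))
    raise ValueError("unsupported value type: %r" % rhs)

def temperature_c(line):
    """Temperature in degrees C, or None if the board has no sensor."""
    oid, kind, value = parse_snmpget(line)
    if kind == "missing":
        return None
    return value / 10.0           # the OID reports tenths of a degree

def uptime_days(line):
    """Uptime in days from a sysUpTime Timeticks line."""
    oid, kind, value = parse_snmpget(line)
    return value / 100.0 / 86400.0

if __name__ == "__main__":
    # Lines as printed in the thread (one board with a sensor, one without).
    print(temperature_c("iso.3.6.1.4.1.14988.1.1.3.10.0 = INTEGER: 470"))
    print(temperature_c("iso.3.6.1.4.1.14988.1.1.3.10.0 = "
                        "No Such Object available on this agent at this OID"))
    print(uptime_days("iso.3.6.1.2.1.1.3.0 = Timeticks: (480102100) 55 days, 13:37:01.00"))
```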

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

Ok, sorry for quoting your whole message.

I changed all the settings in my MikroTik and the snmp plugin in Splunk to version 2c, and executed the command with this result:
snmpget -v2c -c public 192.168.1.1 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (23825500) 2 days, 18:10:55.00
and apparently I think my MikroTik does not support that OID. My MikroTik is an RB951G-2HnD. What is your MikroTik?

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Ahh, that explains it.

I have two MikroTik routers.

The 750G r3 does give temperature, but
the 941-2nD does not give temperature.

So not all units give temperature.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

I am working on the Splunk app to handle multiple MikroTik routers.
If you now set up more units that send information to Splunk, it needs to have multiple SNMP get lines.
Dashboards need to have an option to select which unit to look at.

MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

### Re: Using Splunk to analyse MikroTik logs

@Jotne

Thank you very much for all your time and knowledge. Again, I congratulate you on this project and I am waiting for your updates.
As I told you if you need to try something, you can contact me and let's try it. Thank you very much.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

A new version 2.0 has been posted here:
viewtopic.php?f=2&t=137338

rout3rx
just joined
Posts: 3
Joined: Wed May 12, 2021 7:08 pm

### Re: Using Splunk to analyse MikroTik logs

Hi,
I have a problem with showing MikroTik events in Splunk Enterprise Security (ES); nothing shows.
I have around 10M logs in Splunk, but all of my notables in ES are empty!
What can I do?

jvanhambelgium
Member
Posts: 480
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

### Re: Using Splunk to analyse MikroTik logs

Since when did it start to happen? When was the last moment you received data? You can see that in, for example, the "data summary" overview.
Tried a stop/start of Splunk?

Did you update/upgrade Splunk ES?

I have more than 50M events historically without any issue.

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

Try this search to see if anything comes in:
index=*
Have you tagged the events? See section 2b (in the new thread).
Has it worked before?
MikroTik
Capital M and T.

NB this is an obsolete thread, use this:
viewtopic.php?f=2&t=137338

rout3rx
just joined
Posts: 3
Joined: Wed May 12, 2021 7:08 pm

### Re: Using Splunk to analyse MikroTik logs

Hello,
thanks for the guide.
I think the MikroTik log index is not detected by ES.
I attach some pictures.

In this picture, 192.168.110.1 is my MikroTik RouterBoard:
Screen Shot 2021-05-17 at 18.12.35.png
As you see, I have a lot of DNS activity:
Screen Shot 2021-05-18 at 18.09.02.png

But in ES nothing shows:
Screen Shot 2021-05-18 at 18.10.50.png

What can I do?

Jotne
Forum Guru
Topic Author
Posts: 2166
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

### Re: Using Splunk to analyse MikroTik logs

You are posting on an old and obsolete thread. Start a new one.

I do not know anything about Splunk Enterprise Security and DNS.
Why the DNS view in ES does not see the DNS logs, I guess, may be because the MikroTik logs DNS in a different format from what ES needs in order to understand it.

rout3rx
just joined
Posts: 3
Joined: Wed May 12, 2021 7:08 pm

### Re: Using Splunk to analyse MikroTik logs

Thanks for the answer.
If the logs were stored in CIM format, they would be detected by ES.