robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Remote syslog server and logs viewer?

Fri Sep 30, 2016 10:18 pm

Hi,
I was wondering if it's possible using the remote logging server feature in RouterOS to send various logs to a remote syslog-ng server, or other log server on an EC2 Amazon instance, and if there is some web-based log viewer (for example webalizer, etc.) to use and view various statistics from my MikroTik routers I have placed in various locations?

Is the "remote logging" server feature referring to a server located inside the LAN or could be remote as in a public server with public IP on the Internet, etc?

Could you set up multiple RouterOS devices to send logs to a remote server and view the logs using the various tools available as apps and web based?
 
me1100
just joined
Posts: 15
Joined: Wed May 28, 2014 1:56 am

Re: Remote syslog server and logs viewer?

Fri Sep 30, 2016 10:59 pm

> I was wondering if it's possible using the remote logging server feature in RouterOS to send various logs to a remote syslog-ng server

Yes

> Is the "remote logging" server feature referring to a server located inside the LAN or could be remote as in a public server with public IP on the Internet, etc?

Remote just means not on this router, so it can be on the LAN or over a VPN or on a public IP, but I would be careful: syslog traffic is not encrypted.

> Could you set up multiple RouterOS devices to send logs to a remote server and view the logs using the various tools available as apps and web based?

Yes, I do this today.
 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Re: Remote syslog server and logs viewer?

Sat Oct 08, 2016 1:29 am

> > I was wondering if it's possible using the remote logging server feature in RouterOS to send various logs to a remote syslog-ng server
> Yes
> > Is the "remote logging" server feature referring to a server located inside the LAN or could be remote as in a public server with public IP on the Internet, etc?
> Remote just means not on this router, so it can be on the LAN or over a VPN or on a public IP, but I would be careful: syslog traffic is not encrypted.
> > Could you set up multiple RouterOS devices to send logs to a remote server and view the logs using the various tools available as apps and web based?
> Yes, I do this today.

Can you suggest some log viewers to get me started?
 
BartoszP
Forum Guru
Posts: 1816
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Remote syslog server and logs viewer?

Sat Oct 08, 2016 8:42 am

Setting remote syslog in ROS: http://forum.mikrotik.com/viewtopic.php ... 23#p561023
Syslog-ng configuration file - from running syslog server:
```
@version:3.6
@include "scl.conf"

# syslog-ng configuration file.
#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: it also sources additional configuration files (*.conf)
#       located in /etc/syslog-ng/conf.d/

options {
    flush_lines (0);
    time_reopen (10);
    log_fifo_size (9000);
    chain_hostnames (off);
    use_dns (no);
    use_fqdn (no);
    create_dirs (no);
    keep_hostname (yes);
};

# Local system logs plus UDP syslog on port 514, listening on all interfaces
source s_sys {
    system();
    internal();
    udp(ip(0.0.0.0) port(514));
};

#source s_mikr { udp(ip(192.168.100.130) port(514)); };

# d_mikr is the file that collects the messages from the routers
destination d_mikr { file("/home/SYSLOG/mikrotik.log"); };
destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" flush_lines(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };
# Select messages whose host field matches one of the two routers
filter f_mikr { host(172.16.161.10) or  host(172.16.15.230); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };
# Router messages go to mikrotik.log
log { source(s_sys); filter(f_mikr); destination(d_mikr); };
#log { source(s_sys); destination(d_mikr); };

# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
```
Real admins use real keyboards.
 
me1100
just joined
Posts: 15
Joined: Wed May 28, 2014 1:56 am

Re: Remote syslog server and logs viewer?

Sat Oct 08, 2016 10:10 pm

> > > Could you set up multiple RouterOS devices to send logs to a remote server and view the logs using the various tools available as apps and web based?
> > Yes, I do this today.
> Can you suggest some log viewers to get me started?

I'm sorry, I guess I didn't read your question fully (sorry about that). We send our logs to a server that is running OSSEC (http://ossec.github.io) and it records those messages and reports to us anything that we have deemed as needing to be reported. It can even do some actions automatically based on traffic patterns (e.g. too many failed logins from an IP address --> block that IP address from our network). Then, if we need to, we use vim to read the archives of the logs.

Not really web or app based for us.
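
An added example, not part of the post above and not OSSEC's own rules: the "too many failed logins from an IP" check described there, run over the kind of file the syslog-ng configuration earlier in the thread writes. The log lines are constructed, and the RouterOS message wording, the threshold and the window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the layout a syslog-ng file() destination writes
# by default (timestamp, host, message); the RouterOS wording is an assumption.
SAMPLE_LOG = """\
Oct  8 08:41:02 172.16.161.10 system,error,critical login failure for user admin from 203.0.113.7 via ssh
Oct  8 08:41:09 172.16.161.10 system,error,critical login failure for user root from 203.0.113.7 via ssh
Oct  8 08:41:15 172.16.15.230 system,error,critical login failure for user admin from 203.0.113.7 via telnet
Oct  8 08:41:40 172.16.161.10 system,info,account user admin logged in from 192.0.2.10 via winbox
Oct  8 08:42:01 172.16.161.10 system,error,critical login failure for user test from 203.0.113.7 via ssh
Oct  8 08:50:00 172.16.15.230 system,error,critical login failure for user admin from 198.51.100.4 via ssh
Oct  8 09:30:00 172.16.15.230 system,error,critical login failure for user admin from 198.51.100.4 via ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<router>\S+) .*?"
    r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)"
)

def failed_login_offenders(text, threshold=4, window=timedelta(minutes=5), year=2016):
    """Return {source_ip: sorted routers it was seen on} for every source that
    reaches `threshold` failures inside a sliding `window`, across all routers."""
    recent = defaultdict(deque)   # src -> failure timestamps still in the window
    routers = defaultdict(set)    # src -> routers that reported a failure from it
    offenders = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # not a login failure (e.g. a successful login)
        # BSD syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        routers[m["src"]].add(m["router"])
        if len(q) >= threshold:
            offenders[m["src"]] = sorted(routers[m["src"]])
    return offenders

if __name__ == "__main__":
    for src, seen_on in failed_login_offenders(SAMPLE_LOG).items():
        print(f"{src}: repeated login failures seen on {', '.join(seen_on)}")
```

Counting per source across all routers is what a central log server adds: the three failures on one router and one on the other would each stay under the threshold if the routers were examined separately.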
 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Re: Remote syslog server and logs viewer?

Wed Oct 12, 2016 2:26 pm

> > > > Could you set up multiple RouterOS devices to send logs to a remote server and view the logs using the various tools available as apps and web based?
> > > Yes, I do this today.
> > Can you suggest some log viewers to get me started?
> I'm sorry, I guess I didn't read your question fully (sorry about that). We send our logs to a server that is running OSSEC (http://ossec.github.io) and it records those messages and reports to us anything that we have deemed as needing to be reported. It can even do some actions automatically based on traffic patterns (e.g. too many failed logins from an IP address --> block that IP address from our network). Then, if we need to, we use vim to read the archives of the logs.
>
> Not really web or app based for us.

Looks interesting, I'll take a look!

Thanks!

I'm currently experimenting with some Amazon EC2 instances :)
