If you want the perfect tool for analysing MikroTik logs, look at Splunk.
For up to 500 MB of logs per day it is completely free.
Here is a simple install tutorial:
-----------------------------------------
Download and install Splunk (Windows or Linux (recommended)).
Change to the free license group. It is very important to do this before the 30-day trial runs out!
Settings->Licensing->Change license group->Free license->Save
Open the Windows Firewall for UDP 514 (syslog) on Windows:
Start->type "adv"->Select: Windows Firewall with Advanced Security->Select Inbound Rules->Right click "Inbound Rules"->New Rule->Port->Next->UDP->Specific local ports->514->Next->Next->Next->Name "syslog"
Allow UDP 514 (syslog). Syslog over UDP is neither authenticated nor encrypted, so on the rule's Scope tab restrict the remote IP addresses to your MikroTik routers; otherwise anything on the network can inject log lines into Splunk.
Settings->Data inputs->Add new (next to UDP)->Port 514->Next->Sourcetype: type syslog and select syslog->Next->Submit
Install the "SNMP Modular Input" app:
At the launch page click the gear next to Apps.
Browse more apps->in the search field type "SNMP Modular Input"->Install->use your user/password (from splunk.com)
Download the ZIP file with the MikroTik app.
Extract it with all its folders and copy them to %Splunk home%/etc/apps. NB! The files in splunk/etc/apps/MikroTik/bin need to be executable. Do this:
chmod +x *.sh
Send syslog from your MikroTik to Splunk:
System->Logging->Actions->Add New->Name: (your server name)->Type: remote->Remote Address: IP of your syslog server->OK
/system logging action add name=Server_Name remote=192.168.1.x target=remote
System->Logging->Rules->Add new->Enabled: yes->Topics: !debug->Prefix: MikroTik->Action: your syslog server->OK
It is very important that the prefix is exactly "MikroTik", not "mikrotik" or anything else: the app's searches match on that exact, case-sensitive string, and any other spelling breaks all of them.
Edit: This gets all logs from DHCP and hotspot, including debug, plus info logs from all other modules except SNMP, which I do not need.
/system logging add action=remote prefix=MikroTik topics=dhcp
/system logging add action=remote prefix=MikroTik topics=!debug
You should at least log this rule: "defconf: drop all not coming from LAN".
IP->Firewall->select "defconf: drop all not coming from LAN"->Log: yes->Log Prefix: FW_Drop_all_from_WAN
/ip firewall filter add action=drop chain=input comment="Drop all from WAN" in-interface=ether1 log=yes log-prefix=FW_Drop_all_from_WAN
Start the log prefix of firewall rules with "FW_", NAT rules with "NAT_", etc. Do not use spaces in the prefix: it is written into the log line as plain text, so a space turns it into two fields and the field extraction breaks.
Example of logging NAT sessions to my web server:
/ip firewall nat add action=netmap chain=dstnat comment="Web -> Server" dst-port=80 in-interface=ether1 log=yes log-prefix=NAT_Web_Server protocol=tcp to-addresses=192.168.1.58 to-ports=80
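As an added example (not part of the original post and not code from the Splunk app), here is a small Python parser for the firewall and NAT lines the rules above produce, plus a check for the two conventions the post insists on: the case-sensitive "MikroTik" logging prefix and the space-free FW_/NAT_ log-prefix. The sample lines are constructed, not captured. The field layout (`<log-prefix> <chain>: in:<if> out:<if>, src-mac <mac>, proto <P> (<flags>), <src>:<port>-><dst>:<port>, len <n>`) follows what RouterOS writes for a rule with log=yes, but where the "MikroTik" prefix lands in the syslog payload is assumed, so compare the regex against what your collector actually receives before trusting it. All function names are mine.

```python
"""Parse the firewall/NAT lines a MikroTik sends over syslog and check the prefix conventions.
Added example; the sample lines are constructed, not captured from a router."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Assumed layout of the message RouterOS writes for a rule with log=yes:
#   <log-prefix> <chain>: in:<if> out:<if>, src-mac <mac>, proto <P> (<flags>), <src>[:<port>]-><dst>[:<port>], len <n>
# src-mac, the bracketed flags and the ports are optional (ICMP has no ports, the output chain has no src-mac).
FW_RE = re.compile(
    r"(?P<rule_prefix>\S+) (?P<chain>\w+): in:(?P<in_if>.+?) out:(?P<out_if>.+?), "
    r"(?:src-mac (?P<src_mac>[0-9a-fA-F:]+), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)"
)

# Convention from the post: FW_ for filter rules, NAT_ for NAT rules, no spaces.
RULE_PREFIX_RE = re.compile(r"^(?:FW|NAT)_[A-Za-z0-9_]+$")
# Must equal the logging-rule prefix exactly; the comparison is case-sensitive on purpose.
TOPIC_PREFIX = "MikroTik"


@dataclass
class FirewallEvent:
    rule_prefix: str
    chain: str
    in_if: str
    out_if: str
    proto: str
    flags: Optional[str]
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    length: int
    topic_prefix_ok: bool  # "MikroTik" present with the right case
    rule_prefix_ok: bool   # log-prefix follows the FW_/NAT_ convention


def parse_line(line: str) -> Optional[FirewallEvent]:
    """Return the parsed event, or None for lines that are not firewall/NAT logs."""
    m = FW_RE.search(line)
    if m is None:
        return None
    return FirewallEvent(
        rule_prefix=m["rule_prefix"], chain=m["chain"], in_if=m["in_if"], out_if=m["out_if"],
        proto=m["proto"], flags=m["flags"],
        src=m["src"], sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"], dport=int(m["dport"]) if m["dport"] else None,
        length=int(m["length"]),
        topic_prefix_ok=TOPIC_PREFIX in line,
        rule_prefix_ok=RULE_PREFIX_RE.match(m["rule_prefix"]) is not None,
    )


def check_conventions(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line index, problem) for firewall lines the app's searches would not match."""
    problems: List[Tuple[int, str]] = []
    for i, line in enumerate(lines):
        ev = parse_line(line)
        if ev is None:
            continue  # DHCP, hotspot, etc.: not a firewall line
        if not ev.topic_prefix_ok:
            problems.append((i, "logging-rule prefix is not exactly %r" % TOPIC_PREFIX))
        if not ev.rule_prefix_ok:
            # A space in the log-prefix shifts the fields: only the last word is seen as the prefix.
            problems.append((i, "log-prefix %r breaks the FW_/NAT_ convention" % ev.rule_prefix))
    return problems


def drops_per_source(lines: Iterable[str], min_hits: int = 3) -> Dict[str, int]:
    """Count FW_-prefixed events per source IP and return the sources with at least min_hits."""
    hits: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev.rule_prefix.startswith("FW_"):
            hits[ev.src] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


# Constructed sample lines using RFC 5737 documentation addresses.
SAMPLE_LINES = [
    "MikroTik firewall,info FW_Drop_all_from_WAN input: in:ether1 out:(unknown 0), src-mac 00:0c:29:3e:4f:5a, proto TCP (SYN), 203.0.113.7:51234->198.51.100.2:22, len 60",
    "MikroTik firewall,info FW_Drop_all_from_WAN input: in:ether1 out:(unknown 0), src-mac 00:0c:29:3e:4f:5a, proto TCP (SYN), 203.0.113.7:51235->198.51.100.2:23, len 60",
    "MikroTik firewall,info FW_Drop_all_from_WAN input: in:ether1 out:(unknown 0), src-mac 00:0c:29:3e:4f:5a, proto TCP (SYN), 203.0.113.7:51236->198.51.100.2:3389, len 60",
    "MikroTik firewall,info FW_Drop_all_from_WAN input: in:ether1 out:(unknown 0), src-mac 00:0c:29:3e:4f:5a, proto ICMP (type 8, code 0), 203.0.113.9->198.51.100.2, len 84",
    "MikroTik firewall,info NAT_Web_Server dstnat: in:ether1 out:(unknown 0), src-mac 00:0c:29:3e:4f:5a, proto TCP (SYN), 198.51.100.77:40001->198.51.100.2:80, len 60",
    # wrong case in the logging-rule prefix
    "mikrotik firewall,info FW_Drop_all_from_WAN input: in:ether1 out:(unknown 0), src-mac 00:0c:29:3e:4f:5a, proto UDP, 203.0.113.9:5353->198.51.100.2:5353, len 76",
    # space in the log-prefix
    "MikroTik firewall,info Drop from WAN input: in:ether1 out:(unknown 0), src-mac 00:0c:29:3e:4f:5a, proto TCP (SYN), 203.0.113.11:1024->198.51.100.2:445, len 60",
]

if __name__ == "__main__":
    for idx, why in check_conventions(SAMPLE_LINES):
        print("line %d: %s" % (idx, why))
    print("sources hitting FW_ rules 3+ times:", drops_per_source(SAMPLE_LINES))
```

Run as a script it reports the two lines that the conventions above would silently drop from the dashboards (the lowercase "mikrotik" one and the one whose log-prefix contains spaces, which parses as a prefix of just "WAN"); pointed at a file of real lines, drops_per_source gives a first triage of which sources keep hitting the FW_ rules before anything reaches a Splunk search.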
Set up SSH key login on the MikroTik (see https://wiki.mikrotik.com/wiki/Use_SSH_ ... key_login).
Add the private key to the folder MikroTik\bin.
Change the script in MikroTik\bin to use the correct key and IP (of your MikroTik).
Anyone who can read that key file can log in to the router, so restrict the file to the account Splunk runs as (chmod 600 on Linux, an NTFS ACL on Windows) and create a dedicated router user for it whose group has only the policies the scripts actually need (start from ssh and read, and add more only if a script fails), not full or write.
To get accounting data you need to enable it on the MikroTik router.
Web GUI:
IP->Accounting->Enable Accounting: mark->Apply
I have set threshold to 2560 (not sure what the default is).
MikroTik Firewall data usage (MikroTik Traffic) (in MikroTik/default/data/ui/views/mikrotik_firewall_data_usage.xml):
Edit all lines containing
search ip="10.10.10.0/24"
to your inside IP range.
Script to get DHCP pool information. It is important that it uses exactly the same name as below:
DHCP-Pool-information
# List stats for IP -> Pool
# v1.1
# https://forum.mikrotik.com/viewtopic.php?t=40467
# criticalthreshold = output pool display in red if pool used is above this %
# warnthreshold = output pool display in gold if pool used is above this %
:local criticalthreshold 90
:local warnthreshold 80
:local hostname [/system identity get name]

# Internal processing below...
# ----------------------------------
/ip pool {
    :local poolname
    :local pooladdresses
    :local poolused
    :local poolpercent
    :local minaddress
    :local maxaddress
    :local findindex
    :local tmpint
    :local maxindex
    :local line

    # :put ("IP Pool Statistics")
    # :put ("------------------")

    # Iterate through IP pools
    :foreach p in=[find] do={
        :set poolname [get $p name]
        :set pooladdresses 0
        :set poolused 0
        :set line ""
        :set line ("pool=" . $poolname)

        # Iterate through the current pool's IP ranges
        :foreach r in=[:toarray [get $p range]] do={
            # Get min and max addresses ("a.b.c.d-e.f.g.h", or a single address)
            :set findindex [:find [:tostr $r] "-"]
            :if ([:len $findindex] > 0) do={
                :set minaddress [:pick [:tostr $r] 0 $findindex]
                :set maxaddress [:pick [:tostr $r] ($findindex + 1) [:len [:tostr $r]]]
            } else={
                :set minaddress [:tostr $r]
                :set maxaddress [:tostr $r]
            }

            # Convert to array of octets (replace '.' with ',')
            :for x from=0 to=([:len [:tostr $minaddress]] - 1) do={
                :if ([:pick [:tostr $minaddress] $x ($x + 1)] = ".") do={
                    :set minaddress ([:pick [:tostr $minaddress] 0 $x] . "," . \
                        [:pick [:tostr $minaddress] ($x + 1) [:len [:tostr $minaddress]]])
                }
            }
            :for x from=0 to=([:len [:tostr $maxaddress]] - 1) do={
                :if ([:pick [:tostr $maxaddress] $x ($x + 1)] = ".") do={
                    :set maxaddress ([:pick [:tostr $maxaddress] 0 $x] . "," . \
                        [:pick [:tostr $maxaddress] ($x + 1) [:len [:tostr $maxaddress]]])
                }
            }

            # Calculate available addresses for the current range:
            # sum over the octets of (max - min) * 256^(position counted from the right)
            :if ([:len [:toarray $minaddress]] = [:len [:toarray $maxaddress]]) do={
                :set maxindex ([:len [:toarray $minaddress]] - 1)
                :for x from=$maxindex to=0 step=-1 do={
                    # Calculate 256^($maxindex - $x)
                    :set tmpint 1
                    :if (($maxindex - $x) > 0) do={
                        :for y from=1 to=($maxindex - $x) do={ :set tmpint (256 * $tmpint) }
                    }
                    :set tmpint ($tmpint * ([:tonum [:pick [:toarray $maxaddress] $x]] - \
                        [:tonum [:pick [:toarray $minaddress] $x]]))
                    :set pooladdresses ($pooladdresses + $tmpint)
                }
            }
            # Add the current range to the pool's total; a single-address range counts as one
            :set pooladdresses ($pooladdresses + 1)
        }

        # Now we have the available addresses for all ranges in this pool;
        # get the number of used addresses for this pool
        :set poolused [:len [used find pool=[:tostr $poolname]]]
        :set poolpercent (($poolused * 100) / $pooladdresses)

        # Output information (one key=value line per pool, which is what gets indexed)
        :set line ([:tostr $line] . " used=" . $poolused . " total=" . $pooladdresses)
        :set line ([:tostr $line] . " percent=" . $poolpercent . " hostname=" . $hostname)

        # Set coloured display for used thresholds
        :if ([:tonum $poolpercent] > $criticalthreshold) do={
            :log error ("IP Pool " . $poolname . " is " . $poolpercent . "% full")
            :put ([:terminal style varname] . $line)
        } else={
            :if ([:tonum $poolpercent] > $warnthreshold) do={
                :log warning ("IP Pool " . $poolname . " is " . $poolpercent . "% full")
                :put ([:terminal style syntax-meta] . $line)
            } else={
                :put ([:terminal style none] . $line)
            }
        }
    }
}
This gives a view of what the firewall does. I use this to see who is online. You can also create views to see the actual DNS requests, and one that shows all DHCP requests.