Community discussions

 
sindy
Forum Guru
Forum Guru
Posts: 3759
Joined: Mon Dec 04, 2017 9:19 pm

Re: Using Splunk to analyse MikroTik logs

Sun Mar 25, 2018 10:17 pm

wow !! you did a great job. I've implemented it. Firewall data usage is not working for me. You mentioned to use the private key. which one is the private key? all i can see only id_dsa and id_dsa.pub
The
.pub
stands for public which you place to the servers to which you want to log in without entering a password.
So you normally generate the pair of private and public key at the client machine in the
~/.ssh/
directory of the user from which you are going to log in to the server, and copy only the
.pub
file to the server (the Mikrotik in this case). As @Jotne says to copy the private key to Mikrotik/bin on the Splunk machine, that would be the
id_dsa
file without
.pub
suffix.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
Tawfiq
just joined
Posts: 2
Joined: Wed Apr 11, 2007 6:24 pm

Re: Using Splunk to analyse MikroTik logs

Tue Mar 27, 2018 9:52 am

Yeah thanks. But even so Mikrotik asks for a password. So I found a different way to do it. Everything is working fine except the DNS logs. Was working since i made changes i think, and DNS logs are not getting in.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Tue Mar 27, 2018 10:46 am

DNS logs comes for Syslog, so if you get other sylog data, you should also get DNS.
What is your logging settings?

I have two settings in my remote syslog settings.
add action=remote prefix=MikroTik topics=dhcp
add action=remote prefix=MikroTik topics=!debug,!snmp
First line sends all DHCP message, including debug message.

Second line sends all message that are not debug nor SNMP.
I do not need the SNMP, nor the debug message from other modules.
This gives me logs from other modules like DNS,Firewall, System, upnp, Interface etc


PS, I am working on a new version that gives log information for booth wireless and hotspot.
Since hotspot only shows message for logout as default, you should also get debug message from they as well and do like this:
add action=remote prefix=MikroTik topics=dhcp,hotspot
add action=remote prefix=MikroTik topics=!debug,!snmp
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MikroTikFan
Member Candidate
Member Candidate
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Using Splunk to analyse MikroTik logs

Mon Apr 02, 2018 3:31 pm

@Jotne
I like your solution and examples in Splunk . I think that I followed your instruction, but I still have in Mikrotik App

"No results found."

Can you please help me to find what I'm doing wrong ?

Thanks in advance.
Sure I will do.

Setup where the logging should go:
System->Logging->Action->remote
Type:Remote
Remote Address: your Splunk or other logging servers IP
Remote port: 514 (default)

Then you setup what to log.
System->Loging-Rules->Add new
Enabled x
Topics: ! ups (see the not. So I log all but not ups. This is a tric to get all)
Prefix: MikroTik (I set this so that all i tagget MiktroTik in the syslog)
Action: Remote (Send to syslog server)

You can also add logging of firewall.
Eksample last rule that block all that is not allowed:
10 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=yes log-prefix="rule_10"

Her I have set log=yes and log-prefix="rule_10"
I give all log rule and nat rule different number. Then its easy to see in Splunk what rule that block the data.

I have also added a module for Splunk so that it can read SNMP.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Mon Apr 02, 2018 3:51 pm

Splunk should recieve data if Mikrotik is correctly setup, even if the Mikrotik app is not installed.

What is important.

1. Make sure your device sends syslog messages.
add name=Server_Name remote=192.168.1.x target=remote
add action=remote prefix=MikroTik topics=dhcp,hotspot
add action=remote prefix=MikroTik topics=!debug,!snmp
This should sends at least information on changes and some other logs.

2. Make sure no fw blocks the data entering your server.

3. Enable Splunk to receive the sylog

Then a search like this should give you data.
http://your-server:8000/en-GB/app/search/search?q=search%20*
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MikroTikFan
Member Candidate
Member Candidate
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Using Splunk to analyse MikroTik logs

Mon Apr 02, 2018 6:29 pm

Sure, that's all is working.
I see this data in splunk stream and I can browse them.

The problem is that on Mikrotik Application there is nothing.
Same problem like before : "No results found."
You do not have the required permissions to view the files attached to this post.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Mon Apr 02, 2018 6:51 pm

Go to search and write * to do a general search.
Past some line here, so I do see how it looks like.

You may not have tagged rules with MikroTik (NB upper M and upper T)
prefix=MikroTik
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MikroTikFan
Member Candidate
Member Candidate
Posts: 196
Joined: Sat Aug 02, 2014 1:13 am

Re: Using Splunk to analyse MikroTik logs

Mon Apr 02, 2018 7:22 pm

Thanks!
Yes, "Mikrotik" vs. "MikroTik" - works, with following :
- MikroTik DNS Live usage
- MikroTik DNS request
- MikroTik Firewall

but is not working with following:
- MikroTik Volt/Temperature
- MikroTik Live attack - I have to add name to rule "FW_Drop_all_from_WAN"
- MikroTik Web Proxy - but currently I'm not using proxy
- MikroTik DHCP request - where to add debug messages?
- Mikrotik DHCP pool information - how to run ?
- MikroTik remote connection - like VPN ?
- MikroTik Firewall data usage - SSH ? (how to run this?)
- MikroTik uPnP - SSH (how to run this?)

Can you please advise me how to run this ?
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Mon Apr 02, 2018 8:17 pm

Lots of the stuff you are missing some rules.
That is some my fault, that data i depended rules, that need names.

Click on the magnifier glass under the graph and se where data is coming from.

Live logs need a rule with correct name, look at search. (third line)
sourcetype=mikrotik
          module=firewall
          rule=FW_Drop_all_from_WAN
          | search dest_port=*
          | lookup dnslookup clientip as src_ip OUTPUT clienthost as src_host
          | iplocation src_ip
          | eval City=if(isnull(City) OR City="", "Unknown", City)
           ,src_host=if(isnull(src_host) OR src_host="", src_ip, src_host)
           ,info=src_host."-".City."-".Country."-".dest_port.":".protocol
           | geostats globallimit=0 count by info
Live log need this as the last FW rules.
add action=drop chain=input comment="Drop all from WAN " in-interface=ether1-Wan log=yes log-prefix=FW_Drop_all_from_WAN
Volt/Temperature
source="snmp://MikroTik-info"
Needs SNMP working. (Splunk asks using SNMP to get data)

DHCP request
Seems that some has change in MikroTik logging, so remove logging rules ans change to
add action=remote prefix=MikroTik topics=!debug,!snmp
DHCP pool information
Need SNMP to work

MikroTik Remote connection.
This should show VPN, but some has change in the logging.
Remove "severity=info" from the section "3. VPN logged in ok"

SSH is explained in the frist post.
-----------------
Get data from MikroTik with SSH (does only work with Linux Splunk version)
https://wiki.mikrotik.com/wiki/Use_SSH_ ... key_login)
Add the private key to the folder: MikroTik\bin
Change script in MikroTik\bin to use correct key and IP
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
diegoM
just joined
Posts: 1
Joined: Sun Mar 18, 2018 1:55 pm

Re: Using Splunk to analyse MikroTik logs

Mon Apr 30, 2018 11:52 am

Hi Jotne,

Can you please update the links to download, really it doesn´t work, and congratullations for this great job!!
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Tue May 01, 2018 7:43 pm

Link in first post works fine.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
AnupamPradhan
newbie
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Re: Using Splunk to analyse MikroTik logs

Wed May 23, 2018 5:14 am

@Jotne,

Can you please help me setup log analyze for hotspot user.

viewtopic.php?f=2&t=134530
 
philamonster
just joined
Posts: 13
Joined: Mon Apr 03, 2017 4:08 am

Re: Using Splunk to analyse MikroTik logs

Sat May 26, 2018 12:41 am

...

DHCP pool information
Need SNMP to work
...


First, thank you for all the work you have done.

All views are working with the exception of DHCP pool info. mikrotik_dhcp_pool_information.sh seems to be calling a script that simply doesn't exist on my MikroTik device:
/system script run DHCP-Pool-information
As per your reply above, SNMP is working as I get volt/temp info after editing defaults/inputs.conf to match my device. I don't see any info in first post about adding the above script to RouterOS. Where might I get that code?
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Sat May 26, 2018 8:48 am

My fault, simply forget that there was a script involved :)
Updated first post.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
AnupamPradhan
newbie
Posts: 35
Joined: Wed May 04, 2016 2:44 pm

Re: Using Splunk to analyse MikroTik logs

Sun Jun 10, 2018 4:07 pm

Hi Jotne,

Can you please help me setup log analyze for hotspot user.

viewtopic.php?f=2&t=134530
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Sun Jun 10, 2018 11:22 pm

What is wrong with the "MikroTik Hotspot login/logout information" in the app?
Is there something that does not work?
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Fri Jun 15, 2018 7:04 pm

Hello to the whole community.
Jotne thank you very much for all your work, the truth is great.
I was able to make almost everything work. I just can not make the following work:
MikroTik uPnP
MikroTik Firewall data usage
Mikrotik DHCP pool information

The rest works well for me. I created the dsa certificate and I imported it in the mikrotik, but when using the private key to connect to the mikrotik, it always asks for a password. The user created in the mikrotik for the use of ssh has no password and neither the certificate is created with a password. I can not make it work anyway. something similar happened to you, you could solve it. Who can guide me in this. Thank you very much.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Sat Jun 16, 2018 1:45 am

You are welcome.

You need to get this to work:
https://wiki.mikrotik.com/wiki/Use_SSH_ ... y_login%29
It shows all steps needed to preform. If the example does not work, then Splunk will neither.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Mon Jun 25, 2018 3:50 pm

You are welcome.

You need to get this to work:
https://wiki.mikrotik.com/wiki/Use_SSH_ ... y_login%29
It shows all steps needed to preform. If the example does not work, then Splunk will neither.
Hello, thanks for answering. Try that tutorial but I can not make it work as indicated in that tutorial.
But after many trials and errors, I managed to make it work using RSA 2048 keys generated with Puttygen. After this I try to use the bash script that is in / opt / splunk / etc / apps / MikroTik / bin and it runs fine but it does not bring me any information for the modules:
MikroTik Firewall data usage
Mikrotik DHCP pool information
MikroTik uPnP

I do not know if I needed to create some rule or something else in the mikrotik because I can not make these modules work. The one that interests me the most is the MikroTik Firewall data usage. Could you guide me a little more ?. Thank you.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Mon Jun 25, 2018 10:45 pm

Look in this folder:

splunk/etc/apps/MikroTik/bin

There you should have these files:

dsa_mikrotik_private
mikrotik_accounting.sh
mikrotik_dhcp_pool_information.sh
mikrotik_upnp.sh


When in the bin filder run the DHCP script like this:
./mikrotik_dhcp_pool_information.sh

You should no see what is going on. If all is ok, you should see the DHCP information.

It its important that the private dsa key is in this folder, if not script will not connect.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Wed Jun 27, 2018 11:06 pm

Look in this folder:

splunk/etc/apps/MikroTik/bin

There you should have these files:

dsa_mikrotik_private
mikrotik_accounting.sh
mikrotik_dhcp_pool_information.sh
mikrotik_upnp.sh


When in the bin filder run the DHCP script like this:
./mikrotik_dhcp_pool_information.sh

You should no see what is going on. If all is ok, you should see the DHCP information.

It its important that the private dsa key is in this folder, if not script will not connect.
Thanks to this I found that in addition to the files that you mentioned, I had to change the user and execution group to which the splunk application belonged in order to make the connection by ssh. But I still do not work the module that I need the -MikroTik Firewall data usage.
You could show me how the information brings you because I can not find what it could be.

Here I show you a print of how the query is configured according to what the tutorial indicates
each query with the private ip range corresponding to my internal network.
Image

And here is the result of executing the mikrotik_accouting script from the console.
Image

It does not bring anything when executing this script so please check if you had a rule or something else that allows you to collect the metric of this module.
if you can, you can send me an image of what you have to do with the execution of that script to see and orient me. I thank you very much for your time and patience.
 
User avatar
chechito
Forum Guru
Forum Guru
Posts: 1651
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia
Contact:

Re: Using Splunk to analyse MikroTik logs

Wed Jun 27, 2018 11:13 pm

keep in mind logging uses CPU resources, if you log very frequent actions you will have significant increase on CPU usage
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Thu Jun 28, 2018 2:18 pm

keep in mind logging uses CPU resources, if you log very frequent actions you will have significant increase on CPU usage
If I know, but in my case the use of my CPU is more than calm and we'll see later.
Image

chechito you use this app to monitor your mikrotik or some other?
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Thu Jun 28, 2018 8:24 pm

I do not see your picture in your post, so can not see what is wrong.
But I did find some important thing that i did forget.

After you have copied the files to the splunk, you do need to do this.
NB!! files in folder splunk/etc/apps/MikroTik/bin needs to be executable. Do this:
chmod +x *.sh
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Thu Jun 28, 2018 9:07 pm

I do not see your picture in your post, so can not see what is wrong.
But I did find some important thing that i did forget.

After you have copied the files to the splunk, you do need to do this.
NB!! files in folder splunk/etc/apps/MikroTik/bin needs to be executable. Do this:
chmod +x *.sh
Thanks for answering. i can see the picture. but anyway I give you the link of the image.

Here I show you a print of how the query is configured according to what the tutorial indicates
each query with the private ip range corresponding to my internal network.
http://subirimagen.me/uploads/20180627145629.jpg

And here is the result of executing the mikrotik_accouting script from the console.
http://subirimagen.me/uploads/20180627150139.jpg

what you mention of giving him permission to execute with chmod + x to the bash script, had already done it. All scripts are executed correctly. but when I run the mikrotik_accounting script it does not bring me information. That's why I asked you if you could show me an image of how you bring the information to you so I can have a clearer idea of what I may be missing.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Thu Jun 28, 2018 10:37 pm

Ups

It looks correct from the foto, so you got communication.

Found one more important setting that needs to be turned on. Accounting.
Web Gui
IP-> Accounting -> Enable Accounting -> mark - Apply
I have set threshold to 2560 (not sure what is default)

Updated 1st post.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Thu Jun 28, 2018 10:50 pm

Ups

It looks correct from the foto, so you got communication.

Found one more important setting that needs to be turned on. Accounting.
Web Gui
IP-> Accounting -> Enable Accounting -> mark - Apply
I have set threshold to 2560 (not sure what is default)

Updated 1st post.
Yeah!!! Only that important configuration was missing. Now, if you show me the traffic in the Firewall data usage module. Thank you very much, really an excellent job. I would like to learn more about the development of dashboard, what do you recommend?
threshold is 256 for default.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Thu Jun 28, 2018 11:04 pm

You are welcome.
Its not always easy to recreate steps done to get it to work.
I would love if I could these type of data us SNMP instead for script, or Router could send it out as a bulk of data every x second to Syslog.

You should see what data you have and then try to figure how to present it.
Dashboard is some complicated but not to hard.
I always try out things in search to see how it may looks like, then convert it to dashboard.

I am thinking of adding a panel with CPU/memory/uptime etc.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Thu Jun 28, 2018 11:19 pm

You are welcome.
Its not always easy to recreate steps done to get it to work.
I would love if I could these type of data us SNMP instead for script, or Router could send it out as a bulk of data every x second to Syslog.

You should see what data you have and then try to figure how to present it.
Dashboard is some complicated but not to hard.
I always try out things in search to see how it may looks like, then convert it to dashboard.

I am thinking of adding a panel with CPU/memory/uptime etc.
The truth is an excellent work and much more because you publish it that way without more that is much more admirable. I really do not know anything about this world of dashboards but I would love to learn a little more and your dashboard is a great help. If you need to try something more than what you implement, do not hesitate to tell me I think something could help you.
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Sat Jun 30, 2018 12:01 am

Jotne

Hi, I have a doubt. Is it normal for this graphic to show it that way?

Image
http://subirimagen.me/uploads/20180629155928.jpg

because before he showed it to me like this:
Image
http://subirimagen.me/uploads/20180629155744.jpg

Can you guide me what could be ?. Thank you
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Sat Jun 30, 2018 12:50 am

It has to do with the time schedule.
You could either sample more often, example every minute insted of every 5 minutes. But this would then load the MikroTik more.
Or you could zoome out showing over a bigger time periode. Example last 4 hour insted of last hour.

Your first graph goes from 5:25 to 5:35, only 30 minutes. it would then not draw line.
Second graph shows last 24 hour,
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Mon Jul 02, 2018 8:59 pm

It has to do with the time schedule.
You could either sample more often, example every minute insted of every 5 minutes. But this would then load the MikroTik more.
Or you could zoome out showing over a bigger time periode. Example last 4 hour insted of last hour.

Your first graph goes from 5:25 to 5:35, only 30 minutes. it would then not draw line.
Second graph shows last 24 hour,
Thank it work,I do not know what happened. Only i restarting the splunk and it works again.
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Fri Jul 06, 2018 7:15 pm

Hi Jotne:

Summing up, I already managed to make almost all the modules work. The only things that do not work for me are MikroTik uPnP and MikroTik Vol / Temperatur. In both modules he says "No results found."
For the MikroTik Vol / Temperatur module perform the following:
In the Mikrotik - System - Logging - Topics:! Snmp> Prefix: MikroTik> Action: Remote
In the Mikrotik - Ip - SNMP - Enable: yes - Trap Community: public - Trap version: 1.
In communities Name: public> Address: 192.168.1.237 (My splunk)

In the srv splunk the file inputs.conf was edited as follows:
Image
http://subirimagen.me/uploads/20180706111352.jpg

From the splunk application, install the SNMP-Trap-listner module and it is configured as follows:
Image
http://subirimagen.me/uploads/20180706110247.jpg

I do not know what else to configure, in the general search (* snmp) in splunk it appears:
Image
http://subirimagen.me/uploads/20180706110646.jpg


With regard to the MikroTik uPnP module perform the following:
In the mikrotik the access is configured by ssh and it works ok.
In the mikrotik IP - UPnP - Enable: yes - Interfaces configure both Bridge-WifiLAN networks as internal and WAN1 as external interfaces. Even so, in splunk he says "No results found."

If it occurs to you that I may be missing, I would appreciate your help again.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Fri Jul 06, 2018 9:58 pm

uPnP gets data from a script.
What do you get when run this from within linux
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_upnp.sh


Temperature is SNMP based
What do you get when search for
SNMP*
NB uppercase
What you did search for is the log for snmp message in the MikroTik log not for the SNMP message it get from SNMP module in Splunk.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Tue Jul 10, 2018 10:33 pm

uPnP gets data from a script.
What do you get when run this from within linux
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_upnp.sh


Temperature is SNMP based
What do you get when search for
SNMP*
NB uppercase
What you did search for is the log for snmp message in the MikroTik log not for the SNMP message it get from SNMP module in Splunk.
Hi, is true that module gets data from a script. In my case when ejecute the script dont recive nothing data. i need research more about firewall nat dynamic rules.

with respect to the volt / temperatur module, I can not see anything in splunk, and realize all the configurations. When I do a general search with SNMP * I get the following.
Image
http://subirimagen.me/uploads/20180710143146.jpg

for what I can see it brings me SNMP data from the log with the prefix MikroTik, but even so I do not see anything when I run the module.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Wed Jul 11, 2018 12:44 am

This is the log from SNMP not the SNMP data. I do always set up så that I do not log snmp logs.

You should setup some like this:
 /system logging> print detail  
Flags: X - disabled, I - invalid, * - default 
 0 X* topics=info prefix="" action=memory #default
 1  * topics=error prefix="" action=memory  #default
 2  * topics=warning prefix="" action=memory #default
 3  * topics=critical prefix="" action=echo #default
 4    topics=dhcp prefix="MikroTik" action=Logsrever
 5    topics=hotspot prefix="MikroTik" action=Logserever
 6    topics=!debug,!snmp prefix="MikroTik" action=Logserver
Here you see I ignore snmp logs.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Wed Jul 11, 2018 4:01 pm

This is the log from SNMP not the SNMP data. I do always set up så that I do not log snmp logs.

You should setup some like this:
 /system logging> print detail  
Flags: X - disabled, I - invalid, * - default 
 0 X* topics=info prefix="" action=memory #default
 1  * topics=error prefix="" action=memory  #default
 2  * topics=warning prefix="" action=memory #default
 3  * topics=critical prefix="" action=echo #default
 4    topics=dhcp prefix="MikroTik" action=Logsrever
 5    topics=hotspot prefix="MikroTik" action=Logserever
 6    topics=!debug,!snmp prefix="MikroTik" action=Logserver
Here you see I ignore snmp logs.
Yes i have that setting in my Logging configuration:
/system logging print detail 
Flags: X - disabled, I - invalid, * - default 
 0  * topics=info prefix="" action=memory 
 1  * topics=error prefix="" action=memory 
 2  * topics=warning prefix="" action=memory 
 3  * topics=critical prefix="" action=echo 
 4    topics=error prefix="" action=Email 
 5    topics=dhcp prefix="MikroTik" action=remote 
 6    topics=!debug prefix="MikroTik" action=remote 
 7    topics=!ups prefix="MikroTik" action=remote 
 8    topics=!snmp prefix="MikroTik" action=remote
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Wed Jul 11, 2018 6:38 pm

Its not equal. It seems to works some different when you have stuff together.
You do see SNMP logs from syslog, you should not see those message.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Wed Jul 11, 2018 7:28 pm

Its not equal. It seems to works some different when you have stuff together.
You do see SNMP logs from syslog, you should not see those message.
Well, I changed my settings to be exactly like yours, now I'll wait to see what happens. Thank you very much for your time and patience !!
/system logging print detail 
Flags: X - disabled, I - invalid, * - default 
 0  * topics=info prefix="" action=memory 
 1  * topics=error prefix="" action=memory 
 2  * topics=warning prefix="" action=memory 
 3  * topics=critical prefix="" action=echo 
 4    topics=error prefix="" action=Email 
 5    topics=dhcp prefix="MikroTik" action=remote 
 6    topics=!debug,!snmp prefix="MikroTik" action=remote 
 7    topics=hotspot prefix="MikroTik" action=remote 
Could you show me the output of this command in your mikrotik. thank you.:
/system logging action print detail
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Wed Jul 11, 2018 7:42 pm

Line 3 is to one who sends logs to external server
/system logging action print detail  
Flags: * - default 
 0 * name="memory" target=memory memory-lines=1000 memory-stop-on-full=no 

 1 * name="disk" target=disk disk-file-name="flash/log" disk-lines-per-file=1000 disk-file-count=2 disk-stop-on-full=no 

 2 * name="echo" target=echo remember=yes 

 3 * name="remote" target=remote remote=10.10.10.50 remote-port=514 src-address=0.0.0.0 bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon syslog-severity=auto
If you got any thing in your logs from syslog, this part is ok.

There are 3 ways data coming to the Splunk
1. Syslog
2. SNMP
3. Scripts

Do a search last 24 hours like this:
sourcetype=mikrotik| top limit=20 source |  table source
Then you should get some like this:
udp:514
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_accounting.sh
snmp://MikroTik-info
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_dhcp_pool_information.sh
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Wed Jul 11, 2018 9:53 pm

Line 3 is to one who sends logs to external server
/system logging action print detail  
Flags: * - default 
 0 * name="memory" target=memory memory-lines=1000 memory-stop-on-full=no 

 1 * name="disk" target=disk disk-file-name="flash/log" disk-lines-per-file=1000 disk-file-count=2 disk-stop-on-full=no 

 2 * name="echo" target=echo remember=yes 

 3 * name="remote" target=remote remote=10.10.10.50 remote-port=514 src-address=0.0.0.0 bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon syslog-severity=auto
If you got any thing in your logs from syslog, this part is ok.

There are 3 ways data coming to the Splunk
1. Syslog
2. SNMP
3. Scripts

Do a search last 24 hours like this:
sourcetype=mikrotik| top limit=20 source |  table source
Then you should get some like this:
udp:514
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_accounting.sh
snmp://MikroTik-info
/opt/splunk/etc/apps/MikroTik/bin/mikrotik_dhcp_pool_information.sh
looking for what you indicated to me I see that I lack sources:
Image
http://subirimagen.me/uploads/20180711135032.jpg

Do not bring me the source snmp: // MikroTik-info
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Thu Jul 12, 2018 12:35 am

You do not need to quote the whole message above you.

You have problem with getting SNMP data
From the linux server try this: (change your.mikrotik.ip to your actual IP)
snmpget -v2c -c public your.mikrotik.ip 1.3.6.1.4.1.14988.1.1.3.10.0
iso.3.6.1.4.1.14988.1.1.3.10.0 = INTEGER: 470
This should give you the temperature x10, so here 47.0 degree.

What do you get when you type on MikroTik
/snmp print 

You should see that its enabled and the community
          enabled: yes
          contact: USA
         location: under water
        engine-id: 
      trap-target: 10.10.10.50
   trap-community: public
     trap-version: 1
  trap-generators: 
If all this is OK, look at SNMP settings in Splunk.
Settings -> Data Input -> SNMP
You should have: MikroTik-info
Open it and see that is shows same community as above (public) and correct IP for your Mikrotik

You have installed SNMP app for Splunk?
Apps-> Manage Apps -> snmp_ta
It should show enabled
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Thu Jul 12, 2018 5:24 pm

You have problem with getting SNMP data
From the linux server try this: (change your.mikrotik.ip to your actual IP)
snmpget -v2c -c public your.mikrotik.ip 1.3.6.1.4.1.14988.1.1.3.10.0
iso.3.6.1.4.1.14988.1.1.3.10.0 = INTEGER: 470
 	      enabled: yes
          contact: USA
         location: under water
        engine-id: 
      trap-target: 10.10.10.50
   trap-community: public
     trap-version: 1
  trap-generators: 
Hi Jotne, I have a question. with mention that you use the command "snmpget -v2c -c public ......." you indicate with the parameter version 2c (-v2c) but in the mikrotik the SNMP you have it configured with version 1 this is correct ?.

This is a result of that command in my linux server. I think maybe is for the version.
snmpget -v2c -c public 192.168.1.1 1.3.6.1.4.1.14988.1.1.3.10.0
iso.3.6.1.4.1.14988.1.1.3.10.0 = No Such Object available on this agent at this OID
And this for /snmp print
	enabled: yes
          contact: myemail@hotmail.com
         location: MK_Home
        engine-id: 
      trap-target: 192.168.1.237
   trap-community: public
     trap-version: 1
  trap-generators:
From the splunk application, install the SNMP-Trap-listner module and it is configured as follows:
Image
http://subirimagen.me/uploads/20180706110247.jpg
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Thu Jul 12, 2018 9:26 pm

I do see there is a mixup with SNMP for the traps, so it should be changed to 2 in the MikroTik config.
and 2c in Splunk
MikroTik-info	attributes	0	2C	192.168.1.1		0	1	0	
mikrotik
MikroTik
Enabled | Disable	Clone
SNMP-Trap-listner	traps	0	2C			0	0	0	
snmp-trap
MikroTik
Enabled | Disable	Clone
But it does not have anything to with your problem.

SNMP goes two way,

SNMP read, the one we use to get temperature etc. Splunk uses the MikroTik-info to asks Miktrotik for info.
SNMP-Trap-listner is used for when MiktroTik sends SNMP traps to Splunk (i have not used it, yet)

So it looks like your device does not support temperature. Try uptime:
snmpget -v2c -c public 192.168.1.1 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (480102100) 55 days, 13:37:01.00
It shows here 55 days uptime.

PS Click the Post Reply button and not the Quote button. I can read my own message. You have quoted in all your replays.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Thu Jul 12, 2018 11:11 pm

Ok sorry for Quote all your message.

I changed all the settings in my mikrotik and snmp-plugin in splunk for version 2c. And execute the command with this result.
snmpget -v2c -c public 192.168.1.1 .1.3.6.1.2.1.1.3.0
iso.3.6.1.2.1.1.3.0 = Timeticks: (23825500) 2 days, 18:10:55.00
and apparently I think my mikrotik does not support that oid. My mikrotik is RB951G-2HnD. What is your mikrotik?.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Fri Jul 13, 2018 8:46 am

Ahh that explains it.

I have two Mikrotik routers.

750G r3 do gives temperature, but
941-2nD does not give temperature

So not all units gives temperature.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Fri Jul 13, 2018 11:29 am

I am working on the Splunk app to handle multiple MikroTik routers.
If you now setup more units that sends information to Splunk, it needs to have multiple SNMP get lines.
Dashboards needs to have option to select what unit to look at.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
MSandoval
newbie
Posts: 26
Joined: Thu Mar 01, 2018 3:32 pm

Re: Using Splunk to analyse MikroTik logs

Tue Jul 17, 2018 4:04 pm

@Jotne

Thank you very much for all your time and knowledge. Again, I congratulate you on this project and I am waiting for your updates.
As I told you if you need to try something, you can contact me and let's try it. Thank you very much.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 1236
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs

Fri Jul 27, 2018 11:23 am

A new version 2.0 has been posted here:
viewtopic.php?f=2&t=137338
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 

Who is online

Users browsing this forum: Bing [Bot] and 52 guests