millenium7
Long time Member
Topic Author
Posts: 539
Joined: Wed Mar 16, 2016 6:12 am

Can I duplicate packets and send to 2 destinations?

Sun Feb 25, 2018 3:09 pm

Currently have a basic syslog server running that almost all devices in our network point to. I've spun up another syslog server and I want to test its functionality.
It's very easy to simply add a dst-nat rule to redirect packets to the new syslog server, however I want packets to go to BOTH syslog servers.

Is there a way via mangle or something else to send UDP/514 to 2 different destinations?
 
BartoszP
Forum Guru
Posts: 2880
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Can I duplicate packets and send to 2 destinations?

Sun Feb 25, 2018 5:13 pm

Look for port mirroring.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can I duplicate packets and send to 2 destinations?

Sun Feb 25, 2018 10:33 pm

> Currently have a basic syslog server running that almost all devices in our network point to. I've spun up another syslog server and I want to test its functionality
Or address the requirement at the source rather than looking for non-standard solutions:
  1. add another "action" pointing to the other syslog server:
    /system logging action add name=syslog-2 target=remote remote=ip.of.the.server src-address=your.local.ip remote-port=514 ...
  2. add a copy of each trigger you currently use to send messages to the primary syslog server, indicating the new action instead of the default "remote", e.g.:
    /system logging add topics=warning action=syslog-2
Done.
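Step 2 above, written out as an added RouterOS script that is not from the thread: it clones every existing logging rule that uses the default "remote" action so the same topics also feed the second action. The addresses 192.0.2.20 (new server) and 192.0.2.1 (this router's source address) and the action name syslog-2 are constructed placeholders.

```routeros
# Added example, not from the thread. Run once from a terminal or as a script.
# Assumed placeholders: 192.0.2.20 = new syslog server, 192.0.2.1 = router source IP.

# 1. Second remote action pointing at the new syslog server (UDP/514).
/system logging action add name=syslog-2 target=remote remote=192.0.2.20 \
    remote-port=514 src-address=192.0.2.1

# 2. For every rule that currently feeds the default "remote" action,
#    add a twin rule with the same topics and prefix that feeds syslog-2.
:foreach rule in=[/system logging find action=remote] do={
    :local t [/system logging get $rule topics]
    :local p [/system logging get $rule prefix]
    /system logging add topics=$t prefix=$p action=syslog-2
    :log info ("syslog-2: duplicated logging rule for topics " . [:tostr $t])
}

# 3. Verify: both servers should now appear, and rule counts should match.
/system logging action print where target=remote
/system logging print where action=remote
/system logging print where action=syslog-2
```

Once the new server is accepted, the twin rules can be removed with /system logging remove [find action=syslog-2] and the primary action's remote address changed instead.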
 
millenium7
Long time Member
Topic Author
Posts: 539
Joined: Wed Mar 16, 2016 6:12 am

Re: Can I duplicate packets and send to 2 destinations?

Mon Feb 26, 2018 5:33 am

There are hundreds and hundreds of devices that point to this Syslog server, and most of them only support a single entry. Logging into them to change it is simply not an option (only about 5% are MikroTik devices).
If we had finalized a new syslog server I would just dst-nat the packets, simple. But we haven't and I'm testing syslog viability on the new software first, hence I want the duplication not a full hand over.

Ideally I'd want a more elegant solution than port mirroring. My understanding is the only way for port mirroring to work is for me to have 2 routers at the entry point to the existing Syslog server.

Normal router receives packets, and normally forwards to the syslog server in the same subnet - it's a bridge but let's just say port 4. I'm guessing the procedure would have to be....
- Port mirroring on port 4 to port 5 as the destination
- Then I would need another router connected to port 5
- New router has a dst-nat rule: All packets matching the IP of the existing syslog server at UDP/514. dst-nat to new syslog server
- New router sends back to old router. Old router forwards on to the new syslog server (externally hosted, not same subnet)
I imagine this should give me the result I'm looking for?

Ideally though I'd like to do all of this on the existing router if that's possible. Can I do port mirroring as well as have the dst-nat rules accomplish the same thing on just 1 router? The destination port would be down (nothing plugged into it) so would that cause the first issue? And if not, will it port mirror first and then apply firewall chain?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Can I duplicate packets and send to 2 destinations?

Mon Feb 26, 2018 9:58 am

> There are hundreds and hundreds of devices that point to this Syslog server, and most of them only support a single entry. Logging into them to change it is simply not an option (only about 5% are mikrotik devices)
I've started suspecting that after re-reading your original post but decided to keep my suggestion should anyone else find it useful.
> Ideally i'd want a more elegant solution than port mirroring. My understanding is the only way for port mirroring to work is for me to have 2 routers at the entry point to the existing Syslog server
> ...
> Ideally though i'd like to do all of this on the existing router if that's possible. Can I do port mirroring as well as have the dst-nat rules accomplish the same thing on just 1 router? The destination port would be down (nothing plugged into it) so would that cause the first issue? And if not, will it port mirror first and then apply firewall chain?
You can do that on a single box if you put it right in front of the original server and if the packets for the original server pass through it on L2, i.e. if you "insert the box into the cable between the original server and the rest of its subnet". The reason is that you have to use the switch to do the forking itself and you have to keep the primary path away from the CPU. Let's say you have the old server connected to ether5 and the traffic for it comes through ether4. Then, you must configure ether4 and ether5 as ports of the same bridge and make hw-offload=yes only on this bridge (if using ROS 6.41 and above), or make one of (ether4, ether5) a "slave" of the other one (if using ROS up to 6.40.x). This way, frames between ether4 and ether5 are forwarded by the switch chip alone. Next, you configure port mirroring on the switch, with Mirror Source set to ether4 and Mirror Target set to CPU. So frames which the switch would normally only forward to ether5 will also be sent to the CPU, and there the dst-nat rule can match on them and send them elsewhere, even using L3. But the CPU will also receive anything else which comes in via ether4, so your life will be much easier if everything coming in via ether4 is only for the old server, so you can safely trash the copy of it you receive on the CPU except the syslog packets.

If you need the same MikroTik to also do routing for some of the syslog packets, theoretically there is a chance that you could create two bridges and connect a port of one of them to a port of the other one, but I have never practically tried it, so the switch chip may disagree loudly. If you need to dive deeper into this idea, say so :-)

Both sniff-pc and sniff-tzsp actions in "/ip firewall mangle" rules add extra headers to the packets which cannot be stripped by Mikrotik itself.
