I havent locked down the router yet as we are still testing and the site is not a site that really needs to be secured yet.
Great. So you don't mind if your ISP cuts you off the internet? Because that's what shall happen if some device on that site (possibly the Mikrotik itself) gets infected and starts attacking other devices to further spread the malware, or sending spam, or participating in DDoS attacks - whatever its new remote administrator decides to order it to do. Or you may find yourself mining crypto-currencies for someone else while you pay the electricity bill.
if the log shows entries like this, but doesnt show an authentication failure, what are they? Are they log in attempts? If it shows tcp established, but no authentication success or failure, what does that tell me? Could that just come from a port scan?
07:09:58 pptp,info TCP connection established from 164.52.6.146
07:09:58 pptp,info TCP connection established from 164.52.6.146
07:10:01 pptp,info TCP connection established from 164.52.6.146
A port scan doesn't seem likely to me as pptp listens at a single port and the connections come from the same IP address within a short window of time. I'd rather expect something to try to break in using some vulnerability which permits to bypass authentication, which may not exist on Mikrotik or may be unknown. Recording that traffic into a file using
and then inspecting the record using Wireshark or other packet analyzer is the only way to find out what is actually happening.