Jotne
Forum Guru
Topic Author
Posts: 1303
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

[6.42.1] DHCP does not send log to remote syslog

Sun May 06, 2018 1:00 pm

I have been using Splunk to analyse MikroTik logs for a long time.
But for some reason, not sure since when, DHCP does not send its log to the remote server.
DNS/Firewall/UPnP etc. send their logs to the remote server.

I can see logs from all the other modules on the remote server, but not DHCP.

If I just set DHCP to log to memory, it looks OK:
11:46:53 dhcp,debug,packet DHCP-vlan1-Home sending offer with id 3081862081 to 10.10.10.128 
11:46:53 dhcp,debug,packet     ciaddr = 0.0.0.0 
11:46:53 dhcp,debug,packet     yiaddr = 10.10.10.128 
11:46:53 dhcp,debug,packet     siaddr = 10.10.10.1 
11:46:53 dhcp,debug,packet     chaddr = 10:0B:A9:1E:5D:DC 
11:46:53 dhcp,debug,packet     Msg-Type = offer 
11:46:53 dhcp,debug,packet     Server-Id = 10.10.10.1 
11:46:53 dhcp,debug,packet     Address-Time = 31536000 
11:46:53 dhcp,debug,packet     Subnet-Mask = 255.255.255.0 
11:46:53 dhcp,debug,packet     Router = 10.10.10.1 
11:46:53 dhcp,debug,packet     Domain-Server = 10.10.10.1 
11:46:53 dhcp,debug,packet DHCP-vlan1-Home received request with id 3081862081 from 0.0.0.0 
11:46:53 dhcp,debug,packet     ciaddr = 0.0.0.0 
11:46:53 dhcp,debug,packet     chaddr = 10:0B:A9:1E:5D:DC 
11:46:53 dhcp,debug,packet     Msg-Type = request 
11:46:53 dhcp,debug,packet     Client-Id = 01-10-0B-A9-1E-5D-DC 
11:46:53 dhcp,debug,packet     Address-Request = 10.10.10.128 
11:46:53 dhcp,debug,packet     Server-Id = 10.10.10.1 
11:46:53 dhcp,debug,packet     Host-Name = "HE131451-Isabel" 
11:46:53 dhcp,debug,packet     Client-FQDN = 00-00-00-48-45-31-33-31-34-35-31-2D-49-73-61-62-65-6C 
11:46:53 dhcp,debug,packet     Class-Id = "MSFT 5.0" 
11:46:53 dhcp,debug,packet     Parameter-List = Subnet-Mask,Router,Domain-Server,Domain-Name,Router-Discovery,Static-Route,Vendor-Specific,NETBIOS-Name-Server,NETBIOS-Node-Type,NETBIOS-Scope,Classless-Route,MS-Classless-Route,Auto-Proxy-Config
11:46:53 dhcp,info DHCP-vlan1-Home assigned 10.10.10.128 to 10:0B:A9:1E:5D:DC 
11:46:53 dhcp,debug,packet DHCP-vlan1-Home sending ack with id 3081862081 to 10.10.10.128 
11:46:53 dhcp,debug,packet     ciaddr = 0.0.0.0 
11:46:53 dhcp,debug,packet     yiaddr = 10.10.10.128 
11:46:53 dhcp,debug,packet     siaddr = 10.10.10.1 
11:46:53 dhcp,debug,packet     chaddr = 10:0B:A9:1E:5D:DC 
11:46:53 dhcp,debug,packet     Msg-Type = ack 
11:46:53 dhcp,debug,packet     Server-Id = 10.10.10.1 
11:46:53 dhcp,debug,packet     Address-Time = 31536000 
11:46:53 dhcp,debug,packet     Subnet-Mask = 255.255.255.0 
11:46:53 dhcp,debug,packet     Router = 10.10.10.1 
11:46:53 dhcp,debug,packet     Domain-Server = 10.10.10.1
If I change to remote, no DHCP info is logged to remote server.

To test, log to memory, then change to remote syslog and compare result.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
dynek
Member Candidate
Posts: 193
Joined: Tue Jan 21, 2014 10:03 pm

Re: [6.42.1] DHCP does not send log to remote syslog

Tue May 08, 2018 9:13 am

I just tested it on 6.42.1 (remote for dhcp) and I do see logs coming in (syslog)
 
Chupaka
Forum Guru
Posts: 8309
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: [6.42.1] DHCP does not send log to remote syslog

Tue May 08, 2018 10:38 am

Where's your logging config?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Zetera
Frequent Visitor
Posts: 52
Joined: Sat Apr 21, 2018 6:57 pm

Re: [6.42.1] DHCP does not send log to remote syslog

Wed May 09, 2018 1:47 am

Hey Chupaka. I would really appreciate your help on a script I was trying to run. I made a topic in the script topic for the forums. Please help!
 
Jotne

Re: [6.42.1] DHCP does not send log to remote syslog

Wed May 09, 2018 10:32 pm

OK.

I think I found that something has changed in the logging.
Here is what I would like to get:

All from DHCP and Hotspot (including Debug)
All the rest that is not Debug

So these worked before: (Varg is my remote server)
 4    topics=dhcp,hotspot prefix="MikroTik" action=Varg
 5    topics=!debug prefix="MikroTik" action=Varg
It is this that gives the problems: topics=dhcp,hotspot

These solve the problem:
 4    topics=dhcp prefix="MikroTik" action=Varg 
 5    topics=hotspot prefix="MikroTik" action=Varg 
 6    topics=!debug prefix="MikroTik" action=Varg
Zetera wrote:
> Hey Chupaka. I would really appreciate your help on a script I was trying to run. I made a topic in the script topic for the forums. Please help!

How is this related to my post?
 
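A small model of the rule matching that would explain the behaviour described in the post above, added here as an example (not code from the thread or from MikroTik). It assumes a comma-separated topics list matches only messages that carry every listed topic and none of the `!`-negated ones; the rule numbers and topics are the ones quoted in the post, the message topic sets are constructed.

```python
# Logging rules as printed in the post (rule number -> topics), before and after.
BEFORE = {4: "dhcp,hotspot", 5: "!debug"}
AFTER = {4: "dhcp", 5: "hotspot", 6: "!debug"}

# Constructed topic sets, written the way they prefix the log lines in this thread.
MESSAGES = ["dhcp,debug,packet", "dhcp,info", "hotspot,debug", "firewall,info"]


def rule_matches(rule_topics, msg_topics):
    """Assumed semantics: comma means AND, a leading '!' excludes a topic."""
    msg = set(msg_topics.split(","))
    for topic in rule_topics.split(","):
        if topic.startswith("!"):
            if topic[1:] in msg:
                return False
        elif topic not in msg:
            return False
    return True


def coverage(rules):
    """Map each sample message to the rule numbers that would forward it."""
    return {
        m: [n for n, t in sorted(rules.items()) if rule_matches(t, m)]
        for m in MESSAGES
    }


def unrouted(rules):
    """Message classes no rule forwards: a silent gap at the remote collector."""
    return [m for m, hits in coverage(rules).items() if not hits]


if __name__ == "__main__":
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, coverage(rules), "unrouted:", unrouted(rules))
```

Under that assumption the single `dhcp,hotspot` rule forwards nothing, because no message carries both topics, while the non-debug lines still leave through `!debug`.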
 
 
Jotne

Re: [6.42.1] DHCP does not send log to remote syslog

Thu May 10, 2018 8:43 am

Here is why I need the DHCP debug and not just the info field.

This is what is logged as info:
dhcp,info MikroTik: DHCP-vlan1-Home deassigned 10.10.10.134 from 84:A4:66:52:A1:FE
dhcp,info MikroTik: DHCP-vlan1-Home deassigned 10.10.10.132 from D0:E7:82:D6:71:B5
dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.116 to 70:70:0D:5C:91:FA
Here is what it looks like when getting debug and using Splunk to do some DNS lookups as well:
_time			Host_Name			src_host		chaddr			yiaddr		Address_Request	Class_Id
2018-05-10 07:21:29	H****944			pc-he163944-**-wifi	E4:A4:71:04:7F:8B	10.10.10.129	10.10.10.129	MSFT 5.0
2018-05-10 07:19:53	Chromecast			dev-chromecast-**	D0:E7:82:D6:71:B5	10.10.10.132	10.10.10.132	dhcpcd-5.2.10:Linux-3.8.13+:armv7l:MV88DE3108
2018-05-10 05:02:42	HUAWEI_Mate_10_Pro-5c515a	tlf-huawaip10-**	BC:3D:85:2F:71:32	10.10.10.202	10.10.10.202	HUAWEI:android:BLA
2018-05-10 01:39:04	HE131451-I****			pc-he131451-i****	10:0B:A9:1E:5D:DC	10.10.10.128	10.10.10.128	MSFT 5.0
Host_Name is the name the DHCP server sees from the client.
src_host is a lookup at the DNS server.
So if I could get the Host_Name just using info, it would be nice.
Example:
dhcp,info MikroTik: DHCP-vlan1-Home deassigned 10.10.10.132 from D0:E7:82:D6:71:B5 host dev-chromecast-**
Last edited by Jotne on Thu May 10, 2018 9:06 am, edited 2 times in total.
 
Jotne

Re: [6.42.1] DHCP does not send log to remote syslog

Thu May 10, 2018 8:58 am

Also it would be nice if MikroTik removed the extra spaces in the log, so it goes from this:
dhcp,debug,packet MikroTik: DHCP-vlan1-Home received request with id 3988783859 from 0.0.0.0
dhcp,debug,packet MikroTik:     secs = 1
dhcp,debug,packet MikroTik:     ciaddr = 0.0.0.0
dhcp,debug,packet MikroTik:     chaddr = D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type = request
dhcp,debug,packet MikroTik:     Address-Request = 10.10.10.132
dhcp,debug,packet MikroTik:     Server-Id = 10.10.10.1
dhcp,debug,packet MikroTik:     Max-DHCP-Message-Size = 1500
dhcp,debug,packet MikroTik:     Class-Id = "dhcpcd-5.2.10:Linux-3.8.13+:armv7l:MV88DE3108"
dhcp,debug,packet MikroTik:     Host-Name = "Chromecast"
dhcp,debug,packet MikroTik:     Parameter-List = Subnet-Mask,Static-Route,Router,Domain-Server,Domain-Name,Broadcast-Address,Address-Time,Renewal-Time,Rebinding-Time
dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.132 to D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik: DHCP-vlan1-Home sending ack with id 3988783859 to 10.10.10.132
dhcp,debug,packet MikroTik:     ciaddr = 0.0.0.0
dhcp,debug,packet MikroTik:     yiaddr = 10.10.10.132
dhcp,debug,packet MikroTik:     siaddr = 10.10.10.1
dhcp,debug,packet MikroTik:     chaddr = D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type = ack
dhcp,debug,packet MikroTik:     Server-Id = 10.10.10.1
dhcp,debug,packet MikroTik:     Address-Time = 31536000
dhcp,debug,packet MikroTik:     Subnet-Mask = 255.255.255.0
dhcp,debug,packet MikroTik:     Router = 10.10.10.1
dhcp,debug,packet MikroTik:     Domain-Server = 10.10.10.1
To this:
dhcp,debug,packet MikroTik: DHCP-vlan1-Home received request with id 3988783859 from 0.0.0.0
dhcp,debug,packet MikroTik:     secs=1
dhcp,debug,packet MikroTik:     ciaddr=0.0.0.0
dhcp,debug,packet MikroTik:     chaddr=D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type=request
dhcp,debug,packet MikroTik:     Address-Request=10.10.10.132
dhcp,debug,packet MikroTik:     Server-Id=10.10.10.1
dhcp,debug,packet MikroTik:     Max-DHCP-Message-Size=1500
dhcp,debug,packet MikroTik:     Class-Id="dhcpcd-5.2.10:Linux-3.8.13+:armv7l:MV88DE3108"
dhcp,debug,packet MikroTik:     Host-Name="Chromecast"
dhcp,debug,packet MikroTik:     Parameter-List=Subnet-Mask,Static-Route,Router,Domain-Server,Domain-Name,Broadcast-Address,Address-Time,Renewal-Time,Rebinding-Time
dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.132 to D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik: DHCP-vlan1-Home sending ack with id 3988783859 to 10.10.10.132
dhcp,debug,packet MikroTik:     ciaddr=0.0.0.0
dhcp,debug,packet MikroTik:     yiaddr=10.10.10.132
dhcp,debug,packet MikroTik:     siaddr=10.10.10.1
dhcp,debug,packet MikroTik:     chaddr=D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Msg-Type=ack
dhcp,debug,packet MikroTik:     Server-Id=10.10.10.1
dhcp,debug,packet MikroTik:     Address-Time=31536000
dhcp,debug,packet MikroTik:     Subnet-Mask=255.255.255.0
dhcp,debug,packet MikroTik:     Router=10.10.10.1
dhcp,debug,packet MikroTik:     Domain-Server=10.10.10.1
Then Splunk would extract all the fields automatically.
 
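A collector-side parser for the `dhcp,debug,packet` lines discussed in the last two posts, added here as an example (not code from the thread, from Splunk or from MikroTik). It accepts both `key = value` and `key=value`, and joins the request's Host-Name and Class-Id with the acked address to give one row per lease; the function names and the sample are constructed for illustration.

```python
import re

# Constructed sample built from lines quoted in the thread; it mixes the
# current "key = value" spacing with the requested "key=value" form.
SAMPLE = """\
dhcp,debug,packet MikroTik: DHCP-vlan1-Home received request with id 3988783859 from 0.0.0.0
dhcp,debug,packet MikroTik:     chaddr = D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik:     Class-Id = "dhcpcd-5.2.10:Linux-3.8.13+:armv7l:MV88DE3108"
dhcp,debug,packet MikroTik:     Host-Name = "Chromecast"
dhcp,info MikroTik: DHCP-vlan1-Home assigned 10.10.10.132 to D0:E7:82:D6:71:B5
dhcp,debug,packet MikroTik: DHCP-vlan1-Home sending ack with id 3988783859 to 10.10.10.132
dhcp,debug,packet MikroTik:     yiaddr=10.10.10.132
dhcp,debug,packet MikroTik:     chaddr=D0:E7:82:D6:71:B5
"""

# Optional leading timestamp (memory log) and optional "prefix: " (remote syslog).
TOPIC = r"^(?:\d\d:\d\d:\d\d )?dhcp,debug,packet (?:\S+: )?"
HEADER = re.compile(TOPIC + r"(\S+) (received|sending) (\S+) with id (\d+) (?:from|to) (\S+)\s*$")
OPTION = re.compile(TOPIC + r"\s+([\w-]+)\s*=\s*(.*?)\s*$")
WANTED = ("chaddr", "yiaddr", "Host_Name", "Class_Id")


def parse_packets(lines):
    """Group each header line with the indented option lines that follow it."""
    packets, cur = [], None
    for line in lines:
        h, o = HEADER.match(line), OPTION.match(line)
        if h:
            cur = {"server": h[1], "type": h[3], "xid": h[4], "peer": h[5]}
            packets.append(cur)
        elif o and cur is not None:
            cur[o[1].replace("-", "_")] = o[2].strip('"')  # client-supplied text
        else:
            cur = None  # any other line ends the packet; do not guess ownership
    return packets


def lease_inventory(packets):
    """One row per acked lease, joined on (transaction id, client MAC)."""
    merged, acked = {}, set()
    for p in packets:
        key = (p["xid"], p.get("chaddr"))
        merged.setdefault(key, {}).update({k: p[k] for k in WANTED if k in p})
        if p["type"] == "ack":
            acked.add(key)
    return [row for key, row in merged.items() if key in acked]
```

Option lines carry no transaction id of their own, so the grouping relies on lines arriving in order and will mis-group packets whose lines interleave at the collector.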
 
