rajeshrouthu
newbie
Topic Author
Posts: 40
Joined: Sun Jun 22, 2008 10:30 am

Remote Syslog Issue in CCR1036 & 450G

Wed Nov 19, 2014 8:18 pm

Hi All,

We have around 50+ MikroTik NAS boxes, and we log all the firewall logs to our centralized Kiwi Syslog Server machine, but 2 machines are not sending the data to the remote syslog server, while storing to disk is fine. I have tried a lot, but with no use. If anyone is interested in resolving my issue, I'll share the details.

Regards,
Raj
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: Remote Syslog Issue in CCR1036 & 450G

Thu Nov 20, 2014 9:00 am

Show from a working router the results of /system syslog export.

Show from a non-working router the results of /system syslog export.

Ensure the IP addresses from both routers are permitted to talk to the Kiwi server on the syslog port.
 
rajeshrouthu
newbie
Topic Author
Posts: 40
Joined: Sun Jun 22, 2008 10:30 am

Re: Remote Syslog Issue in CCR1036 & 450G

Thu Nov 20, 2014 3:06 pm

ip firewall filter> pr
chain=forward action=log connection-state=new protocol=tcp in-interface=LAN log=no log-prefix=""

system logging> pr
Flags: X - disabled, I - invalid, * - default
 #     TOPICS           ACTION    PREFIX
 0   * info,!firewall   disk
 1   * error            memory
 2   * warning          memory
 3   * critical         echo
 4     firewall         remote
 5     e-mail           memory

system logging action> pr
Flags: * - default
 #     NAME      TARGET    REMOTE
 0   * memory    memory
 1   * disk      disk
 2   * echo      echo
 3   * remote    remote    202.133.XX.XX

Same configuration in non working syslog also.

Rajesh R

Regards,
Raj
 
NathanA
Forum Veteran
Posts: 801
Joined: Tue Aug 03, 2004 9:01 am

Re: Remote Syslog Issue in CCR1036 & 450G

Fri Nov 21, 2014 3:00 am

Same configuration in non working syslog also.
Right. Now finish your response to lambert by performing the last task that he advised you to do:
Ensure the IP addresses from both routers are permitted to talk to the Kiwi server on the syslog port.
Can you ping the 202.133.XX.XX IP from the two routers that do not seem to be logging anything to the syslog server?

Are all routers -- working and not working -- running the same version of RouterOS?

-- Nathan
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: Remote Syslog Issue in CCR1036 & 450G

Fri Nov 21, 2014 6:12 am

Actually, he didn't follow instructions at all... I asked for exports in case there is something set or unset which is one of the many RouterOS configuration parameters that do not show in the results of a print command.

Also, I guess we are supposed to take his word for it that the non-working router's results are exactly the same. The whole point is to show the "equal" results to others so that they can see what you have been staring at for too long to see for yourself.

If you don't want to show me the configs at least show me the results of "diff -u configA configB". All other claims are suspect. That is often the only way I see the mistakes in my configs.
 
rajeshrouthu
newbie
Topic Author
Posts: 40
Joined: Sun Jun 22, 2008 10:30 am

Re: Remote Syslog Issue in CCR1036 & 450G

Fri Nov 21, 2014 9:45 am

Yes, I am able to ping from both routers, and from the Kiwi syslog server to the routers also. I even tried to upgrade and downgrade the versions, but the same issue repeated.
Check out the images and .rsc of non-working and working.
(two screenshots attached)

.rsc
http://202.133.57.81/images/syslognotworking.rsc
http://202.133.57.81/images/syslogworking.rsc

Regards,
Raj
 
lambert
Long time Member
Posts: 533
Joined: Fri Jul 23, 2010 1:09 am

Re: Remote Syslog Issue in CCR1036 & 450G

Mon Nov 24, 2014 11:22 pm

Yes, I am able to ping from both routers, and from the Kiwi syslog server to the routers also. I even tried to upgrade and downgrade the versions, but the same issue repeated.
Check out the images and .rsc of non-working and working.
Please, do not make gratuitous changes such as changing the version of RouterOS. Let us debug this using scientific methods.

The working and non-working devices' remote "system logging action" settings are not identical PLUS they apparently source their syslog traffic from completely different /8s.

You actually have a lot of gratuitous differences between the working and non-working routers. However, only the remote syslog logging action is likely to have a chance of being the culprit.
 diff -u syslogworking.rsc syslognotworking.rsc            14:19:58
--- syslogworking.rsc   2014-11-21 01:42:04.000000000 -0600
+++ syslognotworking.rsc        2014-11-21 01:23:14.000000000 -0600
@@ -1,11 +1,10 @@
 #
 /system logging action
-set 0 memory-lines=100
-set 1 disk-lines-per-file=100
-set 3 remote=202.133.57.80
+set 1 disk-file-name=""
+set 2 remember=yes
+set 3 remote=202.133.57.80 syslog-facility=syslog
 /system logging
 set 0 action=disk topics=info,!firewall
 add action=remote topics=firewall
-add topics=e-mail
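Review bot: the only changed line in this hunk that can affect remote logging is `set 3`, where the non-working export adds `syslog-facility=syslog` to an action that otherwise points at the same collector (`remote=202.133.57.80`) on both sides; the other changed lines (`memory-lines=100`, `disk-lines-per-file=100`, `disk-file-name=""`, `remember=yes` on the echo action, the dropped `add topics=e-mail`) touch the memory, disk and echo targets only and can be set aside. Neither side shows `src-address` or `bsd-syslog` on `set 3`, and a plain `/export` omits parameters left at their defaults, so this diff cannot show which source IP each router is actually putting on the datagrams; compare `/export verbose` output instead, or run `/tool sniffer quick port=514` on the non-working router while a firewall log line is generated and read the source address off the wire. If, as suspected below, the facility is only encoded when `bsd-syslog=yes`, the `syslog-facility=syslog` difference is a no-op here and the source address is the stronger lead. Also, the first context line is a bare `#`, so the export header comment that normally records the RouterOS version has been trimmed, and the version question raised earlier in the thread cannot be settled from this diff.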
On the not working version, you have specified "syslog-facility=syslog". The working version is using the default "syslog-facility=daemon".

I do not know if the syslog facility takes effect when you have not checked the "bsd-syslog" box. I log to a BSD syslog server rather than Kiwi, so I enable the BSD syslog option on my devices.

Based on that, I would say the first step is to set your non-working system's syslog-facility to "daemon". Whether or not that is a problem may depend on your Kiwi config. Kiwi could, theoretically, be set to ignore the "syslog" facility tagged log entries.

The second step is to make certain that Kiwi and the Windows firewall, and any other firewalls between the non-working device and the syslog server, are configured to allow UDP traffic on port 514 from your non-working system, 175.101.X.X. Are there any working devices in the 175.101.X.X network?

You are apparently permitting UDP traffic on port 514 from your working system, 202.133.Y.Y, in Kiwi and the Windows firewall and all other firewalls between the working device and the syslog server. Are there any non-working devices in the 202.133.Y.Y network?

You may want to set your syslog source address on the non-working system so that you will know that it is not accidentally sourcing the traffic from a different non-allowed IP on the non-working system. MikroTik's syslog client will choose to use the "closest" IP to the syslog server, if you do not explicitly set the source address.
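The two checks above (does the collector see the facility you think it does, and which source IP does the datagram really carry) can be rehearsed from a host beside the non-working router before touching Kiwi. The following is an added example, not code from the thread or from MikroTik: it builds a BSD-style syslog datagram the way a RouterOS remote action with bsd-syslog=yes would, optionally pins the source address (the analogue of src-address), and parses what a throwaway loopback listener receives. The facility table is RFC 3164; the hostname, tag and firewall log text are constructed for the example.

```python
"""
Loopback syslog probe: emit a <PRI>-prefixed datagram, optionally bound to a
chosen source address, and report what the "collector" side received.
Everything runs against 127.0.0.1; point collector/source at Kiwi and the
router's public IP for a real test from a host on the router's subnet.
"""
import socket
from typing import Dict, Optional, Tuple

# RFC 3164 facility codes. RouterOS defaults to "daemon"; the non-working
# router in the thread had "syslog".
FACILITIES: Dict[str, int] = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES: Dict[str, int] = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITIES.items()}

# Constructed sample of a RouterOS firewall log line (not captured from a device).
SAMPLE_TEXT = "forward: in:LAN out:WAN, proto TCP (SYN), 10.0.0.5:51234->203.0.113.10:443"


def build_pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity (RFC 3164 section 4.1.1)."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_bsd_message(facility: str, severity: str, hostname: str, tag: str, text: str) -> bytes:
    """Minimal BSD syslog line: <PRI>HOSTNAME TAG: TEXT. The timestamp is
    omitted; collectors such as Kiwi stamp arrival time themselves."""
    return f"<{build_pri(facility, severity)}>{hostname} {tag}: {text}".encode("ascii", "replace")


def parse_pri(datagram: bytes) -> Tuple[str, str, str]:
    """Split a received datagram into (facility name, severity name, remainder).
    This is what a collector's facility filter acts on."""
    if not datagram.startswith(b"<"):
        raise ValueError("no PRI header")
    end = datagram.index(b">")
    pri = int(datagram[1:end])
    return FACILITY_NAMES[pri // 8], SEVERITY_NAMES[pri % 8], datagram[end + 1:].decode("ascii", "replace")


def send_syslog(collector: Tuple[str, int], payload: bytes, src_address: Optional[str] = None) -> None:
    """Send one UDP datagram. src_address plays the role of RouterOS's
    src-address on the remote logging action; with None, the OS picks the
    interface address closest to the collector, which is the behaviour that
    lets a multi-homed router source from an IP the collector does not allow."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if src_address is not None:
            s.bind((src_address, 0))
        s.sendto(payload, collector)


def probe(collector_ip: str, facility: str, src_address: Optional[str] = None,
          text: str = SAMPLE_TEXT) -> Dict[str, str]:
    """Stand up a throwaway UDP listener on collector_ip (acting as the
    collector), send one message to it and report what arrived and from
    which source IP. Raises socket.timeout if nothing arrives within 2 s,
    which is exactly the symptom a blocked source address produces."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind((collector_ip, 0))
        rx.settimeout(2.0)
        collector = rx.getsockname()[:2]
        send_syslog(collector, build_bsd_message(facility, "info", "router-a", "firewall", text), src_address)
        data, (peer_ip, _) = rx.recvfrom(2048)
    fac, sev, body = parse_pri(data)
    return {"facility": fac, "severity": sev, "source_ip": peer_ip, "body": body}


if __name__ == "__main__":
    for fac in ("daemon", "syslog"):
        print(fac, probe("127.0.0.1", fac, src_address="127.0.0.1"))
```

To test the path to Kiwi itself, call `send_syslog((kiwi_ip, 514), build_bsd_message("daemon", "info", "test", "probe", "hello"), src_address=router_side_ip)` from a machine that holds an address in the non-working router's network and watch whether Kiwi displays it; if Kiwi shows the message with facility `syslog` filtered out but `daemon` accepted, the facility is the culprit, and if nothing arrives for either facility, the source network or an intermediate firewall is.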
 
rajeshrouthu
newbie
Topic Author
Posts: 40
Joined: Sun Jun 22, 2008 10:30 am

Re: Remote Syslog Issue in CCR1036 & 450G

Wed Nov 26, 2014 3:30 am

Thanks a lot, Lambert.

Now I have given a source address in Syslog > Remote, and now it is working fine in both (CCR & 450G). I didn't do any changes in the syslog facility either. The remaining routers, which are running the same and older versions, are also sending the data, even though I didn't give a src address on them.


Rajesh R

Regards,
Raj
