Tool: Using Splunk to analyse MikroTik logs 2.8 (Graphing everything)

Jotne · Fri Jul 27, 2018 11:23 am

Version 2.8 07.12.2019

Top_logo.jpg

Using Splunk to monitor and graph various data from our MikroTik Routers is a nice and free way to help you showing what is going on in your network.
Splunk is free to use for logging up to 500MB pr day.

It can be used to monitor multiple devices. No ports needs to be opened (like with SNMP monitoring). All data are sent from the device to the Splunk monitor. Devices could be all around the world.

PS:
Traffic monitoring does not work correctly while fast track is enabled. Turn it off and you may loose throughput, so its something you should think about when using this type of monitoring. How to disable it: https://www.youtube.com/watch?v=6LaqhDm6PHI

What's new
A lot have changed since previous version. So much that its better to replace all MikroTik files in the Splunk server instead of trying to update files.
Before data was collected in three ways.
1. Syslog
2. SNMP
3. Scripts (remote)
Problem with SNMP is that you have to add duplicate configuration in Syslog to handle each box you monitor.
Problem with script is that you need to setup a job on the Splunk server that SSH inn to each box to get data.
The script tools did not log host IP, so you did not now from what box data was coming from.

SNMP and Scipts has been removed and change inn to local script on the Router that sends outs needed data to the Splunk using Syslog.
This way all data get correctly marked and you know for what Router you gets data from.

latest changes
# 2.8 (07.12.2019)
# Added interface changes
# Updated script to 2.7, added uncounted traffic and fastrack test, fixed when missing temperature
# Updated script to 2.8, fixed where system healt does not show anything (x86)
# Updated script to 2.9, get interface counters and you can also set modules true/false
# Updated script to 3.0, get CDP neigbhours
# Added new view "MikroTik Neighbor"
# Added uncounted packages to "MikroTik Traffic"
# Added board_name to "MikroTik Device List"
# Added Mikrotik interface Traffic"
# Fixed l2tp user extraction
# Fixed VPN when user info is missing
# Added access rule dropdown to "Live attack"
# Added some color and more field to "DHCP Request"
# Fixed Span and removed time scal "System Changes"
# Fixed missing mac in "Admin Conection"
# Added more lines and color in "DHCP request"
# Added output color in "Firewall Rules"
# Added rule menu to "Live attack"
# Added "DATETIME_CONFIG = CURRENT" to props.conf

Installation
1) On your PC (Windows/Linux)
-----------------------------------
1a) Download and install Splunk (Windows or Linux(recommended))
PS you need an account to download. It's free to create.
https://www.splunk.com/en_us/download/s ... prise.html
PS you need to create an account to download the file. Free to download and use (up to 500MB/day)

1b) PS: To install Splunk as a non root user, look here: viewtopic.php?p=677233#p677233
Splunk can fine run as root user, but not recommended.

1c) Change to free license group. Very important to do before 30 day of use. !!!!!!!!!!!!!!!!!!!!
Web gui:
1d) Settings->licensing->Change license group->Free licnse->Save

1e) Open Windows Firewall for UDP on Windows (On linux its not blocked)
Web gui:
Start->type "adv"->Select:Widows Firewall with Advanced Security->Sect Inbound rules->Right Click "Inbound Rules">New Rule-Port-Next->UDP->Specific local ports->514->Next->Next->Next->Name "syslog"

1f) Allow UDP 514 (syslog)
Web gui:
Setting->Datainputs->Add new (behind the UDP)->Port 514->Next->Sourcetype type syslog and select syslog->Next-Submit

1g) Download the Splunk spl file:

MikroTik2.8.spl.zip

1h) Extract the spl file
From Start page in Splunk, click the gear behind Apps or
from top meny click Apps->Manage Apps
Then select Install app from file and select the spl file

1i) A restart of Splunk may be needed.
Web gui:
Settings->Server controls->Restart Splunk

1j) Upgrade form previous version.
Since no files are renamed, just data added, you should be fine by just replacing current files.
You can delete the MikroTik folder if you like. No logged data will be deleted.
If you have custom dashboards, menus, saved search (reports) etc, you need to merge the configuration files.

2) On Your MikroTik Router
-----------------------------
Before you setup logging, you should make an unique identifier of your route. Important if you have more than one router to monitor.

/system identity set name=Router-London-22

2a) Syslog
You need to make your Router able to send Syslog messages.
Web gui:
System->Logging->Action->Add New->Name (your server name)->Type:Remote->Remote Address:ip your syslog->Ok
Cli

/system logging action add name=logserver target=remote remote=192.168.1.50 remote-port=514

PS Do NOT select BSD Syslog. It will mess up the logging format.

2b) Then select what to log.
I do suggest that you send all DHCP logs including debug and all other logs that are not debug.
It is very important to name the prefix like this "MikroTik" and not "mikrotik" or some other.
Splunk uses the MikroTik prefix to find out what type of syslog data that is coming to it.
Uppercase T and uppercase M, rest are lowercase
Web gui:
System->Logging->Rules->Add new->Topics:dhcp->Prefix:MikroTik->action:your syslog server->Ok
System->Logging->Rules->Add new->Topics:!debug->Prefix:MikroTik->action:your syslog server->Ok
Cli:

/system logging add action=logserver prefix=MikroTik topics=dhcp
/system logging add action=logserver prefix=MikroTik topics=!debug
/system logging add action=logserver prefix=MikroTik topics=hotspot

PS Hotspot is not needed if you do not use it.

2c) Select what to log
NB Do not use more than 20 charters, or else it start to clip other part of the log!!!!!!!!!!!
To log the Firewall and Nat rules, you need to turn on logging and add Log Prefix (under action).
Do not log more than needed. Logging rules like defconf: accept established,related rules will flod your log,
Below is a sample on how to name the log rules. Do not need to follow this rule, but it makes it more uniform.

Rule name logging
==================

Format:
x_y_z

z=name/info

Example
-------
Filter Rule Forard allow HTTP
FF_A_Http

Filter Route Input Drop ICMP
FI_D_Icmp

Nat HTTP
ND_DE_Http

Mangle Mark HTTP packets
MF_MP_Http


Filter Rule
------------------
x=
FF Filter Forward
FI Filter Input
FO Filter Output
FX Filter Custom list

y=
A  Accept
AD Add to dst address list
AS Add to src address list
D  Dropp
F  Fast track
J  Jump
L  Log
P  Passthrough
RJ Reject
RT Return
T  Tarpit

Nat Rule
------------------
x=
ND Dest nat
NS Source nat

y=
A  Accept
AD Add to dst address list
AS Add to src address list
DE Dst-nat
J  Jump
L  Log
M  Masquerade
N  Netmap
P  Passthrough
RE Redirect
RT Return
SA same
S  Src-nat

Raw
------------------
x=
RP Filter Raw Prerouting
RO Filter Raw Output

y=
A  Accept
AD Add to dst address list
AS Add to src address list
F  Fast track
D  Dropp
J  Jump
L  Log
N  No track
P  Passthrough
RT Return

Mangle
------------------
x=
MF Mangle Forward
MI Mangle Input
MP Mangle Postrouing
MR Mangle Prerouting

y=
A  Accept
AD Add to address list
AS Add to dst address list
CD Change DSCP
CM Change MSS
CT Change TTL
CL Clear DF
F  Fast track
J  Jump
L  Log
MC Marc connection
MP Mark packets
MR Mark routing
P  Passthrough
RT Return
RO Route
S  Set proirity
SP Sniff PC
ST Sniff TZSP
SI Strip IPv4 options

2d) You should at least log this rule "defconf: drop all not coming from LAN" with this prefix: FI_D_port-test
Web gui:
IP->Firewall->selec:defconf: drop all not coming from LAN->Log:v->Log Prefix:FI_D_port-test
This will populate the MikroTik Live attack view.

2e) Accounting
To get accounting data, you need to enable it on the MikroTik router. (MikroTik Traffic dashboard)
Web gui:
IP-> Accounting -> Enable Accounting -> mark Threshould:2560 OK
Cli:

/ip accounting set enabled=yes threshold=2560

2f) Script
To get all the other data like Traffic accounting, uPnP, System health, System resources and DHCP pool information you need this script on the MikroTik. It need to be named: Data_to_Splunk_using_Syslog
I did prefer to list the script without all the newline code etc need for cut and past from CLI, så do use WinBox or Webgui to add the script.
In the top of the script, you can set a module to true/false. If you do not use wifi, set :local Wireless false


# Collect information from Mikrotik RouterOS
# v 3.2 Jotne 2019
# ----------------------------------


# What data to collect.  Set to false to skip the section 
# ----------------------------------
:local SystemResource true
:local SystemInformation true
:local SystemHealth true
:local TrafficData true
:local uPnP true
:local Wireless true
:local AddressLists true
:local DHCP true
:local Neighbor true
:local InterfaceData true

# Interface to get data from (using regex)
:local IF "ether.*"
# Example
# "ether.*" All ethernet interfaces
# "^ether[1-5]\$" Only ethernet 1 to 5
# ".*" All interfaces (Briges/VLAN/pptp/Ether ++)
# "ether(1|2)\$"  interface ethernet 1 and 2 (/$ needed to prevent ether11 etc)



# Collect system resource
# ----------------------------------
if ($SystemResource) do={
	:local cpuload ([/system resource get cpu-load])
	:local freemem ([/system resource get free-memory]/1048576)
	:local totmem ([/system resource get total-memory]/1048576)
	:local freehddspace ([/system resource get free-hdd-space]/1048576)
	:local totalhddspace ([/system resource get total-hdd-space]/1048576)
	:local up ([/system resource get uptime])
	:log info message="script=resource free_memory=$freemem MB total_memory=$totmem MB free_hdd_space=$freehddspace MB total_hdd_space=$totalhddspace MB cpu_load=$cpuload uptime=$up"
}


# Get traffic data (accounting data)
# ----------------------------------
if ($TrafficData) do={
# Test if fasttrack is enabled and give warning
	:if ([/ip firewall filter find where (action=fasttrack-connection && !disabled)] != "") do={
		:log info message=("script=traffic,fasttrack=1")
	} else={
		:log info message=("script=traffic,fasttrack=0")
	}
# Test if accounting is enabled and if yes, get data
	if ([/ip accounting get enabled]=yes) do={
		/ip accounting snapshot take
# Get uncounted data
		/ip accounting uncounted {
			:log info message=("script=uncounted,bytes=".[get bytes].",packets=".[get packets])}
# Send data to loggin server
		foreach logline in=[/ip accounting snapshot find] do={
			:local output "$[/ip accounting snapshot print as-value from=$logline]"
			:set ( "$output"->"script" ) "traffic"
			:log info message="$output"
		}
	}
}


# Get interface data
# ----------------------------------
if ($InterfaceData) do={
	:foreach interface in=[/interface find where name~"$IF"] do={
		:delay 100ms
		:local iname [/interface get $interface name]
		:local monitor [/interface monitor-traffic $interface as-value once]
		:local speedRX ($monitor->"rx-bits-per-second")
		:local speedTX ($monitor->"tx-bits-per-second")
		:log info message="script=monitor interface=$iname RX=$speedRX bps TX=$speedTX bps"
	}
}


# Finding dynmaic lines used in uPnP
# ----------------------------------
if ($uPnP) do={
	:foreach logline in=[/ip firewall nat find dynamic=yes] do={
		:local output "$[/ip firewall nat print as-value from=$logline]"
		:set ( "$output"->"script" ) "upnp"
		:log info message="$output" 
	}
}


# Collect system information
# ----------------------------------
if ($SystemInformation) do={
	:local version ([/system resource get version])
	:local board ([/system resource get board-name])
	:local model ([/system routerboard get model]);
	:local serial ([/system routerboard get serial-number])
	:local identity ([/system identity get name])
	:log info message="script=sysinfo version=\"$version\" board-name=\"$board\" model=\"$model\" serial=$serial identity=\"$identity\""
}


# Collect system health
# ----------------------------------
if ($SystemHealth) do={
	:if (([/system health get]~"state=disabled" || [/system health get]="")=false) do={
		:local voltage ([/system health get voltage]/10)
		:local temperature ([/system health get temperature])
		:log info message="script=health voltage=$voltage V temperature=$temperature C"
	}
}


# Sends wireless client data to log server
# ----------------------------------
if ($Wireless) do={
	:do {
		:if ([:len [/interface wireless find ]]>0) do={
			:foreach logline in=[/interface wireless registration-table find] do={
				:local output "$[/interface wireless registration-table print  as-value from=$logline]"
				:set ( "$output"->"script" ) "wifi"
				:log info message="$output"
			}
		}
	} on-error={}
}


# Count IP in address-lists
#----------------------------------
if ($AddressLists) do={
	:local array [ :toarray "" ]
	:local addrcntdyn [:toarray ""] 
	:local addrcntstat [:toarray ""] 
	:local test
	:foreach id in=[/ip firewall address-list find] do={
		:local rec [/ip firewall address-list get $id]
		:local listname ($rec->"list")
		:local listdynamic ($rec->"dynamic")
		:set ( $array->$listname ) 1
		if ($listdynamic = true) do={
			:set ($addrcntdyn->$listname) ($addrcntdyn->$listname+1)
		} else={
			:set ($addrcntstat->$listname) ($addrcntstat->$listname+1)}
	}
	:foreach k,v in=$array do={
		:log info message=("script=address_lists list=$k dynamic=".(($addrcntdyn->$k)+0)." static=".(($addrcntstat->$k)+0))}
}


# Get MNDP (CDP) Neighbors
# ----------------------------------
if ($Neighbor) do={
	:foreach neighborID in=[/ip neighbor find] do={
		:local nb [/ip neighbor get $neighborID]
		:foreach key,value in=$nb do={
			:local newline [:find $value "\n"]
			:if ([$newline]>0) do={
				:set $value [:pick $value 0 $newline]
			}
			:set ( "$nb"->"$key" ) "\"$value\""
		}
		:set ( "$nb"->"script" ) "\"neighbor\""
		:log info message="$nb"
	}
}


# Collect DHCP Pool information
# ----------------------------------
if ($DHCP) do={
	/ip pool {
		:local poolname
		:local pooladdresses
		:local poolused
		:local minaddress
		:local maxaddress
		:local findindex

# Iterate through IP Pools
		:foreach pool in=[find] do={
			:set poolname [get $pool name]
			:set pooladdresses 0
			:set poolused 0

# Iterate through current pool's IP ranges
			:foreach range in=[:toarray [get $pool range]] do={

# Get min and max addresses
				:set findindex [:find [:tostr $range] "-"]
				:if ([:len $findindex] > 0) do={
					:set minaddress [:pick [:tostr $range] 0 $findindex]
					:set maxaddress [:pick [:tostr $range] ($findindex + 1) [:len [:tostr $range]]]
				} else={
					:set minaddress [:tostr $range]
					:set maxaddress [:tostr $range]
				}

# Calculate number of ip in one range
				:set pooladdresses ($maxaddress - $minaddress)

# /foreach range
			}

# Test if pools is used in DHCP or VPN and show leases used
			:local dname [/ip dhcp-server find where address-pool=$poolname]
			:if ([:len $dname] = 0) do={
# No DHCP server found, assume VPN
				:set poolused [:len [used find pool=[:tostr $poolname]]]
			} else={
# DHCP server found, count leases
				:local dname [/ip dhcp-server get [find where address-pool=$poolname] name]
				:set poolused [:len [/ip dhcp-server lease find where server=$dname]]}

# Send data
			:log info message=("script=pool pool=$poolname used=$poolused total=$pooladdresses")

# /foreach pool
		}
# /ip pool
	}
}

2g) Then schedule the script to run every 5 minutes:

/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog

If you have problems or comments, please feel free to ask

Example screen shots:

DNS_Live_usage.jpg

Volt_Temperature.jpg

Resources.jpg

Live_attac.jpg

Jotne · Fri Jul 27, 2018 11:35 am

More screenshots

DHCP_pool_information.jpg

DHCP_request.jpg

Treaffic.jpg

Firewall_rules.jpg

DNS_request.jpg

Jotne · Fri Jul 27, 2018 11:36 am

Screenshot 2

Remote_connection.jpg

upnp.jpg

Uptime.jpg

Wifi_connection.jpg

MSandoval · Fri Jul 27, 2018 3:04 pm

Hi Jotne. Really is a Great Job, thank very much to share this new version. I'll try it and I'll update the post.

MSandoval · Sat Jul 28, 2018 6:35 pm

Hi Jotne.
Hi. I have three specific issues that happen to me when I mount the new version.
The first is a warning that issues when I start splunk in the props.conf configuration file. Attached image.

http://subirimagen.me/uploads/20180728073918.jpg

The second thing is that the MikroTik DNS Request module did not work for me, it did not show me any information. But I solved it by changing this in the query.

http://subirimagen.me/uploads/20180728101744.jpg
Make those changes and it worked correctly.

The third thing is that the MikroTik Traffic module worked partially because it does not bring me the information of "Percent data pr client". But I solved it by changing this in the query.

http://subirimagen.me/uploads/20180728102956.jpg

Make the following changes and it worked correctly.

http://subirimagen.me/uploads/20180728103102.jpg

Now everything I need is working correctly. Again congratulate you for the great job and especially for sharing it.

Jotne · Sun Jul 29, 2018 6:13 pm

Thanks MSandoval for testing and feedback.

I have updated to v2.1
It should correct hopefully all the errors in 2.0.
Error was du to some manual change I did make on my installation du to some fixed IP.
This has now been removed, so I do use the same files as I post

# 2.1
# Fixed typo in "MikroTik DNS request"
# Fixed wrong eval in "MikroTik Traffic"
# Removed search used localy in "MikroTik DNS Live usage"
# Removed not needed SED line from props.conf

MSandoval · Tue Jul 31, 2018 12:36 am

Testing all the modules, I realized that the MikroTik Wifi connection module was not working at all. Since I did not bring data from the Connected section, I only showed data in Disconnected.

http://subirimagen.me/uploads/20180730163143.jpg

What I found is that in the search criterion of eventtypes, it only searches if it connects with signal strength,

http://subirimagen.me/uploads/20180730160920.jpg

To show me more information what I did was create a new type of event that will look for me within the wireless module sent by syslog what will be connected.

http://subirimagen.me/uploads/20180730163417.jpg

Then, edit the criteria in the search performed by the query in the dashboard adding the new criterion of "eventtype = wifi_connected" to each query with the "eventtype = wifi_connected_* "

http://subirimagen.me/uploads/20180730162141.jpg

And with this already if you showed me information in the connected section.

http://subirimagen.me/uploads/20180730163559.jpg

Jotne · Tue Jul 31, 2018 8:06 am

Updated files to 2.2

# 2.2
# Removed Host info at the bootom in "MikroTik DNS Live usage"
# Fixed overnship of various dashboard
# Fixed "MikroTik Wifi connection" to show connected if it has no signal strength

@MSandoval
Thanks for the feedback and the effort to fix it

I did thought that all connection did show signal strength.
What you have done is partially correct.

In eventtype.conf this:

search = "wireless,info *: connected"

will make it for both:

wireless,info *: connected
wireless,info *: connected, signal strength

So only this is needed (remove signalstrengt)

[wifi_connected]
search = "wireless,info *: connected"

Since evnttype [wifi_connected] does not change, no changes are needed in the dashboard.

santong7 · Tue Jul 31, 2018 9:28 am

Where is the zip file ?

Do you have any clue why splunk linux stops logging after a while, and with splunk server restart it starts again and then after a while it stops again until the next splunk server restart ?

Same happens with windows splunk version.

Jotne · Tue Jul 31, 2018 9:37 am

File is there now, se this post why it was missing:
viewtopic.php?f=2&t=137476

Not sure why you have problem with Splunk. I have used it for many years and its for me very stable.
Test a PC with Ubuntu 18.04 and Splunk. Should work very vell together.
Windows should be ok too, but I do recommend Linux (feels much faster om same hw)

You are using latest Splunk, downloaded from Splunk.com?

I will later when I have time post how to install Splunk as a non root user.

santong7 · Tue Jul 31, 2018 10:56 am

File is there now, se this post why it was missing:
viewtopic.php?f=2&t=137476

Not sure why you have problem with Splunk. I have used it for many years and its for me very stable.
Test a PC with Ubuntu 18.04 and Splunk. Should work very vell together.
Windows should be ok too, but I do recommend Linux (feels much faster om same hw)

You are using latest Splunk, downloaded from Splunk.com?

I will later when I have time post how to install Splunk as a non root user.

I have splunk running on ubuntu server 18.04 with the latest splunk version 7.1.2
When I first run splunk it starts, then it stops, then I restart the server. You can see the empty log on the firewall timeline attached image..

Capture.PNG

I tried also to see if this happens with another syslog server application, like the Kiwi Syslog Server, and I am getting logs all the time without interrupts.

Any clue ?

Jotne · Tue Jul 31, 2018 11:23 am

No idea why it stops working.
I have run Splunk for years without it stopping by it self, always using Ubuntu Server.
Maybe there are some other stuff/software on you Ubuntu that kills it.

Jotne · Tue Jul 31, 2018 1:40 pm

How to install Splunk as a non root user.
Its a security risk to run everything as a root user, so if you can, you should use a dedicated user for your program.

This tutorial will show how to install Splunk as a user with name splunk on your Ubuntu server (may work on other as well)

Download latest Splunk Enterprise to you /tmp folder

Create the splunk user:

sudo useradd -c "splunk user" -m -s /bin/bash -U -d /opt/splunk splunk

Log in a the splunk user:

sudo su - splunk

Extract the Splunk software to /opt folder (name of file will change with new version):

tar xvzf /tmp/splunk-7.1.1-8f0ead9ec3db-Linux-x86_64.tgz -C /opt

Start your Splunk server (accept license agrement and set a password for Spkunk admin user):

~/bin/splunk start

As a root user, make Splunk autostart with user splunk as a startup script:

sudo /opt/splunk/bin/splunk enable boot-start -user splunk

You should now be up and running.

Remember to use splunk user whenever you change/add files or do anything else with Splunk from the CLI

sudo su - splunk

PS:
If you run Splunk as a non root user then you can not use UDP/514 as a syslog receiver port in Splunk.
Since all port below 1024 need root permission to work.

Workarounds.
1. Send syslog to other port above 1023, like 1514 for UDP syslog. (need to change many routers to send to correct port)
2. Set up a local syslog server like r-syslog and let Splunk read the r-syslog log files.

ismaelac2 · Wed Aug 01, 2018 8:01 pm

Good job !! I'll test it, thanks for sharing Jotne !!

santong7 · Thu Aug 02, 2018 11:34 am

No idea why it stops working.
I have run Splunk for years without it stopping by it self, always using Ubuntu Server.
Maybe there are some other stuff/software on you Ubuntu that kills it.

Finally there is a problem with timestamp, found on splunkd.log
08-01-2018 15:52:07.610 +0300 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Wed Aug 1 02:35:00 2018). Context: source=udp:514|host=192.168.1.1|syslog|

And it stops logging.

This is an example of what mikrotik sends to me, on another syslog server
192.168.1.1 Jul 12 00:17:05 firewall,info DROP INPUT input in:pppoe-WAN out:(unknown 0), proto TCP (SYN), 79.129.108.120:41236->79.129.36.201:7547, len 44

Any work around ?

Jotne · Thu Aug 02, 2018 6:21 pm

You do miss a very important thing.
Where is your MikroTik tag?

A message need to looks like this:
Raw format:

firewall,info MikroTik: NAT_Web_Varg dstnat: in:ether1-Wan out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 195.29.234.174:8505->92.220.197.134:80, len 52

List format:

02/08/2018 17:15:43.000	firewall,info MikroTik: NAT_Web_Varg dstnat: in:ether1-Wan out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 195.29.234.174:8505->92.220.197.134:80, len 52

See my first post, starting from:
Then select what to log.
Make user you add prefix=MikroTik to all syslog rules.

Mordor · Thu Aug 09, 2018 7:09 am

help me set up a collection of logs with Mikrotik.
I can not understand what to add to the firewall and NAT in Mikrotik, what would the logs in to the syslog go to the Splunk server on CentOS.
if you can, make a little instruction "How to setup collect of logs".
Thanks you.

Jotne · Thu Aug 09, 2018 2:34 pm

It is clearly written in the first post under Select what to log
1 select what fw or nat rule you like to log.
2 open the fw/nat rule
3 go to action
4 mark log
5 add a text to log prefix for the log, like NAT_RDP
This text could be anything you like, but it god to have a discription tha tell you what the rule does.

PS if you see number increase in webgui you should also get syslog

PS2 do not log everything, start some small and increase with more rules when it works. Logging everything will log allot of data.

Jotne · Fri Aug 10, 2018 3:32 pm

Upgraded to 2.3

What new:
# v2.3 (10.08.2018)
# Created an Splunk app version

So for user of 2.2, there are no need to upgrade. No new function.

Jotne · Sun Aug 19, 2018 1:23 pm

Here is an example on how Hotspot data looks in Splunk

Splunk-MikroTik-Hotspot.jpg

helmi1987 · Sat Aug 25, 2018 9:29 am

Hello

very good integration.
how can i record capsman wifi?

greeting helmi1987

Gabana · Sat Sep 08, 2018 8:56 pm

hello

thanks for your great job

also does it log "Commands" executed on the device ?

Dindihi · Sun Sep 09, 2018 12:02 am

Hi,
thanks for this work!
One question, how often do you execute the script with the scheduler?

+1 for capsman
Thanks

Jotne · Sun Sep 09, 2018 8:26 am

I do schedule the script to run every 5 minutes. (first post updated)

Since I do not have Capsman, I have no possibility to make Dashboard for it.

Dindihi · Sat Sep 15, 2018 1:19 pm

Hi,
i added some functionalities for Capsman logging.
Maybe this will be helpful for someone.
I'm not a Mikrotik neither Splunk expert !!

Maybe you will find some errors. Please let me know.
But at least this works fine here.

Settings->Sourcetype->Mikrotik->Advanced->Add:
Name: EXTRACT-mikrotik_capsman_state
Value: caps,info.*(?<src_mac>.{2}:.{2}:.{2}:.{2}:.{2}:.{2})@(?<cap_device>.*)\s(?<state>connected|disconnected),\s

Script: Data_to_Splunk_using_Syslog_capsman

:local capsregistered ([/caps-man registration-table print count-only]);

 /caps-man interface
:local name
:local mac


# ignore all master interfaces
:foreach p in=[find where master-interface!="none"] do={
:set name [get $p name]
:set mac [get $p radio-mac]
:local counter ([/caps-man registration-table print count-only  where interface=$name]);
:log info message="script=caps-man name=$name counter=$counter";
}

:log info message="script=caps-man capsregistered=$capsregistered";

Schedule this script every 5 minutes.

Only if your Mikrotik is used as DHCP server continue here, else ignore the following steps.
Check that each IP has a valid comment. I used the comment name as hostname.

Script: manuel_export_dhcp_splunk

:log info "export_dhcp_splunk";
:local hostname;
:local mac;

/file print file="export_dhcp_splunk.txt";

/file set "export_dhcp_splunk.txt" contents="";


:local newdata ("hostname,src_mac\r\n");
/file set "export_dhcp_splunk.txt" contents=([get export_dhcp_splunk.txt contents] . $newdata);

/ip dhcp-server lease;
:log info "Entering export_dhcp_splunk loop";
:foreach i in=[find] do={
  /ip dhcp-server lease;
  :if ([:len [get $i comment]] > 0) do={
    :set hostname [get $i comment];
    :set mac [get $i mac-address];
    :local newdata ($hostname.",".$mac. "\r\n");
    /file set "export_dhcp_splunk.txt" contents=([get export_dhcp_splunk.txt contents] . $newdata);
   } else={
    :set mac [get $i mac-address];
    :local newdata ("NONE,".$mac. "\r\n");
    /file set "export_dhcp_splunk.txt" contents=([get export_dhcp_splunk.txt contents] . $newdata);
  }
}
:log info "Ended export_dhcp_splunk";

Download export_dhcp_splunk.txt to your PC.

Splunk->Settings->Lookups->Lookup table files->New
Destination App: Mikrotik
Destination filename: dhcp_clients
And upload the file export_dhcp_splunk.txt

Splunk->Settings->Lookups->Lookup Definition->New
Destination App: Mikrotik
Type: File
Lookup file: dhcp_clients

And finally the Dashboard (add to Mikrotik app)

<form>
  <label>MikroTik CapsMan</label>
  <fieldset submitButton="false">
    <input type="time" token="global_time">
      <label>Time Span</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Span" searchWhenChanged="true">
      <label>Time Span</label>
      <choice value="bins=100">Default</choice>
      <choice value="span=1m">1 min</choice>
      <choice value="span=5m">5 min</choice>
      <choice value="span=10m">10 min</choice>
      <choice value="span=20m">20 min</choice>
      <choice value="span=1h">1 hour</choice>
      <choice value="span=2h">2 hour</choice>
      <default>bins=100</default>
    </input>
    <input type="dropdown" token="cap_device">
      <label>CapsMan</label>
      <choice value="*">Any</choice>
      <fieldForLabel>cap_device</fieldForLabel>
      <fieldForValue>cap_device</fieldForValue>
      <search>
        <query>sourcetype=mikrotik
          module=caps
          | top limit=0 cap_device
          | sort cap_device</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
      </search>
      <default>*</default>
      <prefix>cap_device="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="srcmac">
      <label>Source Mac</label>
      <choice value="*">Any</choice>
      <default>*</default>
      <fieldForLabel>hostname</fieldForLabel>
      <fieldForValue>src_mac</fieldForValue>
      <search>
        <query>sourcetype=mikrotik
          module=caps
          | top limit=0 src_mac
          | sort src_mac
          |lookup dhcp_clients src_mac OUTPUT hostname</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
      </search>
      <prefix>src_mac="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Connection messages by cap_device</title>
      <chart>
        <search>
          <query>module=caps 
$cap_device$ $srcmac$
|timechart $Span$  count(_raw) by cap_device</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Devices connection messages by device</title>
      <chart>
        <search>
          <query>sourcetype=mikrotik module=caps state=connected 
$cap_device$ $srcmac$
|lookup dhcp_clients src_mac OUTPUT hostname
|timechart $Span$  count(_raw) by hostname</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Connected devices by cap</title>
      <chart>
        <search>
          <query>sourcetype=mikrotik caps-man |timechart $Span$ values(counter) by name | fillnull  |appendcols  [ search sourcetype=mikrotik caps-man|timechart $Span$ values(capsregistered) as TOTAL |fillnull]</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>Connected devices by cap</title>
      <chart>
        <search>
          <query>sourcetype=mikrotik counter&gt;0  |chart values(counter) by name</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>

Edit:
i will probably add some more features in the next week when i find time

Jotne · Sat Sep 15, 2018 1:24 pm

Nice
I will look trough it and add it to the package in the first post.
A problem with Splunk when you add stuff trough GUI, you do not know were it goes.
I may end up in your user, wrong app or correct app

And some raw loglines of various types?

philamonster · Tue Oct 09, 2018 6:15 pm

Jotne, just wanted to post a note of thanks again for Splunk integration and that I successfully upgraded from 1.1 in place without too many hoops to jump through. Added script and scheduled it on MikroTik device and data was visible in Splunk immediately. I had edited some of the accounting scripts to change time I was collecting in 1.1 due to high CPU generated on Splunk vm w/5 minute interval. New version is much better on resources overall which I am thankful for!

maperezdelrio · Tue Oct 16, 2018 3:45 am

Hello
Download your app, for splunk, and I have followed your instructions to install it. However, I notice that the dashboards do not load information, as your screenshots show.
Inside the folders of the application is not found the scripts that would process the logs sent from the device, Mikrotik as healt or resources. According to the splunk documentation this should be located in the Mikrotik / bin folder, is my assessment correct?

Thank you!

Jotne · Tue Oct 16, 2018 7:05 pm

In this version there are no script at the Splunk (bin folder). Script is moved to the Mikrotik side that do send out everything using syslog.
In splunk set it to show last 24 hour and add * i search field to see what is going on.
This should get you lots of log line from the MikroTik

Dindihi · Tue Oct 16, 2018 7:33 pm

I added index=mikrotik (your index name) to all dashboard searches.
Without this i also had no results

Jotne · Tue Oct 16, 2018 9:54 pm

When you run Splunk as a free license, the user should see all index data without need specify it.
Sounds you are either running it in a full licensed version, or are still in the 30 day free trail.
If you are in the trail mode you need to convert it as soon as possible to free version.
If not it will block your search fro on month if it passes 30 days before converting.
See installation instruction on first post.

It seems that you also have made MikroTik logs goes into another Index than default.
Follow the #1 post, it should go to the main index. It will work in other index, but you may need to adjust some like you did.

Dindihi · Tue Oct 16, 2018 10:00 pm

I agree, i have paid license.

Jotne · Tue Oct 16, 2018 10:12 pm

Then is should be fine to use and as you did write, fix was to use correct index

I do have a 500GB/day license at my work, that I do manage, so do know some about who it works in large settings.

vitvickis · Thu Oct 18, 2018 3:14 pm

Hi Jotne!
Thank You for this post! Really appreciate your work.
I have some problems : I really can't make to log accounting and for example Resources/Voltage.
What need to be done, to see that in Splunk logs?

For example - DNS,DHCP, Firewall logs are working wihtout any problems.

Jotne · Wed Nov 07, 2018 11:17 am

Working in 2.4

Here are some teasers.

Dark Theme
Added view to better show system changes
Added view to show wifi client strength for all clients connected
++++
.

MikroTik Wifi strength.jpg

Jotne · Wed Nov 07, 2018 11:42 am

Hi Jotne!
Thank You for this post! Really appreciate your work.
I have some problems : I really can't make to log accounting and for example Resources/Voltage.
What need to be done, to see that in Splunk logs?

For example - DNS,DHCP, Firewall logs are working wihtout any problems.

It seems that you miss the data coming from the script part.

Try these test to see if you see data in a command:
--------------
Show if ip accounting works, used to get firewall data
{

/ip accounting snapshot take
# Send data to loggin server
foreach logline in=[/ip accounting snapshot find] do={:put message="$[/ip accounting snapshot print as-value from=$logline]"}}

List health info:

{:local voltage ([/system health get voltage]/10);
:local temperature ([/system health get temperature]);
:put message="script=health voltage=$voltage V temperature=$temperature C";}

If cut and past of these commands gives information, you need to look at the script.
Have you created the script?
Does it have correct name?
Does it show a run count behind it greater than 0?
Do you get data out if you run the script manually?
Have you setup the scheduler?
Does it have correct name for the script to run?
Does the scheduler run (show run count)?

Hunty · Mon Nov 12, 2018 4:28 pm

I'm not able to see any result into splunk server.
I've followed the guide step by step, I'm seeing that the Mikrotik's script has Run Count = 40 so it is sending to Splunk server, I've added the windows firewall inbound rules, but I'm not able to see any data in splunk server.
Can you please help me?
Thanks

p.s. thanks a lot for your guide and effort, it is the tool I was searching for a long time.

Jotne · Tue Nov 13, 2018 6:50 pm

In Splunk under:
Settings -> Data Inputs -> UDP
Do you se port 514 like this?

UDP port	Source type	Status	Actions
514	syslog	Enabled | Disable	Clone | Delete

If you do run Splunk on a windows, have you opened Windows firewall for Splunk or UDP:514?
You can try to disable firewall temporary.

Is logging correcty setup?
Can you on your MT post output of this:

 /system logging export

Hunty · Wed Nov 14, 2018 3:41 pm

Hi Jotne, thanks for your reply

In Splunk under:
Settings -> Data Inputs -> UDP
Do you se port 514 like this?
Code: Select all
UDP port	Source type	Status	Actions
514	syslog	Enabled | Disable	Clone | Delete

Yes

If you do run Splunk on a windows, have you opened Windows firewall for Splunk or UDP:514?

Yes

You can try to disable firewall temporary.

I've tried but without any result

Is logging correcty setup?
Can you on your MT post output of this:
Code: Select all
 /system logging export

[admin@MikroTik CRS125] > /system logging export
# nov/14/2018 14:33:07 by RouterOS 6.43.4
# software id =
#
# model = CRS125-24G-1S-2HnD
# serial number =
/system logging action
add name=logserver remote=192.168.88.210 target=remote
/system logging
add action=logserver prefix=MikroTik topics=dhcp
add action=logserver prefix=MikroTik topics=!debug

Jotne · Wed Nov 14, 2018 4:47 pm

Can you ping the Splunk server from MT?
Are you running Widows/Linux? I do recommend Linux.
On windows, you can confirm that Splunk is listening on port UDP/514 by running this command:

netstat -toan | find "514"

You should get one line like this:

UDP    0.0.0.0:514            *:*                                    5108

For Linux

netstat -pan | grep 514
udp    62848      0 0.0.0.0:514             0.0.0.0:*                           17949/splunkd

Hunty · Thu Nov 15, 2018 11:12 am

Can you ping the Splunk server from MT?

yes

[admin@MikroTik CRS125] > ping 192.168.88.210
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 192.168.88.210                             56 128 0ms  
    1 192.168.88.210                             56 128 0ms  
    2 192.168.88.210                             56 128 0ms  
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms

Are you running Widows/Linux? I do recommend Linux.
On windows, you can confirm that Splunk is listening on port UDP/514 by running this command:
Code: Select all
netstat -toan | find "514"
You should get one line like this:
Code: Select all
UDP    0.0.0.0:514            *:*                                    5108
For Linux
Code: Select all
netstat -pan | grep 514
udp    62848      0 0.0.0.0:514             0.0.0.0:*                           17949/splunkd

I'm running it on Windows Server 2016

C:\Windows\system32>netstat -toan | find "514"
  UDP    0.0.0.0:514            *:*                                    9784
  UDP    0.0.0.0:58514          *:*                                    3464
  UDP    0.0.0.0:59514          *:*                                    3464
  UDP    [::]:60514             *:*                                    3464
  UDP    [::]:61514             *:*                                    3464
  UDP    [::]:62514             *:*                                    3464

Jotne · Thu Nov 15, 2018 1:02 pm

Then the only thing I do not see if the Windows Server block some in the firewall. But as you write, you have opened it.
If you did not try it, try to disable the whole fw for some time.

Hunty · Thu Nov 15, 2018 2:47 pm

I've tried to disable the entire firewall for 10 minutes and I've executed manually the script at least three times, but no info was present in the dashboards

Jotne · Thu Nov 15, 2018 6:22 pm

Try this.
On terminal of the Router OS type:

:log info message="mandarin"

In Splunk, set it to last 15 min and do a search like this:

mandarin

You should get at least one line like this (in raw mode)

script,info MikroTik: mandarin

If you get output you have communication.
If it does not show script,info MikroTik: in front of mandarin, you MikroTik app is not correctly installed in Splunk
Post your output.

Dindihi · Thu Nov 15, 2018 6:26 pm

Is there a tcpdump or similar on windows?
Maybe check if udp packets are coming from your MT.

Jotne · Thu Nov 15, 2018 6:44 pm

This is UPD, so tcpdump would not help.
Did the last test not give you anything?

Dindihi · Thu Nov 15, 2018 6:47 pm

Sure,
tcpdump also shows udp packets.

[~] # tcpdump udp port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:46:01.876313 IP 192.168.215.4.58292 > NAS.syslog: [|syslog]
17:46:01.876371 IP 192.168.215.4.58292 > NAS.syslog: [|syslog]
17:46:05.144568 IP 192.168.214.117.syslog > NAS.syslog: SYSLOG user.info, length: 66

Edit:
You tried to manually search for events (not the dashboard).
index=YOURINDEX
(on ALL TIME)

Hunty · Thu Nov 15, 2018 7:15 pm

Try this.
On terminal of the Router OS type:
Code: Select all
:log info message="mandarin"
In Splunk, set it to last 15 min and do a search like this:
Code: Select all
mandarin
You should get at least one line like this (in raw mode)
Code: Select all
script,info MikroTik: mandarin
If you get output you have communication.
If it does not show script,info MikroTik: in front of mandarin, you MikroTik app is not correctly installed in Splunk
Post your output.

I've found the mandarin entry

In the Search app I'm seeing this:

490.761 event and it is growing!

Why I'm not seeing anything under mikrotik app?

Hunty · Thu Nov 15, 2018 7:17 pm

Anyway I've also tried to install Splunk in a UbuntuVM using Virtualbox, I've followed your guide to add the splunk user, I'm trying to configure the UDP 514 input port but I'm having this error:

Parameter name: UDP port 514 is not available.

I prefere to solve the issue under Windows server that is installed bare metal

Jotne · Thu Nov 15, 2018 7:49 pm

You do get data inn to Splink

Do a search like this in Splunk last 15 min

Post some lines, so that I do see how it looks like.

Hunty · Thu Nov 15, 2018 8:00 pm

I've attached two screenshot

Hunty · Thu Nov 15, 2018 8:03 pm

please note that I've inserted "Mikrotik" under System/Logging

Jotne · Thu Nov 15, 2018 8:13 pm

All apps needs to be in

$SPLUNK_HOME/etc/apps

So on windows you should have:

C:\Program Files\Splunk\etc\apps\MikroTik

Hunty · Thu Nov 15, 2018 8:14 pm

All apps needs to be in
Code: Select all
$SPLUNK_HOME/etc/apps
So on windows you should have:
Code: Select all
C:\Program Files\Splunk\etc\apps\MikroTik

Yes

Jotne · Thu Nov 15, 2018 8:16 pm

Uninstall everything.
Install follow post #1 step by step.

You should also see

C:\Program Files\Splunk\etc\apps\MikroTik\default
C:\Program Files\Splunk\etc\apps\MikroTik\metadata

etc
Not

C:\Program Files\Splunk\etc\apps\MikroTik\MikroTik\default

If that does not work, I will try to do an install my self from the #1 post and test it.

PS no need to quote post above you.

Hunty · Thu Nov 15, 2018 8:23 pm

are you sure?
I've attached a screenshot of the content of the folder

Jotne · Thu Nov 15, 2018 8:43 pm

You have restarted Splunk after app install?
All looks correct.

Hunty · Thu Nov 15, 2018 8:50 pm

Yes several times

Jotne · Thu Nov 15, 2018 8:55 pm

You have installed Splunk free as in post #1, or do you use Splunk before to some else?
I have seen problem with installed version that using other index.

From the picture above, it does not seem that splunk does the filed extraction.

If you like, I can try teamviewer to see what is wrong.
Not able to post a private message to you, so post an email so I can get in touch with you.

Hunty · Thu Nov 15, 2018 9:08 pm

thanks for your help, but I'll try tomorrow with the linux VM but I've to solve first why the 514 port is not available even if I followed your guide to install the app with a non root user

Jotne · Tue Nov 20, 2018 12:20 pm

2.4 Released

Nearly all code are rewritten to get better speed and make it cleaner.
Dark Theme makes a big visual change.

# v2.4 (20.11.2018)
# Updated "MikroTik Hotspot login/logout information" to show IP
# Fixed when inn interface= unknown
# Updated view 2.4 to handel more hits
# Updated "MikroTik DNS" to not view revers lookup "site!=*.in-addr.arpa"
# Rewritten "Microtik Traffic" Error in all calculation
# Fixed data rounding and fixed typo
# Fixed formating in "MikroTik Remote Connection"
# Set permission view the view to show in app only
# Added System Changes as a new default menu
# Fixed missing host in "MikroTik Uptime"
# Added Host to "MikroTik Traffic"
# Added view "MikroTik Wifi strength"
# Added view "MikroTik System Changes"
# Dark theme needs >=7.2
# Removed global time (use default time)
# Removed searchWhenChanged="true" (default)
# Cleaned code
# Fixed error in "13. OSCam config changes"
# Added Sprakline to "MikroTik Device List"

2.4 Device list.jpg

.

2.4 System Changes.jpg

.

2.4 Traffic.jpg

jareckib12 · Sat Nov 24, 2018 12:06 am

Hi,
First - thx for update.
Second - in MikroTik DNS request view, client filtering does not work. When selecting any item in addition to "any" does not show any results.

Jarecki

Jotne · Sun Nov 25, 2018 10:40 am

Good catch,

I have updated to 2.5

# 2.5 (25.11.2018)
# Change all "if" test to use "coalesce"
# Fixed error in "MikroTik DNS request"
# Moved more to base search
# Removed some code not needed in "MikroTik Web Proxy"
# Fixed error with src_port in dest_ip dropdown in "MikroTik Firewall Rules"

sherics · Sun Nov 25, 2018 9:26 pm

Hello,

I have installed it completely and except the Traffic, everything work.

In the traffic I see just few MBs, even if I download 500MB or 1GB, it does not shows up there, just few % of the downloaded amount.

I do not have a public IP on my internal network, the public IP is on the WAN port, ether1, as a standard home router, other clients are on WiFi on first VLAN and 2 computers on second VLAN.

Do you have an idea what is wrong?

Thank you.

Jotne · Mon Nov 26, 2018 6:08 pm

I did download an 1GB file from here: http://www.ovh.net/files/
And it showed up correctly.

Do you have Fasttrack on?
If so try to disable it, it may be that packed are not accounted when Fasttrack is on.
https://www.youtube.com/watch?v=6LaqhDm6PHI

MSandoval · Mon Nov 26, 2018 8:45 pm

Hello Jotne and the whole community.
First I want to tell you, good job, really good jobs, and thanks for sharing with us Jotne.

Secondly I have a question, in version 2.4 I see in the record that wrote "List of devices" this function indicates that it already supports multi-router log ?, in such case as it is identified in each module to which router belongs each record?

Jotne · Mon Nov 26, 2018 9:32 pm

You are correct, it does support as many routers as you like to add.
Going away from SNMP to Syslog only was driven by the simpler way to do thing.
With SNMP, you need to set up the monitor system to request SNMP from the device.
This is ok for singel router ans small system.
But if you like to monitor a router across public internet, you end up in a security risk by open for SNMP.

Whit using script and Syslog this is a one way communication. All data are sent from the device to the monitor system.
No need to open ports. Same script for all routers. No need to configure any configuration on the monitoring system for each router.

I have four routers/host that sends log to my sentral log server.

On every view you can select host to view only that host.

MSandoval · Mon Nov 26, 2018 9:41 pm

Great, you're right, forget that each module has a drop-down menu Hosts. I'm going to try it and anything I write. Thanks again.

sherics · Mon Nov 26, 2018 10:59 pm

I did download an 1GB file from here: http://www.ovh.net/files/
And it showed up correctly.

Do you have Fasttrack on?
If so try to disable it, it may be that packed are not accounted when Fasttrack is on.
https://www.youtube.com/watch?v=6LaqhDm6PHI

Well, I forgot about fastrack... without fastrack it works now, but unfortunately without fastrack my router is on 95-99% CPU while I download/upload anything; and the speed is lowered for 300mbit/s... With fastrack enable, the cpu is approx on 70% on full gigabit connection, about 90MB/s real speed. Well, after 4 years, I think, I need to purchase a more powerul and new router

Jotne · Mon Nov 26, 2018 11:22 pm

It may also be that you could configure your router to use hardware offloading. Depending on type and software version.
But old boxes do have less power so upgrade may be the only option.

Its a good point to now that traffic monitoring does not work when fast track is enabled, so I will mention that in the first post.

MSandoval · Fri Nov 30, 2018 3:45 pm

Hello everyone, I have a problem with module MikroTik_Traffic section Public IP. when reviewing this, I found a small error when declaring the variable host, in this case that variable is capitalized Host, it does that the section does not work, changing this I achieved that it works correctly.

<title>Public IP</title>
        <search base="base_search">
          <query>
            search
              Host="$Host$"         >>>   change with host="$Host$"
            | eval ip_in=if("$direction$"=="in",src_address,dst_address)
            | eval ip_out=if("$direction$"!="in",src_address,dst_address)

Jotne · Fri Nov 30, 2018 5:28 pm

Thanks for the feedback

It will be fixed in 2.6. For others you can edit det file and correct the typo.

ariefwido · Fri Dec 07, 2018 4:18 am

Hello there,

This is my first time using splunk and I have no result on dashboard anyway also I did every step on the post #1, any idea why this happen?
The logs already show up on the splunk but the MikroTik app dashboard have no result at all.

Thanks and appreciate your help.

Jotne · Fri Dec 07, 2018 11:51 pm

/system logging add action=logserver prefix=MikroTik topics=dhcp
/system logging add action=logserver prefix=MikroTik topics=!debug

I would guess you have typed wrong prefix. Any other word than MikroTik would brake the index of the data.
Make sure its 100% equal with capital M and K

Cut and Past is the best option to get it correct.

Do a search like this in Splunk, change to your MikroTik Routers IP, what is the output?

index=* host=192.168.88.1 | rex "^\S+\s(?<prefix>\S+)\s" | stats count by prefix

ariefwido · Sat Dec 08, 2018 1:23 am

Hello,

I did copy and paste that command on cli.

The result prefix search on attachment

Search MT.JPG

And then I found something that on the search section if I remove module=xxx then I got the result on the dashboard.
For the example on the device list dashboard I use this

No Module.JPG

instead of your originally script

With Module.JPG

I think that module=xx didn't work on my splunk search. Any idea?

Jotne · Sat Dec 08, 2018 9:38 am

Strange.

Can you post output of sourcetype=mikrotik script=sysinfo
Make sure you have Smart Mode selected (see circle on picture)
Click the arrow to expand one post so I see the extraction. >
.

test_output.jpg

ariefwido · Sat Dec 08, 2018 10:33 am

Hi Jotne,

Here is the output and just different from yours.

test_output_1.JPG

Jotne · Sat Dec 08, 2018 12:26 pm

I see two strange things.
1. It seems that Splunk does not handle the date/time correctly since its shown within your event.
2.I do not see the information from router that shows where it comes from and type (ipsec/DNS/DHCP) (debug packets)

Is this a clean Splunk installation, followed the steps above?

You are running on a 951G a common box, I have a 941 and 750Gr3 and some other.
Your RouterOS software 6.43.4 is the same as I do run, so should be ok

Can you post the last lines of the output on the Router of /log print and /log print detail
Just cut and paste the line, so I do see how it looks like.

On mine

11:21:32 script,info script=pool pool=default-dhcp used=1 total=245
and
time=11:21:32 topics=script,info
message="script=pool pool=default-dhcp used=1 total=245"

I do miss the stuff in bold from your logg message and would like to see how it looks like on the router to compare what Splunk sees.

ariefwido · Sat Dec 08, 2018 12:52 pm

Hi Jotne,

Yes, this is fresh install splunk and I did several time remove my VM and install again to make sure that.

Here is the output

/log print

17:47:19 firewall,info FW_INTERNAL forward: in:PJX out:BRX-LAN, proto TCP (ACK), 10.99.100.102:7332->10.121.61.108:52380, len 40

/log print detail

time=17:48:19 topics=firewall,info message="FW_INTERNAL forward: in:PJX out:BRX-LAN, proto TCP (ACK), 10.99.100.102:7332->10.121.61.108:52380, len 40"

Jotne · Sat Dec 08, 2018 1:09 pm

This looks correct, so it have to be some wrong with Splunk implementation since message looks different there.
Several other has used this, so should not be an big error in the code.

If you tyoe index=* in splunk, do you see any message that have the module tag coming from the router?

Like this

firewall,info

PS If you set time to: real time 1-minute window you should see data live as they arrive.

ariefwido · Sat Dec 08, 2018 1:28 pm

Unfortunately I didn't see that message on my splunk,

test_output_2.JPG

Any idea what is happening on my splunk?

Jotne · Sat Dec 08, 2018 2:10 pm

You have some strange in your message that I have not see with other: RTZPKN02

Can you post this? /system logging export

How did you install the files in Splunk?

Why do you get Des 9 in your log, I am still at Des 8?
Your logs has two different time stamp.
See if all clock is equal everywhere. Router, Computer ++

ariefwido · Sat Dec 08, 2018 2:23 pm

Sorry the Dec 9 is from date server, I already change the NTP

Here is the output

 /system logging export
# dec/08/2018 19:21:37 by RouterOS 6.43.4
# software id = 29W1-FTPT
#
# model = 951G-2HnD
# serial number = 642E05A9020A
/system logging action
add name=syslog remote=10.99.100.77 remote-port=7514 src-address=10.122.82.200 \
    target=remote
add bsd-syslog=yes name=logserver remote=10.100.10.105 src-address=\
    10.122.82.200 target=remote
/system logging
add action=syslog disabled=yes topics=info,error,interface,warning
add action=logserver prefix=MikroTik topics=dhcp
add action=logserver prefix=MikroTik topics=!debug

Jotne · Sat Dec 08, 2018 2:44 pm

Seems that you do not have a clean install.
You are logging to several system at the same time.
It should work.

Try this: Remove all logg line and add this:

/system logging action
add name=myserver remote=10.100.10.105 target=remote
/system logging
add action=myserver prefix=MikroTik topics=!debug
add action=myserver prefix=MikroTik topics=dhcp

Is this your Splunk server? 10.100.10.105
If not, do you relay your message (rslyslog or other server)?
Do you send your log message passing trough several routers?

ariefwido · Sat Dec 08, 2018 3:45 pm

Seems that you do not have a clean install.
You are logging to several system at the same time.
It should work.

Try this: Remove all logg line and add this:
Code: Select all
/system logging action
add name=myserver remote=10.100.10.105 target=remote
/system logging
add action=myserver prefix=MikroTik topics=!debug
add action=myserver prefix=MikroTik topics=dhcp
Is this your Splunk server? 10.100.10.105
If not, do you relay your message (rslyslog or other server)?
Do you send your log message passing trough several routers?

Ok I will reinstall my splunk VM again and change all log line and I will tell you the result

And yes my log message passing through several routers.

Jotne · Sat Dec 08, 2018 3:46 pm

But is this your Splunk server? 10.100.10.105
Or do you send data to an rsyslog or other syslog server, that then sends it to your Splunk server?

ariefwido · Sat Dec 08, 2018 5:30 pm

Hi Jotne,

It seems I found the problem, the problem is marking the BSD Syslog on log remote action.

test_output_3.JPG

Finally the result is come.

Thanks and very appreciate your help.

WeWiNet · Tue Dec 11, 2018 1:53 pm

Hi Jotne,

Wanted to say thank you, very nice job.
Also to highlight that this tutorial works perfect on MacOS 10.14.
I just followed your tutorial and installed it with the Splunk Enterprise version
and all is working perfect (Ok I had to restart my machine once as splunk did not launch first time correctly).

I now try to make sense out of all that data and nice graphs ...

PS: How can you know how much data you log per day (which is the limitation of the free version)?

Jotne · Tue Dec 11, 2018 2:52 pm

Thanks.

You find license information her:

Settings->Licensing
There you see this for free version
Licensed daily volume 500 MB

Select:
Usage-Report->Previous 30 days

Here you will see how much of the license you use each day, last 30 days.

zandhaas · Tue Jan 01, 2019 11:47 pm

Thank You for this post and all the work to get all the information in Graphs.

Only I had a hard time to get all the information in Splunk.
After three hours of trying a lot of different things I finaly discoverd that I missed the last "}" in the Router script.

Perhaps you can change the post where the script is too make the beginning and end of the script more clear.

Regards Peter

Jotne · Wed Jan 02, 2019 5:50 pm

Thanks for the feedback.
Added some space in the script to make it better to see start end.

Next time you can click Select ALL, behind the Code: at the top of the script and you get all that is needed.

Hunty · Thu Jan 03, 2019 10:37 am

Thank You for this post and all the work to get all the information in Graphs.

Only I had a hard time to get all the information in Splunk.
After three hours of trying a lot of different things I finaly discoverd that I missed the last "}" in the Router script.

Perhaps you can change the post where the script is too make the beginning and end of the script more clear.

Regards Peter

I had the same problem,
now everything works

Hunty · Thu Jan 03, 2019 11:06 am

I'm seeing two problems:
The script reports a cpu higher than usual, it detects the cpu loads when the scripts is running, so instead of reading a normal 10% load, it reads a load near to 100%

The second is the Disk graph.
I've attached two screenshot

Hunty · Thu Jan 03, 2019 11:21 am

I've modified the script in order to read the cpu load at the beginning, now the readings are correct

# This script is used to send data to Splunk using syslog.
#===================================

# Collect system resource
# ----------------------------------
:local cpuload ([/system resource get cpu-load]);
:local freemem ([/system resource get free-memory]/1000000);
:local totmem ([/system resource get total-memory]/1000000);
:local freehddspace ([/system resource get free-hdd-space]/1000000);
:local totalhddspace ([/system resource get total-hdd-space]/1000000);
:local up ([/system resource get uptime]);
:log info message="script=resource free_memory=$freemem MB total_memory=$totmem MB free_hdd_space=$freehddspace MB total_hdd_space=$totalhddspace MB cpu_load=$cpuload uptime=$up";



# Collect accounting traffic
# ----------------------------------
# Take a snapshoot
if ([/ip accounting get enabled]=yes) do={
/ip accounting snapshot take
# Send data to loggin server
foreach logline in=[/ip accounting snapshot find] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"}};

# Finding dynmaic lines used in uPnP
# ----------------------------------
:foreach logline in=[/ip firewall nat find dynamic=yes] do={:log info message="$[/ip firewall nat print as-value from=$logline]"};

# Collect system information
# ----------------------------------
:local version ([/system resource get version]);
:local board ([/system resource get board-name]);
:local model ([/system routerboard get model]);
:local serial ([/system routerboard get serial-number]);
:log info message="script=sysinfo version=\"$version\" board-name=\"$board\" model=\"$model\" serial=$serial";

# Collect system health
# ----------------------------------
:local voltage ([/system health get voltage]/10);
:local temperature ([/system health get temperature]);
:log info message="script=health voltage=$voltage V temperature=$temperature C";

# Sends wireless client data to log server
# ----------------------------------
:foreach logline in=[/interface wireless registration-table find] do={:log info message="$[/interface wireless registration-table print  as-value from=$logline]"};

# Collect DHCP Pool information
# ----------------------------------
/ip pool {
   :local poolname
   :local pooladdresses
   :local poolused
   :local minaddress
   :local maxaddress
   :local findindex
   :local tmpint
   :local maxindex


 #  :put ("IP Pool Statistics")
 #  :put ("------------------")

# Iterate through IP Pools
   :foreach p in=[find] do={

      :set poolname [get $p name]
      :set pooladdresses 0
      :set poolused 0


#   Iterate through current pool's IP ranges
      :foreach r in=[:toarray [get $p range]] do={

#      Get min and max addresses
         :set findindex [:find [:tostr $r] "-"]
         :if ([:len $findindex] > 0) do={
            :set minaddress [:pick [:tostr $r] 0 $findindex]
            :set maxaddress [:pick [:tostr $r] ($findindex + 1) [:len [:tostr $r]]]
         } else={
            :set minaddress [:tostr $r]
            :set maxaddress [:tostr $r]
         }

#       Convert to array of octets (replace '.' with ',')
         :for x from=0 to=([:len [:tostr $minaddress]] - 1) do={
            :if ([:pick [:tostr $minaddress] $x ($x + 1)] = ".") do={
               :set minaddress ([:pick [:tostr $minaddress] 0 $x] . "," . \
                                       [:pick [:tostr $minaddress] ($x + 1) [:len [:tostr $minaddress]]]) }
         }
         :for x from=0 to=([:len [:tostr $maxaddress]] - 1) do={
            :if ([:pick [:tostr $maxaddress] $x ($x + 1)] = ".") do={
               :set maxaddress ([:pick [:tostr $maxaddress] 0 $x] . "," . \
                                       [:pick [:tostr $maxaddress] ($x + 1) [:len [:tostr $maxaddress]]]) }
         }

#      Calculate available addresses for current range
         :if ([:len [:toarray $minaddress]] = [:len [:toarray $maxaddress]]) do={
            :set maxindex ([:len [:toarray $minaddress]] - 1)
            :for x from=$maxindex to=0 step=-1 do={
#             Calculate 256^($maxindex - $x)
               :set tmpint 1
               :if (($maxindex - $x) > 0) do={
                  :for y from=1 to=($maxindex - $x) do={ :set tmpint (256 * $tmpint) }
               }
               :set tmpint ($tmpint * ([:tonum [:pick [:toarray $maxaddress] $x]] - \
                                                    [:tonum [:pick [:toarray $minaddress] $x]]) )
               :set pooladdresses ($pooladdresses + $tmpint)
#         for x
            }

#      if len array $minaddress = $maxaddress
         }

#      Add current range to total pool's available addresses
         :set pooladdresses ($pooladdresses + 1)

#   foreach r
      }

          :set poolused [:len [used find pool=[:tostr $poolname]]]
#   Send data
    #      :log info message=("pool=" . $poolname  . " used=" . $poolused . " total=" . $pooladdresses)
          :log info message=("script=pool pool=$poolname used=$poolused total=$pooladdresses")

# foreach p
   }
# /ip pool
}

Jotne · Thu Jan 03, 2019 3:10 pm

Good idea moving the cpu reading to the top. I have updated fist post view new version.
PS mine du not give much difference in CPU when script is running. Maybe you device is some under-powered or you have som wrong in your configuration (fasttrack or hw acceleration missing)

I see that MB is wrongly reported due to dividing on 1000000 and not 1048576 (1024*1024). Corrected in the script.
Since graph is in percentage it should not make any change to the view.

fengyuclub · Fri Jan 18, 2019 3:08 am

Good idea moving the cpu reading to the top. I have updated fist post view new version.
PS mine du not give much difference in CPU when script is running. Maybe you device is some under-powered or you have som wrong in your configuration (fasttrack or hw acceleration missing)

I see that MB is wrongly reported due to dividing on 1000000 and not 1048576 (1024*1024). Corrected in the script.
Since graph is in percentage it should not make any change to the view.

No matter how it is set, my splunk can't get my ccr1016 data. Splunk is a virtual machine ubuntu server in the LAN, ccr on what you said, every 5 minutes running script can see a lot of log information generated, but still no data into splunk, there is nothing I did not do Is it? Please forgive my english, from google translation.

Jotne · Fri Jan 18, 2019 8:29 am

No need to quote message above you, only part of it when needed. Always use Post Reply button under the post.

Are you 100% sure you have tagged the packet with MikroTik? There are no firewall?
Try in the search page and search for a star last 15 min. Do you get any?

Hunty · Mon Jan 21, 2019 9:50 am

After three hours of trying a lot of different things I finaly discoverd that I missed the last "}" in the Router script.

Check this!

zandhaas · Mon Jan 21, 2019 3:30 pm

I'm Using Splunk for a couple of weeks now.

In the Firewall Rule section I see beside the attacks from the large big spooky internet also local adresses appear as a result of the "FW_Drop_All_From_Wan" rules.
and that are mainly request with dest_port 53 (DNS).

Is it possible to filter out the local addresses?

Jotne · Mon Jan 21, 2019 6:38 pm

You should not see local address in the outside inn block rule.

Can you post an example like this:

2019-01-21 17:25:25	FW_Drop_all_from_WAN	input	ether1-Wan	(unknown 0)	00:05:00:01:00:01	TCP	104.131.145.9	45167	92.31.200.211	2082	San Francisco	United States

And yes, you can get rid of the message in two ways.
1. Add a rule on the fw above the outside in block rule that block the specific ip/port of your choice.
2. Modify Splunk to exclude the ip/port you like.

First is the simplest solution.

zandhaas · Mon Jan 21, 2019 7:07 pm

Below an example of the local 192.168.0.1 address

_time	rule	chain	in_if	out_if	src_mac	protocol	src_ip	src_port	dest_ip	dest_port	City	Country
2019-01-21 17:56:20	FW_Drop_all_from_WAN	input	(unknown 1)	(unknown 0)	na	UDP	192.168.0.1	42597	192.168.0.1	53	Unknown	 
2019-01-21 17:56:20	FW_Drop_all_from_WAN	input	(unknown 1)	(unknown 0)	na	UDP	192.168.0.1	57660	192.168.0.1	53	Unknown	 
2019-01-21 17:56:20	FW_Drop_all_from_WAN	input	(unknown 1)	(unknown 0)	na	UDP	192.168.0.1	56630	192.168.0.1	53	Unknown

And I wil try the solution with an extra Drop rule in the firewall.

Jotne · Mon Jan 21, 2019 7:34 pm

It looks like your router tries to resolve DNS on it self and get blocked.
From router console try this.

:put [/resolve mikrotik.com]

You should get an IP as result, like 159.148.147.196

zandhaas · Mon Jan 21, 2019 8:20 pm

I get the same IP as a result biut perhaps My PI-Hole implementation has something to do with it.

I'm using PI-Hole as an "Ad blocker for my Internal network"
And for this I'm using DHCP option 6 to force all internal clients to go to the PI-Hole server for the DNS resolving.

By the way I changed the "Drop all from not coming from LAN" rule.
I replaced the "In Interface list" from !LAN to "In Interface" Ether1-WAN.

This seemed to have resolved my issue.

Jotne · Tue Jan 22, 2019 8:43 am

2.6 released

# 2.6 (22.01.2019)
# Added information about fast track in "traffic monitor"
# Fixed typo in Traffic view. Added fast track info
# Changed to checkbox in "DNS Request"
# Added better sparkline "in Device List"
# Added identity to "Device List"
# Updated script to get identity
# Removed parentheses from services from "MikroTik uPnP"
# Added ip to client drop-down list to "MikroTik uPnP"
# Added more disk info to "MikroTik Resources"
# Changed to last 12 hour instead of 4 in "MikroTik DNS Live usage"
# Changed to sort by count in "Sort by count"
# Added timeline dashboard to "DNS Request"
# Fixed public IP speed by reducing lookup in "Traffic"

zandhaas · Tue Jan 22, 2019 11:05 am

I see some strange things happen.

I have added three devices to the Splunk Mikrotik environment.

1. RB750Gr3 as a router. (sending over UDP 514)
2. HAPac2 configured as a switch (Accesspoint) (sending over UDP 515)
3. Mikrotik CHR as Dude server. (sending over UDP 516)

Everything seems to log all information to splunk but after somtime the data of the HAPac2 is not examind any more by Splunk.
After restarting the splunk server Everything is OK again for a short time.
The Router and the DUDE server have no issues.

When i check the Splunkd.log file I see a lot "Failed to parse timestamp" messages for the HAPac2 syslog.

01-22-2019 09:46:45.504 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:515|host=192.168.0.8|syslog|

What can be wrong?

This morning I updated to version 2.6.
But I had this problem before. So it is not version related.

Jotne · Tue Jan 22, 2019 11:40 am

It may be that the props filter only look at UDP:514 and syslog.
When data comming in on UDP:515 it will not see that its MikroTik data.

You can fix this by edit etc/apps/MikroTik/default/props.conf and add

[source::udp:515]
TRANSFORMS-dns=remove_dns_query,remove_dns_answer
TRANSFORMS-force_mikrotik = force_mikrotik

[source::udp:516]
TRANSFORMS-dns=remove_dns_query,remove_dns_answer
TRANSFORMS-force_mikrotik = force_mikrotik

But my questioon to you is, why use more than on UDP?
I do see noe good reason to use on port for each device. Send all to UDP/514

zandhaas · Tue Jan 22, 2019 1:10 pm

I started with using port 514 for all 3 mikrotik devices.
At that moment I had the same problem. No data in visible in Splunk.
After that I changed to port 515 and restarted splunk. And yes I saw data in Splunk. but some time later Splunk stopped showing data in the graphs.
Then I restarted splunk again and yes Splunk is showing data for an hour or so.
The Router and the Dude device are showing Up as expected.

See the picture below:

2019-01-22 11_52_06-MikroTik Wifi strength _ Splunk 7.png

At the moment I changed all 3 devices back to UDP port 514. With the same result as before.

I still see below messages in the splunkd.log file saying it suppresses messages:

01-22-2019 12:02:41.342 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|\n                                1295 similar messages suppressed.  First occurred at: Tue Jan 22 11:57:40 2019
01-22-2019 12:02:41.342 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|
01-22-2019 12:02:41.345 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|
01-22-2019 12:02:41.348 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|
01-22-2019 12:02:41.350 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|
01-22-2019 12:02:41.350 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|
01-22-2019 12:02:41.351 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|
01-22-2019 12:02:41.351 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|
01-22-2019 12:02:41.352 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|
01-22-2019 12:02:41.352 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|
01-22-2019 12:02:41.356 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|

Jotne · Tue Jan 22, 2019 1:19 pm

Do examine time on all your devices. It must be in sync.
Do use NTP on all devices to make sure time is ok.

zandhaas · Tue Jan 22, 2019 1:52 pm

The router is used as the timeserver for my local environment.
the HAPac2, the Dude server and the Splunk server synchronize time with the router and all have the same time and date.

Jotne · Wed Jan 23, 2019 9:57 am

It may have something to do that you have used different UDP ports. I may not recognize the message correctly.
You may try to start over and follow the example step by step.

zandhaas · Wed Jan 23, 2019 7:10 pm

I made some progress.

After an other look at the messages in the splunkd.log file

01-22-2019 12:02:41.350 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Tue Jan 22 00:20:00 2019). Context: source=udp:514|host=192.168.0.8|syslog|

I focused on the MAX_TIMESTAMP_LOOKAHEAD option. according to the default props.conf file this option default to 32 for syslog events.
Looking at the mikrotik log events the consists of 19 characters (excluding the mili seconds).

To change the default 32 to 19 I added the MAX_TIMESTAMP_LOOKAHEAD option to the "/opt/splunk/etc/apps/MikroTik/default/props.conf " file and restarted Splunk.

[syslog]
TRANSFORMS-force_mikrotik = force_mikrotik
MAX_TIMESTAMP_LOOKAHEAD = 19

After this change I do not see the above message in the Splunkd.log file anymore. And more important, the Hapac2 is logging events for more as 3 hours now. This is already an hour longer as before (max 2 hours).

I will keep an eye on the Mikrotik splunk environment to see if everything keeps running.

Jotne · Wed Jan 23, 2019 9:11 pm

Interesting. Have not used much time in my splunkd.log, but have the same problem as you,
But only in one of 4 routers. Other are ok.

Tried bot 19 and 23 but still get samme message.

01-23-2019 20:08:40.136 +0100 WARN  DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (23) characters of event. Defaulting to timestamp of previous event (Wed Jan 23 20:08:39 2019). Context: source=udp:514|host=193.1.1.100|syslog|

zandhaas · Wed Jan 23, 2019 10:41 pm

At my site it was 1 out of 3 that failed and I was missing information for that router.
Are you also missing data?
After the change my failing router is still visible in Splunk so for mee it seems the solution.
But I did not check the log files that come from the routers. Do you now were I can find them?
Perhaps it has something to do with too many events during a short time period.

We need to debug this.

Regards Peter

Jotne · Thu Jan 24, 2019 8:12 am

I do get event from all routers. To see if you get from one specific router use search and type host=1.2.3.4 (change to your IP)

Egert143 · Fri Jan 25, 2019 3:38 pm

Hello

Could i get instructions how to create splunk source type manualy ? I have splunk light (paid) and it doesent support apps (as far as i know).

Current problem is that source and dest addres fields are merged with port numbers.

Jotne · Fri Jan 25, 2019 10:07 pm

I have no idea on how to use Splunk Light.
In normal Splunk, source type based on the source it comes from udp:514

props.conf

[source::udp:514]
TRANSFORMS-force_mikrotik = force_mikrotik

transforms.conf

[force_mikrotik]
DEST_KEY =  MetaData:Sourcetype
REGEX =  \sMikroTik:\s
FORMAT =  sourcetype::mikrotik

Egert143 · Sat Jan 26, 2019 10:07 pm

And how would i turn 123.123.123.123:1234->12.34.45.67:80 to Source Address = 123.123.123.123 Source Port = 1234 Dest Address = 12.34.45.67 Dest Port 80 So they would be searchable ?

Jotne · Sat Jan 26, 2019 11:02 pm

The traffic solution are based on that you have private ip inside your net and public on the outside.
Private IPv4 addresses
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

But if you like to log other IP and know what is inside/outside, you have to modify the Splunk files.

Edit:
MikroTik Traffic
Replace all

 | search (ip_in="10.0.0.0/8" OR ip_in="172.16.0.0/12" OR ip_in="192.168.0.0/16")

with

 | search ip_in="12.34.45.0/8"

That if you like 12.34.45.0/8 to be your inside net.

JieYu2001 · Fri Feb 01, 2019 8:41 am

Where can I find the link to download MikroTik2.6 spl? Thanks.

zandhaas · Sat Feb 02, 2019 9:47 pm

In the first post of this topic

Or the below link
download/file.php?id=35231

JieYu2001 · Mon Feb 04, 2019 9:40 am

Thanks zandhaas - I got it downloaded.

I also installed everything per our topic owner Jotne's procedure but cannot get the data flow from MikroTik to Splunk, after verifying port 514 is open. Upon diving into some details, I suspect it's due to the lack of SSL of my MikronTik (192.168.88.1 shows "Not secure") - anyone know if this is the root cause? If yes what is the easiest way to enable SSL under RouterOS v6.40.8 and Win10? Appreciate any tips there.

Jotne · Tue Feb 05, 2019 10:55 am

There are no certificates involved in the transaction. All data are sent using UDP/514 Syslog (not encrypted).

In Splunk search, type only a * and do a search for the last 24 hour. Do you see any data at all?
Make sure you follow all steps in the first post 1 by 1.
Do you have any deviation? Using a clean Splunk install? Windows firewall opened if you run on Windows?

JieYu2001 · Wed Feb 06, 2019 7:16 am

Thanks Jotne. Now I see the data (events) through the Splunk search, though MikroTik2.6 app still not sees the data yet and I am still debugging.

BTW the Splunk observed event entry looks like - do you see any anomaly there?

2/5/19
9:09:54.000 PM
Feb 5 21:09:54 router.lan Feb 5 21:09:54 MikroTik MikroTik: Router = 192.168.88.1
host = router.lan
source = udp:514
sourcetype = mikrotik

Jotne · Wed Feb 06, 2019 8:22 am

Can you post some example line from search in Splunk that shows what you got in the log from using * search?

Do you have tagget all packet with MikroTik? This will fail Mikrotik since its not the same name.

JieYu2001 · Thu Feb 07, 2019 6:19 am

Hi Jonte, here're three snapshots

1. Splunk Event entry sample from the MikroTik UDP feed - great if you can help review the "Host", "Source", "Sourcetype" field to see if they are right for the MikroTik2.6 App

Splunk Event Entry from UDP and MikroTik.png

2. Splunk UDP input setting

Splunk UDP Input Setting.png

3. MikroTik2.6 App snapshot (system change search, with no data found while the Splunk search gives items like above)

Splunk MikroTik 2.6 App Lauch Snapshot.png

Thanks

Jotne · Thu Feb 07, 2019 8:27 am

1. Is this the only type of event you see?

Here are some example on how they should look like: (various modules)

firewall,info MikroTik: NAT_Web_server dstnat: in:ether1-Wan out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 91.12.58.49:49145->92.220.200.251:80, len 60
dhcp,debug,packet MikroTik:     Parameter-List = Subnet-Mask,Router,Domain-Server,Domain-Name,NETBIOS-Name-Server,Static-Route
dns,packet MikroTik: --- sending reply to 10.10.10.244:53720:
script,info MikroTik: script=health voltage=24 V temperature=42 
wireless,info MikroTik: 04:62:73:xx:xx:21@wlan1 established connection on 2437000, SSID GjestenettHMN
ipsec MikroTik: invalied encryption algorithm=6.
interface,info MikroTik: ether1 link up (speed 100M, full duplex)

Have you followed tutorial in post#1?
Do you use Splunk for other stuff?

JieYu2001 · Thu Feb 07, 2019 10:26 am

Hi I followed your first post but skipped 2c~2e (FW/NAT/Traffic logging since not sure about the detailed steps). I did have Home Monitor app before that affected the MikroTik data inputs, and I have it removed so the data inputs seems right (though not complete if without 2c~2e). The question I have is that, even with incomplete but valid data (say only DHCP request part), should MikroTik2.6 App see them and populate some view right? But now it seems the app does not pick up anything and I am not sure if the app has access to the log. Thanks.

Jotne · Thu Feb 07, 2019 11:52 am

You should get DHCP and other stuff from the router if you skipped 2c-2e.
Thats why I asked about how the log lines looks like.
You could use a search for host=192.168.88.1 and post some line.

JieYu2001 · Mon Feb 11, 2019 9:17 am

Thanks again Jotne. Here's a screenshot. Seems the Splunk events have the right contents, but the format is different from yours.

Splunk MikroTik 2.6 Event Snapshots.png

Basically, before the identifier "MikroTik", there are timestamps and another "MikroTik", but without the log field name like "dns,packet" as in your snapshots.
I copied the MikroTik scripts exactly, so do you think I missed something on the Splunk side? My Splunk version is 7.2.3.

zandhaas · Mon Feb 11, 2019 9:44 am

Are you sure your "router script" is complete?

I had problems getting my data visible in splunk to.
It turned out that I missed the last "}" in the Router script.

JieYu2001 · Mon Feb 11, 2019 10:04 am

Hi Jotne ~ some progress - for some reason, the "Module" field picks up part of the timestamp (the Month) since their is no syslog field name for some reason (the event item format difference I mentioned). After tweaking the Volt/Temperature code (removing the module key from the search), I was able to get that view right. Encouraged and will see how to get the module field right in the first place - help appreciated.

Splunk MikroTik 2.6 Volt_n_Temp.png

Larsa · Mon Feb 11, 2019 12:04 pm

Since I'm not a Splunk expert I wonder if anyone has some bright ideas how to optimize Splunk / Mongodb?

We have about 15.5 million entries and the reports are getting really slow to produce. In a regular SQL database you can run a "Query Execution Plan" and then add indexes to columns that performs table scans. Is there an equivalent way in Splunk or any other way to optimize the environment? We're running Splunk with 12 cores, 20 Gb ram and SSD which ought to be sufficient.

Any suggestions are welcome!

Jotne · Mon Feb 11, 2019 6:41 pm

@Larsa
Not sure if I could help with this. But when you have a lot of data, its sometime better to do a summary indexes that is based of for example 1 hour reports. Then you get less data to search trough.

I do recommend that you start a thread about your problem over here:
https://answers.splunk.com/index.html

Jotne · Mon Feb 11, 2019 6:51 pm

@JieYu2001

There are some wrong with extraction of the data in the Splunk or the format that your MT Router sends it.
In List view in Splunk your should not see time and date in the Event space, only in Time column.
In your view, I do not see it only one time extra, but two times in front of the data. This breaks all view.
You get it to work since you adjusted to view to accept your wrong data.
source=udp:514 and sourcetype=mikrotik looks correct.

I would recommend you to start over.
Clean Install of Splunk, remove all connection to Splunk in your router.

@zandhaas
You do not need the script to get data inn to splun, so it could also be removed to rule out problems.

JieYu2001 · Tue Feb 12, 2019 9:26 am

Thanks Jotne - the issue is resolved. In the MK Logging setting, I checked "BSD Syslog" which caused issue (still don't know why since that is the correct syslog protocol supported in Splunk). Uncheck it and things look fine now.

Jotne · Tue Feb 12, 2019 3:08 pm

There was nothing in the first post telling you to select it so not sure why you did it.
Will update post #1 to say not to select it.
Good you find out what was wrong

Larsa · Tue Feb 12, 2019 9:07 pm

Not sure if I could help with this. But when you have a lot of data, its sometime better to do a summary indexes that is based of for example 1 hour reports. Then you get less data to search trough.I do recommend that you start a thread about your problem over here: https://answers.splunk.com/index.html

Thanks for the suggestion, I'll report back if I find out an appropriate solution!

oaas · Fri Feb 15, 2019 5:41 pm

Great work!

Had some issues with parsing messages from one cAP ac where the messages suddenly dropped due to "Failed to parse timestamp" warning messages.

Seems it got solved by adding

TIME_FORMAT = %b/%d/%Y %H:%M:%S

to the props.conf file.

Please consider adding this to future releases.

/Thanks

frankcale · Sun Feb 17, 2019 11:28 am

Hi, Can u pls help with displaying Vlan info

Jotne · Sun Feb 17, 2019 11:59 am

Not sure what you asks for.
A list of Vlan on the router?
Traffic going trough Vlan?

frankcale · Sun Feb 17, 2019 4:59 pm

Hi, Can u include vlan traffic monitoring and if possible protocols like youtube, torrent, updates, etc

Jotne · Sun Feb 17, 2019 7:30 pm

Protocol are complicated to monitor due to https, near to impossible.
Vlan can be monitored used SNMP or you can use script and syslog to send data.

Jotne · Tue Mar 05, 2019 12:19 pm

Updated 1a to mention that you need an account at splunk.com to download software.
Account is free to create.

ithelp · Wed Mar 06, 2019 6:18 am

Hi, thanks for this magnificent explanation.
Can you give me on how to see the PPP and PPPOE information from the log?
I've already configure it on the rules tab, but nothing shows on any dashboard.
Thanks,

Jotne · Wed Mar 06, 2019 8:09 am

I do not have PPP nor PPPOE so I can not easily make log for it.

But if you could post 3-4 pages of logs that involves PPP and PPPOE output I could have look at it.

cavin12 · Thu Mar 07, 2019 12:32 pm

thanks for such a clear presentation for the newbies to understand, appreciate the efforts.

neutronlaser · Sat Mar 16, 2019 8:07 pm

Price is ridiculous.

Jotne · Sat Mar 16, 2019 9:40 pm

500MB/day for free is ridiculous much to pay.

But I do agree that if you pay retail price for Splunk and need eks 500GB/day, price is high.

Halfeez92 · Mon Apr 29, 2019 9:25 am

Hi how can I remove the MikroTik device list in the splunk dashboard view? I have multiple same devices showing up because I forgot to disable NAT and enable routing. Now it have 2 same devices with different IP

Jotne · Mon Apr 29, 2019 1:14 pm

I am not sure what you mean. All MT send their IP when sending syslog, not the identity name.
So if you select the host drop down in each view, it shows what IP logs comes from.

If its data that are already been logged in splunk you like to remove, do a search for what to remove and then add delete.
Like his:

your search | delete

PS this just mark data as deleted so they does not who up in logs. It does not remove any data.

Halfeez92 · Mon Apr 29, 2019 7:08 pm

I am not sure what you mean. All MT send their IP when sending syslog, not the identity name.
So if you select the host drop down in each view, it shows what IP logs comes from.

If its data that are already been logged in splunk you like to remove, do a search for what to remove and then add delete.
Like his:
Code: Select all
your search | delete
PS this just mark data as deleted so they does not who up in logs. It does not remove any data.

Ok thanks for the help. Already delete the duplicate device.

Jotne · Mon Jun 10, 2019 5:49 pm

Updated section 2c regarding Log prefix.

NB Do not use more than 20 charters, or else it start to clip other part of the log

firewall,info MikroTik: 123456789012345678901234567890 : in:ether1-Wan ...
firewall,info MikroTik: 1234567890123456789012345 forwa: in:ether1-Wan ...
firewall,info MikroTik: 12345678901234567890123 forward: in:ether1-Wan...
firewall,info MikroTik: 12345678901234567890 forward: in:ether1-Wan ...

As you see here the chain word forward is eat'n up by the prefix.
MT is this a bug???
If not, set a warning in the gui

Jotne · Thu Jun 13, 2019 1:54 pm

Updated section 2f)

Script updated to collect and show how many dynamic/static address lists entry there are.
Eks output

script,info MikroTik: script=address_lists list=rdp_stage2 dynamic=24 static=0
script,info MikroTik: script=address_lists list=rdp_stage1 dynamic=28 static=0
script,info MikroTik: script=address_lists list=ftp_stage2 dynamic=1 static=0
script,info MikroTik: script=address_lists list=ftp_stage1 dynamic=1 static=0
script,info MikroTik: script=address_lists list=black_list_rdp dynamic=42 static=0
script,info MikroTik: script=address_lists list=black_list_ftp dynamic=1 static=0
script,info MikroTik: script=address_lists list=Whitelist_IP dynamic=3 static=2
script,info MikroTik: script=address_lists list=Router dynamic=0 static=1
script,info MikroTik: script=address_lists list=IPSEC dynamic=1 static=0
script,info MikroTik: script=address_lists list=FW_Block_user_try_unkown_port dynamic=1089 static=0
script,info MikroTik: script=address_lists list=Clients dynamic=0 static=2
script,info MikroTik: script=address_lists list=Blocked dynamic=1 static=7

This will later be used in its own graph to see variation in the lists.

PS only one IP en the ssh black list black_list_ssh is due to that I do not use default port.

You can update script only and wait for new Mikrotik Splunk app to be updated later.

zandhaas · Thu Jun 20, 2019 9:59 am

Hello Jotne,

I want to upgrade my Splunk version 7.2 environment tot Splunk 7.3

Is the mikrotik app compatible with Splunk 7.3?

Jotne · Thu Jun 20, 2019 1:43 pm

Yes, I do try to not use anything special in the APP so it should be compatible with all new version.

Jotne · Fri Jun 21, 2019 9:29 pm

Updated section 2f)

Updated script to v2.4 and fixed reserved DHCP leases to be taken inn to account.

pidde · Sun Jun 23, 2019 2:59 am

Hi!

Must say you did a great work with this app!
Is it possible to add option82 to dhcpserver part?
And is it also possible decode the option82 from hex?

zandhaas · Tue Jun 25, 2019 10:34 am

Updated section 2f)

Updated script to v2.4 and fixed reserved DHCP leases to be taken inn to account.

When I look at the current script under 2f I only see the "# Collect DHCP Pool information" part.

It seems the rest of the script is missing.

Jotne · Tue Jun 25, 2019 1:09 pm

You are 100% correct. Copy past error.

Fixed.

PS It's getting closer to the release of v 2.7 of Splunk for MikroTik

Jotne · Fri Jun 28, 2019 2:10 pm

Script to get information on the router is upgraded to 2.6 section 2f

Simpler DHCP calculation.
Fixed comment so it start on the beginning of the line.
Fixed Script names

Jotne · Mon Jul 01, 2019 1:15 pm

Upgraded to 2.7

There are a lot of new changes to the app as listed below, so its a larger upgrade.
Simplest way to upgrade, if you have not made changes your self, remove (uninstall) previous version, install new version.
Please report any problems back to this thread, and I will try to fixed.

PS If you do upgrade, you also need to upgrade script in section 2f (fist post) on all router you like to get data from.
Just cut/past the script over the old one.

PS2 File is found under section 1g first post

Request to changes are also welcome

What new:
# 2.7 (01.07.2019)
# New view added "Address Lists Counters"
# Changes most view to use "Base Search"
# Changed "MikroTik DHCP request" to use stats and fixed host flaw
# Changed "MikroTik System Changes" to use 30 day and 4 hour span and maxspan in transaction
# Removed changes to "DHCP leases" in "MikroTik System Changes"
# Added search in dropdown for "MikroTik DNS Live usage"
# Added Time picker for "MikroTik Device List"
# Speeded up "MikroTik Remote Connection"
# Fixed wrong timestamp of packets logged
# Changed "MikroTik DHCP request" to use stats and fixed host flaw and maxspan in trnsaction
# Added search in dropdown for "MikroTik DNS Live usage" and added IP to client and change sorting
# Fixed "MikroTik DNS request" to use correct dropdown lists
# Fixed "MikroTik Firewall Rules" to use better searh, removed base level, added counters, long prefix
# Rewritten "MikroTik Live attack" to speed up and added more dropdown
# Fixed "MikroTik Resources" to give correct host number
# Changed "MikroTik System Changes" to use 30 day and 4 hour span, removed DHCP info
# Fixed "MikroTik Traffic" to use script= and some clean up
# Fixed "MikroTik uPnP" script name, added ip to dropdown
# Added to ">MikroTik Uptime" dropdown menu
# Fixed "MikroTik Volt/Temperature" sorting
# Fixed "MikroTik VPN Connection" faster search
# Fixed "MikroTik Web Proxy" sorting and some code clean up
# Changed "MikroTik Wifi strength" to use script tag and some clean up
# Added "dashboard.css" to set menu color global
# Fixed "props.conf" to better handel wrong prefixed and some other changes

fengyuclub · Wed Jul 03, 2019 5:36 am

I have been paying attention to this post, very powerful chart, but the cumbersome construction and the lack of relevant knowledge have been unsuccessful. I can only temporarily use the mrtg icon inside routeros to temporarily cope with it. I hope the poster can write the deployment manual from the perspective of the technology-poor. .

Jotne · Wed Jul 03, 2019 3:17 pm

Its written so that a user with some knowlege should be able to set it up.
You can start by telling me what your problem is, and we may be able to help you out.

fengyuclub · Sat Jul 06, 2019 6:50 am

Reinstalled splunk on ubuntu18.04, is a virtual machine under esxi, the deployment is very simple and normal, according to the steps of the top post, but the splunk dashboard can not see the task data incoming. Very strange, what else do I need to pay attention to? Please forgive my English using Google Translate, I am from China

1.png

Jotne · Sat Jul 06, 2019 10:43 am

After starting Splunk, go to Search & Reporting menu. Add following search:

sourcetype=mikrotik

and set last 24 hour.
Do you then see any data?
If not try to just use a * (star) and last 24 hour.
If you do not see any data, make sure
Router is sending data to correct IP/Port.
Splunk is listening on correct IP/port
No local firewall (Windows/Linux) are blocking incoming data.

fengyuclub · Mon Jul 08, 2019 12:57 pm

After starting Splunk, go to Search & Reporting menu. Add following search:
Code: Select all
sourcetype=mikrotik
and set last 24 hour.
Do you then see any data?
If not try to just use a * (star) and last 24 hour.
If you do not see any data, make sure
Router is sending data to correct IP/Port.
Splunk is listening on correct IP/port
No local firewall (Windows/Linux) are blocking incoming data.

According to what you said carefully, but still can not receive the data, I introduced the cdb1016 log file db format, can be displayed to splunk, indicating that splunk no problem, is the data input problem, I see ros is the log The output is udp514 port, but I only see tcp listening port settings in splunk's receiving settings. Is this the reason?

1.png

2.png

3.jpg

Jotne · Mon Jul 08, 2019 1:36 pm

It need to be UDP/514. Its there Router OS sends its syslog.

But:
If you use UDP/514, you need to run Splunk as root user. (allow ports below 1024 need root permission)
If you can not do that, there are two workaround.
1. Send syslog to other port above 1023, like 1514 for UDP syslog.
2. Set up a local syslog server like r-syslog and let Splunk read the lr-syslog log files.

PS updated original post with this information.

fengyuclub · Tue Jul 09, 2019 5:51 am

There is no local listening udp514, now there is data in, but click on the meter in the Mikrotik2.7 dashboard, most of them do not have any charts, how to add or customize the dashboard you need here, for example, I want The wan's real-time or past and downstream traffic in a certain period of time, as well as the system temperature, the number of online hosts, and so on. How to do it?

Jotne · Tue Jul 09, 2019 8:29 am

514 UDP do need to be active
Do you run it on Linux?

If so, as Root, type:

netstat -opan | grep 514

You should see one line like this:

udp        0      0 0.0.0.0:514             0.0.0.0:*                           23557/splunkd        off (0.00/0/0)

if not UDP/514 is not running.

One the mikrotik, post the output of:

/system logging export

You should see some like:

# jul/09/2019 07:26:37 by RouterOS 6.43.16
# software id = E4B6-94N8
#
# model = RouterBOARD 750G r3
# serial number = 6F3806E0A160
/system logging action
set 3 remote=ip_your_syslog_server
/system logging
set 0 disabled=yes
add action=remote prefix=MikroTik topics=dhcp
add action=remote prefix=MikroTik topics=hotspot
add action=remote prefix=MikroTik topics=!debug

There should be IP for your server, and prefix for all action with MikroTik. If one letter is wrong in the prefix, it will fail. See capital M and T in the MikroTik.

fengyuclub · Thu Jul 11, 2019 1:03 pm

It’s true that I set it wrong, Mikrotik changed to MikroTik, and it should be fine, then I will report it.

haaroons · Thu Jul 11, 2019 1:32 pm

Hello Jotne,
I am new to this forum.

I have install MikroTik logs 2.7.

MikroTik DNS Live usage and MikroTik DNS Live request is not working. if i do search eventtype=dns_query No item found

Do advice how to fix this.

Jotne · Thu Jul 11, 2019 11:43 pm

DNS information are coming from standard logs on the router.

What do you get if you go to search window and search with the following line:

sourcetype=mikrotik earliest=-24h latest=now() | stats count by module

I do get some like this:

module		count
dhcp		12764
dns		324512
firewall	1349
ipsec		7
script		91182
upnp		308

fengyuclub · Fri Jul 12, 2019 6:02 am

The data is coming, some of the tables are already filled, some still have no data, such as dns, it doesn't matter, I want to know how to monitor the flow table of an interface (wan), just like mirkrotik's built-in mrtg chart, every 5 minutes, 30 minutes and so on. . . As shown

1.png

Jotne · Fri Jul 12, 2019 8:05 am

That is why I need the output of the above command.
Some data are coming from the logg.
Some are comming from scripting

Log:
-------
dhcp,dhcp_static,dns,firewall,ipsec,upnp

script:
-------
IPSEC_failed,address_list,healt,pool,resource,sysinfo,traffic,uncounted,upnp

So I guess you have some log problems. Read section 2b carefully.

fengyuclub · Fri Jul 12, 2019 11:42 am

Splunk is too powerful. If I have multiple ccr1016, how can I transfer data to the splunk server, how do I distinguish syslogs from different mikrotik routers?

Jotne · Fri Jul 12, 2019 1:29 pm

All the view for MikroTik in Splunk has a host drop down. So if you have more than one router, just select the host you like to monitor.
There is one possible problem, if you have many routers with same IP that sends log to same Splunk.
That could be solved using unique ID for each router and some small change to the code.

fengyuclub · Mon Jul 15, 2019 6:24 am

How can I write the interface tx-bits-per-second parameter to the log and then plot it in splunk.

Jotne · Mon Jul 15, 2019 8:06 am

What command do you use on the router to see this data?

fengyuclub · Mon Jul 15, 2019 10:07 am

What command do you use on the router to see this data?

interface monitor-traffic ether1

Search forums see scripts with such calls

  "/interface monitor-traffic ether1 once do={
:put ($"tx-bits-per-second"/1000 /1000 )
}"

Jotne · Tue Jul 16, 2019 8:12 pm

It can be done.
I do use IP accounting to see the traffic going trough the router.
This way are more generic and does work without any modification.
If you monitor one and one interface, this has to be adopted for each setup.

fengyuclub · Fri Jul 19, 2019 5:03 am

{
:local iname;
:local monitor;
:local speedRX;
:local speedTX;
:local mbpsRX;
:local mbpsTX;
:foreach interface in=[/interface find] do={
:delay 100ms;
:set $iname [/interface get $interface name];
:set $monitor [/interface monitor-traffic $iname as-value once];
:set $speedRX ($monitor->"rx-bits-per-second");
:set $speedTX ($monitor->"tx-bits-per-second");
:set $mbpsRX (($speedRX/1000)/1000);
:set $mbpsTX (($speedTX/1000)/1000);
:put "$iname RX:$mbpsRX Mbps TX:$mbpsTX Mbps";
}
}

I found the script for this post available, but after running it is all interfaces, I don't want all interfaces, only a few interfaces are needed, for example, I only need ether1, ether2, how to modify the script, and how can I get it? Let him display in the log, I use the splunk search call, and display it as 14.5Mbps instead of 14528. I hope to get everyone's help.

Jotne · Fri Jul 19, 2019 9:29 am

Info
It seems that data you get from monitor are just moment blink of data going through the interface. So it will fly up and down for every time you run it. If it would be like cisco, average last 5 min, it would be perfect to rune every 5 min. Not sure if it are useful at as is.

If you have not renamed interface

:foreach interface in=[/interface find] do={

To

:foreach interface in=[/interface find where (name~"^ether1\$" || name~"^ether2\$") ] do={

or use regex

:foreach interface in=[/interface find where name~"^ether[12]\$" ] do={

Anchor ^ \$ are used to distinguish ether1 from ether11 etc.

Edit
You can use ID instead of name, so you can change from:

:set $iname [/interface get $interface name];
:set $monitor [/interface monitor-traffic $iname as-value once];

to

:set $monitor [/interface monitor-traffic $interface as-value once]

PS2, no need to declare variables, use them directly
do not divide data by 1000 two times, let splunk do that, so you do not loose any resolution
use equal sign for splunk to read data directly
you do not need semicolon behind each line ;

So final script could be some like this

:foreach interface in=[/interface find where name~"^ether[12]\$"] do={
	:delay 100ms
	:local iname [/interface get $interface name]
	:local monitor [/interface monitor-traffic $interface as-value once]
	:local speedRX ($monitor->"rx-bits-per-second")
	:local speedTX ($monitor->"tx-bits-per-second")
	:log info message="script=monitor interface=$iname RX=$speedRX bps TX=$speedTX bps"
	}

fengyuclub · Fri Jul 19, 2019 11:47 am

Your script, the regular expression method, no success without any output, it doesn't matter, my code is as follows
I want to know how to search for rich charts, and there are 14.8Mbps and 14833 display problems. This is not important. The important thing is how splunk draws charts.

mycode

{
:local iname;
:local monitor;
:local speedRX;
:local speedTX;
:local mbpsRX;
:local mbpsTX;
:foreach interface in=[/interface find where (name~"WAN-ether2") ] do={
:delay 100ms;
:set $iname [/interface get $interface name];
:set $monitor [/interface monitor-traffic $iname as-value once];
:set $speedRX ($monitor->"rx-bits-per-second");
:set $speedTX ($monitor->"tx-bits-per-second");
:set $mbpsRX ($speedRX/1000);
:set $mbpsTX ($speedTX/1000);
:put "$iname RX=$mbpsRX Kbps TX=$mbpsTX Kbps";
:log info "WAN-ether2 down RX=$mbpsRX Kbps";
:log info "WAN-ether2 up   TX=$mbpsTX Kbps"
}
:foreach interface in=[/interface find where (name~"adsl-tx") ] do={
:delay 100ms;
:set $iname [/interface get $interface name];
:set $monitor [/interface monitor-traffic $iname as-value once];
:set $speedRX ($monitor->"rx-bits-per-second");
:set $speedTX ($monitor->"tx-bits-per-second");
:set $mbpsRX ($speedRX/1000);
:set $mbpsTX ($speedTX/1000);
:put "$iname RX=$mbpsRX Kbps TX=$mbpsTX Kbps";
:log info "adsl-tx down RX=$mbpsRX Kbps";
:log info "adsl-tx up   TX=$mbpsTX Kbps"
}
:foreach interface in=[/interface find where (name~"bonding1") ] do={
:delay 100ms;
:set $iname [/interface get $interface name];
:set $monitor [/interface monitor-traffic $iname as-value once];
:set $speedRX ($monitor->"rx-bits-per-second");
:set $speedTX ($monitor->"tx-bits-per-second");
:set $mbpsRX ($speedRX/1000);
:set $mbpsTX ($speedTX/1000);
:put "$iname RX=$mbpsRX Kbps TX=$mbpsTX Kbps";
:log info "bonding1 down RX=$mbpsRX Kbps";
:log info "bonding1 up   TX=$mbpsTX Kbps"
}
}

After the schedule is displayed as follows

1.png

fengyuclub · Fri Jul 19, 2019 12:26 pm

Tested on other ccr1016 your script is successful, it should be the problem of the interface name, but it is important to draw the splunk graphics, I hope you can add to the new version.

3.png

Jotne · Fri Jul 19, 2019 1:38 pm

When you have multiple interface, use only one section, no a section for every interface

change

:foreach interface in=[/interface find where (name~"WAN-ether2") ] do={

to

:foreach interface in=[/interface find where (name~"WAN-ether2" || name~"adsl-tx" || name~"bonding1") ] do={

Test code that should output data to screen:

{
:foreach interface in=[/interface find where (name~"WAN-ether2" || name~"adsl-tx" || name~"bonding1") ] do={
	:delay 100ms
	:local iname [/interface get $interface name]
	:local monitor [/interface monitor-traffic $interface as-value once]
	:local speedRX ($monitor->"rx-bits-per-second")
	:local speedTX ($monitor->"tx-bits-per-second")
	:put "script=monitor interface=$iname RX=$speedRX bps TX=$speedTX bps"
	}
}

PS, when testing cut and past on the cli, you need to wrape all script in brackets {} !!!

PS how often would you like to run the script? every 5 min. Do you know if monitor could show average 5 min data?

Jotne · Fri Jul 19, 2019 1:58 pm

Try this

Add this to the Data_to_Splunk_using_Syslog script

# Get interface data (test)
# ----------------------------------
:foreach interface in=[/interface find where (name~"WAN-ether2" || name~"adsl-tx" || name~"bonding1")(name~"WAN-ether2" || name~"adsl-tx" || name~"bonding1") ] do={
	:delay 100ms
	:local iname [/interface get $interface name]
	:local monitor [/interface monitor-traffic $interface as-value once]
	:local speedRX ($monitor->"rx-bits-per-second")
	:local speedTX ($monitor->"tx-bits-per-second")
	:log info message="script=monitor interface=$iname RX=$speedRX bps TX=$speedTX bps"
	}

Then in Splunk do this search for the last 4 hour.

sourcetype=mikrotik script=monitor| timechart avg(RX) as RX avg(TX) as TX by interface limit=10

May take some time to nice graphs.

zandhaas · Fri Jul 19, 2019 7:06 pm

Nice,
I have added the additional script entries and changed the inteface names to the names I use.
But............
The sourcetype entry in the search entry schould be "sourcetype=MikroTik"

Jotne · Fri Jul 19, 2019 7:32 pm

In Splunk, search ignore case

Even if this works, I like better the view in Splunk MikroTik Traffic, that uses accounting for creating the graphs.
There you can see who is generating the traffic, compare to only see what interface traffic goes in/out.

zandhaas · Fri Jul 19, 2019 9:06 pm

Even if this works, I like better the view in Splunk MikroTik Traffic, that uses accounting for creating the graphs.
There you can see who is generating the traffic, compare to only see what interface traffic goes in/out.

The current "Mikrotik Traffic" overview is indeed a nice oveview.
But apart from knowing who is generating the traffic I am very interested in the amount of traffic that floats over each individual interface. And especially the WAN interface(s) and ISL interfaces. And when you see a bottleneck on one of your interfaces you can drill down to your traffic overview to identify the source of all that traffic.

fengyuclub · Sat Jul 20, 2019 5:46 am

Jotne，Great, I did it according to your script, and the beautiful chart shows normal. I tried to add scripts to my multiple ccr and routerboards, so my interface has a lot of duplicate names, such as bonding1 and bridge1, how can I distinguish between them, or change the name for each interface.

4.png

fengyuclub · Sat Jul 20, 2019 5:59 am

Understand, add host=x.x.x.x in front of the search statement you gave to open my ccr and rb.

fengyuclub · Sat Jul 20, 2019 7:10 am

Host=x.x.x.x Although this option is available, some devices have an internet connection that is a dynamic ip obtained by adsl dialing. So before the log warning, add an identity=xxxxx to distinguish the mikrotik device. After testing, it is feasible and runs very well.

Jotne · Mon Jul 22, 2019 10:24 am

@ fengyuclub
Nice to see you are getting it to work.

@ All
Section 2c) Logging prefix has been updated with sample on how to name to logs.

Jotne · Mon Jul 22, 2019 3:44 pm

Script in section 2f) updated to 2.9

It now support to get interface counters and you can also set modules true/false if you do not like to monitor one section.
If you do not have wifi/dhcp, you can just set them to false.

Jotne · Wed Jul 24, 2019 8:23 am

Script in section 2f) updated to 3.0

Do now get CDP neighbors

fengyuclub · Thu Jul 25, 2019 12:46 pm

Splunk is really powerful, I see splunk have a lot of apps to install, in our China use wechat (similar to facebook, telegram) this social software, I saw this social software related app, WeChat Alert App for Splunk, I installed this App, sending test messages from wechat is successful, but I don't know much about splun's alert settings, set it many times, only a single success, can you help me?

5.png

Jotne · Thu Jul 25, 2019 1:44 pm

No need for extra app to send message. Sending email using a gmail account is easy and works well.

But there is a big issue.

If you have a free Splunk license, you do loose a lot of thing.
* Monitor and Alerting (needed for sending alerts)
* 500MB pr day maximum
* Cluster
* Universal Forwarder
* HA
* Distributed Search
* Perfomance Acceleration
* Access controll (only on user)
* LDAP
+++

This is why I have not included any Alerting in the project.

There is a workaround. You can setup an batch job that runs search from command line and do stuff from it. (I have not tested it)

fengyuclub · Sat Jul 27, 2019 4:56 am

I have Splunk Enterprise license, gmail alert can't be real-time, mobile mail client can't update mail in real time, there is a delay of about 10 minutes, so I choose wechat alert.I received some wechat alert, but some of them use the search to save as an alert, I can't receive a wechat alert, I don't know where the problem is.

6.jpg

7.jpg

Jotne · Sat Jul 27, 2019 8:30 am

Splunk do handle real time alerts (or close to)
https://docs.splunk.com/Documentation/S ... TimeAlerts
It should not depend of type of action you are using, starting a program, sending sms, email, wechat etc. Alerts should go out.
But you should not use to many alerts, since it will use more CPU to handle them.

Not sure what your problem is.

Jotne · Fri Aug 02, 2019 10:20 am

Updated script to 3.1

Fixed CDP, since some devices sends long version with new lines breaking up the log lines. (Cisco)

PS still have problem that line is cut in Splunk. Not sure if its MT not sending whole line, or Splunk that cuts the lines.
I do only get 278 characters.