Jotne (Forum Guru, Topic Author)

Using Splunk to analyse MikroTik logs 2.7 (Graphing everything)

Fri Jul 27, 2018 11:23 am

Version 2.7 01.07.2019
Top_logo.jpg

Using Splunk to monitor and graph various data from our MikroTik routers is a nice and free way to help you show what is going on in your network.
Splunk is free to use for logging up to 500MB per day.

It can be used to monitor multiple devices. No ports need to be opened (like with SNMP monitoring). All data is sent from the device to the Splunk monitor. Devices could be all around the world.

PS:
Traffic monitoring does not work correctly while fast track is enabled. Turn it off and you may lose throughput, so it's something you should think about when using this type of monitoring. How to disable it: https://www.youtube.com/watch?v=6LaqhDm6PHI


What's new
A lot has changed since the previous version, so much that it's better to replace all MikroTik files on the Splunk server instead of trying to update files.
Before, data was collected in three ways.
1. Syslog
2. SNMP
3. Scripts (remote)
The problem with SNMP is that you have to add duplicate configuration in Syslog to handle each box you monitor.
The problem with scripts is that you need to set up a job on the Splunk server that SSHs in to each box to get data.
The script tools did not log the host IP, so you did not know what box the data was coming from.

SNMP and scripts have been removed and changed to a local script on the router that sends the needed data to Splunk using Syslog.
This way all data gets correctly marked and you know what router the data comes from.

latest changes
2.7 (01.07.2019)
# New added "Address Lists Counters"
# Changes most view to use "Base Search"
# Changed "MikroTik DHCP request" to use stats and fixed host flaw
# Changed "MikroTik System Changes" to use 30 day and 4 hour span and maxspan in transaction
# Removed changes to "DHCP leases" in "MikroTik System Changes"
# Added search in dropdown for "MikroTik DNS Live usage"
# Added Time picker for "MikroTik Device List"
# Speeded up "MikroTik Remote Connection"
# Fixed wrong timestamp of packets logged
# Changed "MikroTik DHCP request" to use stats and fixed host flaw and maxspan in transaction
# Added search in dropdown for "MikroTik DNS Live usage" and added IP to client and changed sorting
# Fixed "MikroTik DNS request" to use correct dropdown lists
# Fixed "MikroTik Firewall Rules" to use better search, removed base level, added counters, long prefix
# Rewritten "MikroTik Live attack" to speed up and added more dropdowns
# Fixed "MikroTik Resources" to give correct host number
# Changed "MikroTik System Changes" to use 30 day and 4 hour span, removed DHCP info
# Fixed "MikroTik Traffic" to use script= and some clean up
# Fixed "MikroTik uPnP" script name, added ip to dropdown
# Added to "MikroTik Uptime" dropdown menu
# Fixed "MikroTik Volt/Temperature" sorting
# Fixed "MikroTik VPN Connection" faster search
# Fixed "MikroTik Web Proxy" sorting and some code clean up
# Changed "MikroTik Wifi strength" to use script tag and some clean up
# Added "dashboard.css" to set menu color globally
# Fixed "props.conf" to better handle wrong prefixes and some other changes

Installation
1) On your PC (Windows/Linux)
-----------------------------------
1a) Download and install Splunk (Windows or Linux(recommended))
PS you need to create an account to download the file. Free to download and use (up to 500MB/day)
https://www.splunk.com/en_us/download/s ... prise.html

1b) PS: To install Splunk as a non root user, look here: viewtopic.php?p=677233#p677233
Splunk can run fine as the root user, but it is not recommended.

1c) Change to the free license group. Very important to do before 30 days of use. !!!!!!!!!!!!!!!!!!!!
Web gui:
1d) Settings->licensing->Change license group->Free license->Save

1e) Open Windows Firewall for UDP on Windows (On Linux it's not blocked)
Web gui:
Start->type "adv"->Select: Windows Firewall with Advanced Security->Select Inbound Rules->Right Click "Inbound Rules"->New Rule->Port->Next->UDP->Specific local ports->514->Next->Next->Next->Name "syslog"

1f) Allow UDP 514 (syslog)
Web gui:
Setting->Datainputs->Add new (behind the UDP)->Port 514->Next->Sourcetype type syslog and select syslog->Next-Submit

1g) Download the Splunk spl file:
MikroTik2.7.spl.zip
1h) Extract the spl file
From Start page in Splunk, click the gear behind Apps or
from the top menu click Apps->Manage Apps
Then select Install app from file and select the spl file

1i) A restart of Splunk may be needed.
Web gui:
Settings->Server controls->Restart Splunk

2) On Your MikroTik Router
-----------------------------
Before you set up logging, you should give your router a unique identity. Important if you have more than one router to monitor.
/system identity set name=Router-London-22
2a) Syslog
You need to make your Router able to send Syslog messages.
Web gui:
System->Logging->Action->Add New->Name (your server name)->Type:Remote->Remote Address:ip your syslog->Ok
Cli
/system logging action add name=logserver target=remote remote=192.168.1.50 remote-port=514
PS Do NOT select BSD Syslog. It will mess up the logging format.

2b) Then select what to log.
I do suggest that you send all DHCP logs including debug and all other logs that are not debug.
It is very important to name the prefix like this "MikroTik" and not "mikrotik" or some other.
Splunk uses the MikroTik prefix to find out what type of syslog data that is coming to it.
Uppercase T and uppercase M, rest are lowercase
Web gui:
System->Logging->Rules->Add new->Topics:dhcp->Prefix:MikroTik->action:your syslog server->Ok
System->Logging->Rules->Add new->Topics:!debug->Prefix:MikroTik->action:your syslog server->Ok
Cli:
/system logging add action=logserver prefix=MikroTik topics=dhcp
/system logging add action=logserver prefix=MikroTik topics=!debug
/system logging add action=logserver prefix=MikroTik topics=hotspot
PS Hotspot is not needed if you do not use it.

2c) Select what to log
To log the firewall and NAT rules, you need to turn on logging and add a Log Prefix (under Action).
Start all firewall rules you like to log with FW_ and then what it does, like this: FW_Blocked_list.
Same with NAT rules, start with NAT_ like this: NAT_RDP or NAT_Minecraft
NB Do not use more than 20 characters, or else it starts to clip other parts of the log

2d) You should at least log this rule "defconf: drop all not coming from LAN" with this prefix: FW_Drop_all_from_WAN
Web gui:
IP->Firewall->select: defconf: drop all not coming from LAN->Log:v->Log Prefix:FW_Drop_all_from_WAN
This will populate the MikroTik Live attack view.

2e) Accounting
To get accounting data, you need to enable it on the MikroTik router. (MikroTik Traffic dashboard)
Web gui:
IP-> Accounting -> Enable Accounting -> mark Threshold:2560 OK
Cli:
/ip accounting set enabled=yes threshold=2560
2f) Script
To get all the other data like traffic accounting, uPnP, system health, system resources and DHCP pool information you need this script on the MikroTik. It needs to be named: Data_to_Splunk_using_Syslog
I prefer to list the script without all the newline escapes etc. needed for cut and paste from the CLI, so do use WinBox or the Web GUI to add the script.

# Collect information from Mikrotik RouterOS
# v 2.8 Jotne
# ----------------------------------


# Collect system resource
# ----------------------------------
:local cpuload ([/system resource get cpu-load])
:local freemem ([/system resource get free-memory]/1048576)
:local totmem ([/system resource get total-memory]/1048576)
:local freehddspace ([/system resource get free-hdd-space]/1048576)
:local totalhddspace ([/system resource get total-hdd-space]/1048576)
:local up ([/system resource get uptime])
:log info message="script=resource free_memory=$freemem MB total_memory=$totmem MB free_hdd_space=$freehddspace MB total_hdd_space=$totalhddspace MB cpu_load=$cpuload uptime=$up"


# Get snapshot data (traffic data)
# ----------------------------------
# Test if fasttrack is enabled and give warning
:if ([/ip firewall filter find where (action=fasttrack-connection && !disabled)] != "") do={
        :log info message=("script=traffic,fasttrack=1")
} else={
        :log info message=("script=traffic,fasttrack=0")
}
# Test if accounting is enabled and if yes, get data
:if ([/ip accounting get enabled]=yes) do={
        /ip accounting snapshot take
# Get uncounted data
        /ip accounting uncounted {
                :log info message=("script=uncounted,bytes=".[get bytes].",packets=".[get packets])}
# Send data to logging server
        foreach logline in=[/ip accounting snapshot find] do={
                :local output "$[/ip accounting snapshot print as-value from=$logline]"
                :set ( "$output"->"script" ) "traffic"
                :log info message="$output"
        }
}


# Finding dynamic lines used in uPnP
# ----------------------------------
:foreach logline in=[/ip firewall nat find dynamic=yes] do={
	:local output "$[/ip firewall nat print as-value from=$logline]"
	:set ( "$output"->"script" ) "upnp"
	:log info message="$output" 
}


# Collect system information
# ----------------------------------
:local version ([/system resource get version])
:local board ([/system resource get board-name])
:local model ([/system routerboard get model]);
:local serial ([/system routerboard get serial-number])
:local identity ([/system identity get name])
:log info message="script=sysinfo version=\"$version\" board-name=\"$board\" model=\"$model\" serial=$serial identity=\"$identity\""


# Collect system health
# ----------------------------------
:if (([/system health get]~"state=disabled" || [/system health get]="")=false) do={
	:local voltage ([/system health get voltage]/10)
	:local temperature ([/system health get temperature])
	:log info message="script=health voltage=$voltage V temperature=$temperature C"
}


# Sends wireless client data to log server
# ----------------------------------
:do {
	:if ([:len [/interface wireless find ]]>0) do={
		:foreach logline in=[/interface wireless registration-table find] do={
			:local output "$[/interface wireless registration-table print  as-value from=$logline]"
			:set ( "$output"->"script" ) "wifi"
			:log info message="$output"
		}
	}
} on-error={}


# Count IP in address-lists
#----------------------------------
:local array [ :toarray "" ]
:local addrcntdyn [:toarray ""] 
:local addrcntstat [:toarray ""] 
:local test
:foreach id in=[/ip firewall address-list find] do={
	:local rec [/ip firewall address-list get $id]
	:local listname ($rec->"list")
	:local listdynamic ($rec->"dynamic")
	:set ( $array->$listname ) 1
	:if ($listdynamic = true) do={
		:set ($addrcntdyn->$listname) ($addrcntdyn->$listname+1)
	} else={
		:set ($addrcntstat->$listname) ($addrcntstat->$listname+1)}
}
:foreach k,v in=$array do={
	:log info message=("script=address_lists list=$k dynamic=".(($addrcntdyn->$k)+0)." static=".(($addrcntstat->$k)+0))}


# Collect DHCP Pool information
# ----------------------------------
/ip pool {
	:local poolname
	:local pooladdresses
	:local poolused
	:local minaddress
	:local maxaddress
	:local findindex

# Iterate through IP Pools
	:foreach pool in=[find] do={
		:set poolname [get $pool name]
		:set pooladdresses 0
		:set poolused 0

# Iterate through current pool's IP ranges
		:foreach range in=[:toarray [get $pool range]] do={

# Get min and max addresses
			:set findindex [:find [:tostr $range] "-"]
			:if ([:len $findindex] > 0) do={
				:set minaddress [:pick [:tostr $range] 0 $findindex]
				:set maxaddress [:pick [:tostr $range] ($findindex + 1) [:len [:tostr $range]]]
			} else={
				:set minaddress [:tostr $range]
				:set maxaddress [:tostr $range]
			}

# Add the number of IPs in this range (inclusive, hence +1) to the pool total
			:set pooladdresses ($pooladdresses + ($maxaddress - $minaddress) + 1)

# /foreach range
		}

# Test if the pool is used by a DHCP server or by VPN and count the leases in use
		:local servers [/ip dhcp-server find where address-pool=$poolname]
		:if ([:len $servers] = 0) do={
# No DHCP server found, assume VPN: count entries in /ip pool used
			:set poolused [:len [used find pool=[:tostr $poolname]]]
		} else={
# DHCP server found, count leases of the first server that uses this pool
			:local dname [/ip dhcp-server get [:pick $servers 0] name]
			:set poolused [:len [/ip dhcp-server lease find where server=$dname]]
		}

# Send data
		:log info message=("script=pool pool=$poolname used=$poolused total=$pooladdresses")

# /foreach pool
	}
# /ip pool
}

2g) Then schedule the script to run every 5 minutes:
/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog

If you have problems or comments, please feel free to ask :)

DNS_Live_usage.jpg
Volt_Temperature.jpg
Resources.jpg
Live_attac.jpg
Last edited by Jotne on Thu Jul 18, 2019 10:07 am, edited 66 times in total.
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
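As an added example (not part of the post above or of the Splunk app), here is a small Python parser for the syslog payloads the Data_to_Splunk_using_Syslog script emits, run over constructed sample events. It assumes the three message shapes the script produces: space-separated key=value (resource, pool, health, address_lists), the "key=value;key=value" string RouterOS builds for "print as-value" (traffic, upnp, wifi), and the comma form of the fasttrack flag. The sample lines, sender IPs and values are constructed, not captures; only the identity "Router-London-22" is taken from step 2 above. It shows why the prefix must be exactly "MikroTik" (a wrong-case prefix is not classified, which is what step 2b warns about), and derives the fasttrack warning and the pool utilisation the dashboards graph.

```python
import re
from typing import Optional

# Remote-logged lines arrive as "<topics> <prefix>: <message>". The app's props.conf keys on
# the exact prefix "MikroTik", so this match is deliberately case-sensitive (step 2b above).
PREFIX = "MikroTik: "
# One key=value pair: the value is either "quoted" or runs to the next space, ';' or ','.
FIELD_RE = re.compile(r'([\w.\-]+)=("[^"]*"|[^\s;,]*)')

# Constructed sample events as (syslog sender IP, payload). Not real captures.
SAMPLE_EVENTS = [
    ("192.168.1.1", "script,info MikroTik: script=resource free_memory=178 MB total_memory=256 MB "
                    "free_hdd_space=9 MB total_hdd_space=16 MB cpu_load=3 uptime=5d2h13m40s"),
    ("192.168.1.1", "script,info MikroTik: script=traffic,fasttrack=1"),
    ("192.168.1.1", "script,info MikroTik: .id=*1;bytes=52310;dst-address=192.168.88.10;dst-user=;"
                    "packets=71;src-address=198.51.100.20;src-user=;script=traffic"),
    ("192.168.1.1", "script,info MikroTik: script=pool pool=dhcp_pool1 used=47 total=50"),
    ("192.168.1.1", "script,info MikroTik: script=address_lists list=blocklist dynamic=12 static=3"),
    ("192.168.1.1", 'script,info MikroTik: script=sysinfo version="6.45.1" board-name="hAP ac" '
                    'model="hAP ac" serial=SERIAL-PLACEHOLDER identity="Router-London-22"'),
    ("192.168.1.2", "script,info MikroTik: script=traffic,fasttrack=0"),
    # Wrong-case prefix: what a logging rule configured with prefix=mikrotik would send.
    ("192.168.1.2", "script,info mikrotik: script=health voltage=24 V temperature=41 C"),
]


def parse_event(payload: str) -> Optional[dict]:
    """Return the event's fields, or None when the exact 'MikroTik' prefix is missing
    (the app's sourcetype rules would not classify such a line either)."""
    topics, sep, message = payload.partition(PREFIX)
    if not sep:
        return None
    fields = {"topics": topics.strip()}
    for key, value in FIELD_RE.findall(message):
        value = value.strip('"')
        # Integers become ints; everything else (uptime, ids, names, empty) stays a string.
        fields[key] = int(value) if value.lstrip("-").isdigit() else value
    return fields


def analyze(events) -> dict:
    """Walk (host, payload) pairs and derive the checks a defender wants from this feed."""
    findings = {"unclassified": 0, "fasttrack_hosts": [], "pool_usage": {}, "address_lists": {}}
    for host, payload in events:
        fields = parse_event(payload)
        if fields is None:
            findings["unclassified"] += 1
            continue
        script = fields.get("script")
        if script == "traffic" and fields.get("fasttrack") == 1:
            # Traffic monitoring is incomplete while fasttrack is on (see the PS in the post above).
            findings["fasttrack_hosts"].append(host)
        elif script == "pool" and fields.get("total"):
            findings["pool_usage"][(host, fields["pool"])] = round(100 * fields["used"] / fields["total"])
        elif script == "address_lists":
            findings["address_lists"][(host, fields["list"])] = fields["dynamic"] + fields["static"]
    return findings


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The same key=value extraction the app does in props.conf is done here by one regex so both message shapes land in one dict; the host comes from the syslog sender, exactly as Splunk fills the host field from the UDP source.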
 
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.0

Fri Jul 27, 2018 11:35 am

More screenshots
DHCP_pool_information.jpg
DHCP_request.jpg
Treaffic.jpg
Firewall_rules.jpg
DNS_request.jpg
Last edited by Jotne on Fri Jul 27, 2018 12:26 pm, edited 1 time in total.
 
 
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.0

Fri Jul 27, 2018 11:36 am

Screenshot 2
Remote_connection.jpg
upnp.jpg
Uptime.jpg
Wifi_connection.jpg
 
 
 
MSandoval (newbie)

Re: Using Splunk to analyse MikroTik logs 2.0

Fri Jul 27, 2018 3:04 pm

Hi Jotne. It really is a great job, thank you very much for sharing this new version. I'll try it and I'll update the post.

:D
 
MSandoval (newbie)

Re: Using Splunk to analyse MikroTik logs 2.0

Sat Jul 28, 2018 6:35 pm

Hi Jotne.
I have three specific issues that happen to me when I set up the new version.
The first is a warning about the props.conf configuration file that appears when I start Splunk. Attached image.
Image
http://subirimagen.me/uploads/20180728073918.jpg

The second thing is that the MikroTik DNS Request module did not work for me; it did not show me any information. But I solved it by changing this in the query.
Image
http://subirimagen.me/uploads/20180728101744.jpg
Make those changes and it worked correctly.

The third thing is that the MikroTik Traffic module worked partially because it does not bring me the information of "Percent data pr client". But I solved it by changing this in the query.
Image
http://subirimagen.me/uploads/20180728102956.jpg

Make the following changes and it worked correctly.
Image
http://subirimagen.me/uploads/20180728103102.jpg

Now everything I need is working correctly. Again, congratulations on the great job and especially for sharing it.
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.1

Sun Jul 29, 2018 6:13 pm

Thanks MSandoval for testing and feedback.

I have updated to v2.1.
It should hopefully correct all the errors in 2.0.
The errors were due to some manual changes I made on my installation because of a fixed IP.
This has now been removed, so I do use the same files as I post.

# 2.1
# Fixed typo in "MikroTik DNS request"
# Fixed wrong eval in "MikroTik Traffic"
# Removed search used locally in "MikroTik DNS Live usage"
# Removed not needed SED line from props.conf
 
 
 
MSandoval (newbie)

Re: Using Splunk to analyse MikroTik logs 2.1 (Graphing everything)

Tue Jul 31, 2018 12:36 am

Testing all the modules, I realized that the MikroTik Wifi connection module was not working at all. It did not bring data in the Connected section; it only showed data in Disconnected.
Image
http://subirimagen.me/uploads/20180730163143.jpg

What I found is that in the search criterion of the eventtypes, it only searches for connections with signal strength.
Image
http://subirimagen.me/uploads/20180730160920.jpg

To show more information, what I did was create a new event type that looks within the wireless messages sent by syslog for what is connected.
Image
http://subirimagen.me/uploads/20180730163417.jpg

Then, edit the criteria in the search performed by the query in the dashboard, adding the new criterion "eventtype = wifi_connected" to each query with "eventtype = wifi_connected_*".
Image
http://subirimagen.me/uploads/20180730162141.jpg

And with this it now showed information in the Connected section.
Image
http://subirimagen.me/uploads/20180730163559.jpg
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Tue Jul 31, 2018 8:06 am

Updated files to 2.2

# 2.2
# Removed Host info at the bottom in "MikroTik DNS Live usage"
# Fixed ownership of various dashboards
# Fixed "MikroTik Wifi connection" to show connected if it has no signal strength

@MSandoval
Thanks for the feedback and the effort to fix it :)

I did think that all connections showed signal strength.
What you have done is partially correct.

In eventtype.conf this:
search = "wireless,info *: connected"
will match both:
wireless,info *: connected
wireless,info *: connected, signal strength
So only this is needed (remove signal strength)
[wifi_connected]
search = "wireless,info *: connected"
Since eventtype [wifi_connected] does not change, no changes are needed in the dashboard.
 
 
 
santong7 (newbie)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Tue Jul 31, 2018 9:28 am

Where is the zip file?

Do you have any clue why Splunk on Linux stops logging after a while, and with a Splunk server restart it starts again and then after a while it stops again until the next Splunk server restart?

Same happens with the Windows Splunk version.
Electrical & Data Communications Engineer - MTCNA
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Tue Jul 31, 2018 9:37 am

File is there now, see this post why it was missing:
viewtopic.php?f=2&t=137476

Not sure why you have problems with Splunk. I have used it for many years and for me it's very stable.
Test a PC with Ubuntu 18.04 and Splunk. Should work very well together.
Windows should be ok too, but I do recommend Linux (feels much faster on the same hw)

Are you using the latest Splunk, downloaded from Splunk.com?

I will later, when I have time, post how to install Splunk as a non root user.
 
 
 
santong7 (newbie)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Tue Jul 31, 2018 10:56 am

File is there now, se this post why it was missing:
viewtopic.php?f=2&t=137476

Not sure why you have problem with Splunk. I have used it for many years and its for me very stable.
Test a PC with Ubuntu 18.04 and Splunk. Should work very vell together.
Windows should be ok too, but I do recommend Linux (feels much faster om same hw)

You are using latest Splunk, downloaded from Splunk.com?

I will later when I have time post how to install Splunk as a non root user.
I have Splunk running on Ubuntu Server 18.04 with the latest Splunk version 7.1.2.
When I first run Splunk it starts, then it stops, then I restart the server. You can see the empty log on the firewall timeline in the attached image.
Capture.PNG
I tried also to see if this happens with another syslog server application, like the Kiwi Syslog Server, and I am getting logs all the time without interrupts.

Any clue ?
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Tue Jul 31, 2018 11:23 am

No idea why it stops working.
I have run Splunk for years without it stopping by itself, always using Ubuntu Server.
Maybe there is some other stuff/software on your Ubuntu that kills it.
 
 
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Tue Jul 31, 2018 1:40 pm

How to install Splunk as a non root user.
It's a security risk to run everything as the root user, so if you can, you should use a dedicated user for your program.

This tutorial will show how to install Splunk as a user with the name splunk on your Ubuntu server (may work on others as well)

Download the latest Splunk Enterprise to your /tmp folder

Create the splunk user:
sudo useradd -c "splunk user" -m -s /bin/bash -U -d /opt/splunk splunk
Log in as the splunk user:
sudo su - splunk
Extract the Splunk software to the /opt folder (name of file will change with new versions):
tar xvzf /tmp/splunk-7.1.1-8f0ead9ec3db-Linux-x86_64.tgz -C /opt
Start your Splunk server (accept the license agreement and set a password for the Splunk admin user):
~/bin/splunk start
As root, make Splunk autostart with user splunk as a startup script:
sudo /opt/splunk/bin/splunk enable boot-start -user splunk
You should now be up and running. :)

Remember to use the splunk user whenever you change/add files or do anything else with Splunk from the CLI:
sudo su - splunk
PS:
If you run Splunk as a non root user then you can not use UDP/514 as a syslog receiver port in Splunk,
since all ports below 1024 need root permission to work.

Workarounds.
1. Send syslog to another port above 1023, like 1514 for UDP syslog. (need to change many routers to send to the correct port)
2. Set up a local syslog server like rsyslog and let Splunk read the rsyslog log files.
Last edited by Jotne on Mon Jul 08, 2019 1:39 pm, edited 1 time in total.
 
 
 
ismaelac2 (just joined)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Wed Aug 01, 2018 8:01 pm

Good job !! I'll test it, thanks for sharing Jotne !!
 
santong7 (newbie)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Thu Aug 02, 2018 11:34 am

No idea why it stops working.
I have run Splunk for years without it stopping by it self, always using Ubuntu Server.
Maybe there are some other stuff/software on you Ubuntu that kills it.

Finally, there is a problem with timestamps, found in splunkd.log
08-01-2018 15:52:07.610 +0300 WARN DateParserVerbose - Failed to parse timestamp in first MAX_TIMESTAMP_LOOKAHEAD (32) characters of event. Defaulting to timestamp of previous event (Wed Aug 1 02:35:00 2018). Context: source=udp:514|host=192.168.1.1|syslog|

And it stops logging.

This is an example of what MikroTik sends to me, on another syslog server
192.168.1.1 Jul 12 00:17:05 firewall,info DROP INPUT input in:pppoe-WAN out:(unknown 0), proto TCP (SYN), 79.129.108.120:41236->79.129.36.201:7547, len 44


Any workaround?
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Thu Aug 02, 2018 6:21 pm

You are missing a very important thing.
Where is your MikroTik tag?

A message needs to look like this:
Raw format:
firewall,info MikroTik: NAT_Web_Varg dstnat: in:ether1-Wan out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 195.29.234.174:8505->92.220.197.134:80, len 52
List format:
02/08/2018 17:15:43.000	firewall,info MikroTik: NAT_Web_Varg dstnat: in:ether1-Wan out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 195.29.234.174:8505->92.220.197.134:80, len 52
See my first post, starting from:
Then select what to log.
Make sure you add prefix=MikroTik to all syslog rules.
 
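As an added example (not part of the post above or of the Splunk app), here is a Python parser for firewall/NAT log lines in the raw format Jotne shows above. The first two sample lines are the ones quoted in this thread (the NAT_Web_Varg line with the prefix, and santong7's line sent without it); the remaining lines are constructed with documentation address ranges (203.0.113.0/24, 198.51.100.0/24) for the FW_Drop_all_from_WAN rule from step 2d of the first post. The regex for the RouterOS log body is my reading of these lines, an assumption rather than a documented grammar. The checks are the ones the thread calls for: the exact "MikroTik" prefix, the FW_/NAT_ naming convention and the 20-character log-prefix limit from the first post, plus the per-source count that the "MikroTik Live attack" view graphs.

```python
import re
from collections import Counter

PREFIX = "MikroTik: "
MAX_LOG_PREFIX = 20  # limit for a firewall rule's log prefix given in the first post

# Assumed RouterOS firewall log body (my reading of the lines quoted in this thread):
# "<log-prefix> <chain>: in:<if> out:<if>, [src-mac <mac>, ]proto <PROTO>[ (<flags>)],
#  <src>[:<port>]-><dst>[:<port>], len <n>"
FW_RE = re.compile(
    r"^(?P<rule_prefix>.+?) (?P<chain>\w+):? in:(?P<in_if>\S+) out:(?P<out_if>.+?), "
    r"(?:src-mac (?P<src_mac>[0-9A-Fa-f:]{17}), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, len (?P<len>\d+)"
)

SAMPLE_LINES = [
    # The two lines quoted in this thread: Jotne's correctly prefixed NAT line ...
    "firewall,info MikroTik: NAT_Web_Varg dstnat: in:ether1-Wan out:(unknown 0), "
    "src-mac 00:05:00:01:00:01, proto TCP (SYN), 195.29.234.174:8505->92.220.197.134:80, len 52",
    # ... and santong7's line, sent without prefix=MikroTik on the logging rule.
    "firewall,info DROP INPUT input in:pppoe-WAN out:(unknown 0), proto TCP (SYN), "
    "79.129.108.120:41236->79.129.36.201:7547, len 44",
    # Constructed lines (documentation address ranges) for the rule logged as FW_Drop_all_from_WAN.
    "firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), "
    "src-mac 00:05:00:01:00:01, proto TCP (SYN), 203.0.113.7:51234->198.51.100.2:22, len 60",
    "firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), "
    "src-mac 00:05:00:01:00:01, proto TCP (SYN), 203.0.113.7:51235->198.51.100.2:23, len 60",
    "firewall,info MikroTik: FW_Drop_all_from_WAN input: in:ether1-Wan out:(unknown 0), "
    "src-mac 00:05:00:01:00:01, proto ICMP (type 8, code 0), 203.0.113.9->198.51.100.2, len 84",
    # Constructed: a log prefix longer than the 20 characters the first post allows.
    "firewall,info MikroTik: FW_Drop_everything_from_the_WAN_side forward: in:ether1-Wan out:bridge, "
    "proto UDP, 203.0.113.20:53->192.168.88.10:53, len 70",
]


def parse_firewall_line(line: str) -> dict:
    """Parse one syslog payload into its fields plus a list of configuration problems."""
    problems = []
    topics, sep, body = line.partition(PREFIX)
    if not sep:
        problems.append("missing 'MikroTik' prefix (add prefix=MikroTik to the logging rule)")
        topics, _, body = line.partition(" ")  # still inspect the body for the other checks
    event = {"topics": topics.strip(), "problems": problems}
    match = FW_RE.match(body)
    if not match:
        problems.append("unrecognised firewall log format")
        return event
    event.update(match.groupdict())
    rule_prefix = event["rule_prefix"]
    if not rule_prefix.startswith(("FW_", "NAT_")):
        problems.append(f"log prefix {rule_prefix!r} does not follow the FW_/NAT_ convention")
    if len(rule_prefix) > MAX_LOG_PREFIX:
        problems.append(f"log prefix {rule_prefix!r} is longer than {MAX_LOG_PREFIX} characters")
    return event


def dropped_sources(lines, rule_prefix: str = "FW_Drop_all_from_WAN") -> Counter:
    """Count source addresses per drop rule, the aggregation behind the 'Live attack' view."""
    counts = Counter()
    for line in lines:
        event = parse_firewall_line(line)
        if event.get("rule_prefix") == rule_prefix:
            counts[event["src"]] += 1
    return counts


def config_problems(lines) -> list:
    """Flatten the configuration problems found across a batch of lines."""
    return [p for line in lines for p in parse_firewall_line(line)["problems"]]


if __name__ == "__main__":
    print(dropped_sources(SAMPLE_LINES).most_common())
    for problem in config_problems(SAMPLE_LINES):
        print("problem:", problem)
```

Lines without the prefix are still parsed so the problem report can name the offending rule, but they are excluded from the counts, which mirrors what happens in Splunk: without the tag the app never classifies them, so they never reach a dashboard.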
 
 
Mordor (just joined)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Thu Aug 09, 2018 7:09 am

Help me set up collection of logs from MikroTik.
I can not understand what to add to the firewall and NAT in MikroTik so that the logs go via syslog to the Splunk server on CentOS.
If you can, make a little instruction "How to set up collection of logs".
Thank you.
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.2 (Graphing everything)

Thu Aug 09, 2018 2:34 pm

It is clearly written in the first post under Select what to log
1 select what fw or nat rule you like to log.
2 open the fw/nat rule
3 go to action
4 mark log
5 add a text to log prefix for the log, like NAT_RDP
This text could be anything you like, but it is good to have a description that tells you what the rule does.

PS if you see the number increase in the webgui you should also get syslog

PS2 do not log everything, start small and increase with more rules when it works. Logging everything will log a lot of data.
 
 
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Fri Aug 10, 2018 3:32 pm

Upgraded to 2.3

What's new:
# v2.3 (10.08.2018)
# Created a Splunk app version

So for users of 2.2, there is no need to upgrade. No new functions.
 
 
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Sun Aug 19, 2018 1:23 pm

Here is an example of how Hotspot data looks in Splunk

Splunk-MikroTik-Hotspot.jpg
 
 
 
helmi1987 (just joined)

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Sat Aug 25, 2018 9:29 am

Hello

Very good integration.
How can I record CAPsMAN wifi?

greeting helmi1987
 
Gabana (just joined)

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Sat Sep 08, 2018 8:56 pm

Hello,

thanks for your great job.

Also, does it log "Commands" executed on the device?
 
Dindihi (newbie)

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Sun Sep 09, 2018 12:02 am

Hi,
thanks for this work!
One question, how often do you execute the script with the scheduler?

+1 for capsman
Thanks
 
Jotne (Forum Guru, Topic Author)

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Sun Sep 09, 2018 8:26 am

I do schedule the script to run every 5 minutes. (first post updated)

Since I do not have Capsman, I have no possibility to make Dashboard for it.
 
 
 
Dindihi (newbie)

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Sat Sep 15, 2018 1:19 pm

Hi,
I added some functionality for CAPsMAN logging.
Maybe this will be helpful for someone.
I'm neither a MikroTik nor a Splunk expert !! ;-) Maybe you will find some errors. Please let me know.
But at least this works fine here.

Settings->Sourcetype->Mikrotik->Advanced->Add:
Name: EXTRACT-mikrotik_capsman_state
Value: caps,info.*(?<src_mac>.{2}:.{2}:.{2}:.{2}:.{2}:.{2})@(?<cap_device>.*)\s(?<state>connected|disconnected),\s


Script: Data_to_Splunk_using_Syslog_capsman
:local capsregistered ([/caps-man registration-table print count-only]);

/caps-man interface
:local name
:local mac

# ignore all master interfaces
:foreach p in=[find where master-interface!="none"] do={
	:set name [get $p name]
	:set mac [get $p radio-mac]
	:local counter ([/caps-man registration-table print count-only where interface=$name]);
	:log info message="script=caps-man name=$name counter=$counter";
}

:log info message="script=caps-man capsregistered=$capsregistered";
Schedule this script every 5 minutes.


Only if your Mikrotik is used as DHCP server continue here, else ignore the following steps.
Check that each IP has a valid comment. I used the comment name as hostname.


Script: manuel_export_dhcp_splunk
:log info "export_dhcp_splunk";
:local hostname;
:local mac;

/file print file="export_dhcp_splunk.txt";

/file set "export_dhcp_splunk.txt" contents="";


:local newdata ("hostname,src_mac\r\n");
/file set "export_dhcp_splunk.txt" contents=([get export_dhcp_splunk.txt contents] . $newdata);

/ip dhcp-server lease;
:log info "Entering export_dhcp_splunk loop";
:foreach i in=[find] do={
  /ip dhcp-server lease;
  :if ([:len [get $i comment]] > 0) do={
    :set hostname [get $i comment];
    :set mac [get $i mac-address];
    :local newdata ($hostname.",".$mac. "\r\n");
    /file set "export_dhcp_splunk.txt" contents=([get export_dhcp_splunk.txt contents] . $newdata);
   } else={
    :set mac [get $i mac-address];
    :local newdata ("NONE,".$mac. "\r\n");
    /file set "export_dhcp_splunk.txt" contents=([get export_dhcp_splunk.txt contents] . $newdata);
  }
}
:log info "Ended export_dhcp_splunk";
Download export_dhcp_splunk.txt to your PC.

Splunk->Settings->Lookups->Lookup table files->New
Destination App: Mikrotik
Destination filename: dhcp_clients
And upload the file export_dhcp_splunk.txt


Splunk->Settings->Lookups->Lookup Definition->New
Destination App: Mikrotik
Type: File
Lookup file: dhcp_clients



And finally the Dashboard (add to Mikrotik app)
<form>
  <label>MikroTik CapsMan</label>
  <fieldset submitButton="false">
    <input type="time" token="global_time">
      <label>Time Span</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="Span" searchWhenChanged="true">
      <label>Time Span</label>
      <choice value="bins=100">Default</choice>
      <choice value="span=1m">1 min</choice>
      <choice value="span=5m">5 min</choice>
      <choice value="span=10m">10 min</choice>
      <choice value="span=20m">20 min</choice>
      <choice value="span=1h">1 hour</choice>
      <choice value="span=2h">2 hour</choice>
      <default>bins=100</default>
    </input>
    <input type="dropdown" token="cap_device">
      <label>CapsMan</label>
      <choice value="*">Any</choice>
      <fieldForLabel>cap_device</fieldForLabel>
      <fieldForValue>cap_device</fieldForValue>
      <search>
        <query>sourcetype=mikrotik
          module=caps
          | top limit=0 cap_device
          | sort cap_device</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
      </search>
      <default>*</default>
      <prefix>cap_device="</prefix>
      <suffix>"</suffix>
    </input>
    <input type="dropdown" token="srcmac">
      <label>Source Mac</label>
      <choice value="*">Any</choice>
      <default>*</default>
      <fieldForLabel>hostname</fieldForLabel>
      <fieldForValue>src_mac</fieldForValue>
      <search>
        <query>sourcetype=mikrotik
          module=caps
          | top limit=0 src_mac
          | sort src_mac
          |lookup dhcp_clients src_mac OUTPUT hostname</query>
        <earliest>$global_time.earliest$</earliest>
        <latest>$global_time.latest$</latest>
      </search>
      <prefix>src_mac="</prefix>
      <suffix>"</suffix>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Connection messages by cap_device</title>
      <chart>
        <search>
          <query>module=caps 
$cap_device$ $srcmac$
|timechart $Span$  count(_raw) by cap_device</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Devices connection messages by device</title>
      <chart>
        <search>
          <query>sourcetype=mikrotik module=caps state=connected 
$cap_device$ $srcmac$
|lookup dhcp_clients src_mac OUTPUT hostname
|timechart $Span$  count(_raw) by hostname</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
  <row>
    <panel>
      <title>Connected devices by cap</title>
      <chart>
        <search>
          <query>sourcetype=mikrotik caps-man |timechart $Span$ values(counter) by name | fillnull  |appendcols  [ search sourcetype=mikrotik caps-man|timechart $Span$ values(capsregistered) as TOTAL |fillnull]</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">line</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">connect</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
    <panel>
      <title>Connected devices by cap</title>
      <chart>
        <search>
          <query>sourcetype=mikrotik counter&gt;0  |chart values(counter) by name</query>
          <earliest>$global_time.earliest$</earliest>
          <latest>$global_time.latest$</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.abbreviation">none</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.abbreviation">none</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.abbreviation">none</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">pie</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.mode">standard</option>
        <option name="charting.legend.placement">right</option>
        <option name="charting.lineWidth">2</option>
        <option name="refresh.display">progressbar</option>
        <option name="trellis.enabled">0</option>
        <option name="trellis.scales.shared">1</option>
        <option name="trellis.size">medium</option>
      </chart>
    </panel>
  </row>
</form>
Edit:
I will probably add some more features next week when I find time :-)
Last edited by Dindihi on Sat Sep 15, 2018 1:33 pm, edited 2 times in total.
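Before uploading the export, it is worth checking it for rows that make the lookup step (lookup dhcp_clients src_mac OUTPUT hostname) unreliable. The checker below is an added example, not part of the post above or the MikroTik app; it assumes the file layout the RouterOS script writes (header hostname,src_mac, CRLF rows, NONE for leases without a comment) and its sample content is constructed.

```python
"""Sanity-check export_dhcp_splunk.txt before uploading it as a Splunk lookup.

Added example, not part of the forum post or the MikroTik app. The layout
(header 'hostname,src_mac', CRLF line ends, 'NONE' for a lease without a
comment) is the one the RouterOS script writes; SAMPLE below is constructed.
"""
import re
from collections import Counter

HEADER = "hostname,src_mac"
# RouterOS prints MAC addresses as six upper-case hex pairs separated by colons.
MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")


def parse_lookup(text):
    """Return (line_number, fields) pairs for every non-blank data row after
    checking the header that the dashboard's lookup definition relies on."""
    lines = text.splitlines()
    first = lines[0] if lines else ""
    if first != HEADER:
        raise ValueError(f"line 1 must be {HEADER!r}, got {first!r}")
    return [(n, line.split(","))
            for n, line in enumerate(lines[1:], start=2) if line.strip()]


def find_problems(rows):
    """Report rows that break or weaken the lookup: wrong field count (a comma
    in the lease comment, since the script does not quote fields), a value that
    is not a RouterOS-format MAC, the same MAC exported twice (Splunk returns an
    arbitrary one of the hostnames), and leases with no comment (shown as NONE)."""
    problems = []
    macs = Counter(fields[1] for _, fields in rows if len(fields) == 2)
    for lineno, fields in rows:
        if len(fields) != 2:
            problems.append(f"line {lineno}: {len(fields)} fields (comma in comment?)")
            continue
        hostname, mac = fields
        if not MAC_RE.match(mac):
            problems.append(f"line {lineno}: {mac!r} is not a MAC address")
        elif macs[mac] > 1:
            problems.append(f"line {lineno}: MAC {mac} appears {macs[mac]} times")
        if hostname == "NONE":
            problems.append(f"line {lineno}: lease {mac} has no comment (shows as NONE)")
    return problems


# Constructed sample in the format the RouterOS script writes (CRLF line ends).
SAMPLE = (
    "hostname,src_mac\r\n"
    "laptop,AA:BB:CC:DD:EE:01\r\n"
    "NONE,AA:BB:CC:DD:EE:02\r\n"
    "printer,AA:BB:CC:DD:EE:01\r\n"
    "phone, Anna,AA:BB:CC:DD:EE:03\r\n"
    "tv,aa-bb-cc-dd-ee-04\r\n"
)

if __name__ == "__main__":
    for problem in find_problems(parse_lookup(SAMPLE)):
        print(problem)
```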
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Sat Sep 15, 2018 1:24 pm

Nice
I will look through it and add it to the package in the first post.
A problem with Splunk when you add stuff through the GUI is that you do not know where it goes.
It may end up in your user, the wrong app or the correct app :)

And some raw log lines of various types?
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
philamonster
just joined
Posts: 13
Joined: Mon Apr 03, 2017 4:08 am

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Tue Oct 09, 2018 6:15 pm

Jotne, just wanted to post a note of thanks again for Splunk integration and that I successfully upgraded from 1.1 in place without too many hoops to jump through. Added script and scheduled it on MikroTik device and data was visible in Splunk immediately. I had edited some of the accounting scripts to change time I was collecting in 1.1 due to high CPU generated on Splunk vm w/5 minute interval. New version is much better on resources overall which I am thankful for!
 
maperezdelrio
just joined
Posts: 1
Joined: Fri Oct 12, 2018 8:01 pm

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Tue Oct 16, 2018 3:45 am

Hello
I downloaded your app for Splunk and followed your instructions to install it. However, I notice that the dashboards do not load information as your screenshots show.
Inside the application folders I cannot find the scripts that would process the logs sent from the MikroTik device, such as health or resources. According to the Splunk documentation these should be located in the Mikrotik/bin folder; is my assessment correct?

Thank you!
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Tue Oct 16, 2018 7:05 pm

In this version there are no scripts on the Splunk side (bin folder). The script has moved to the MikroTik side, which sends out everything using syslog.
In Splunk, set it to show the last 24 hours and put * in the search field to see what is going on.
This should get you lots of log lines from the MikroTik.
 
Dindihi
newbie
Posts: 25
Joined: Tue Jan 07, 2014 7:12 pm

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Tue Oct 16, 2018 7:33 pm

I added index=mikrotik (your index name) to all dashboard searches.
Without this I also had no results.
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Tue Oct 16, 2018 9:54 pm

When you run Splunk with a free license, the user should see all index data without needing to specify it.
It sounds like you are either running a fully licensed version, or are still in the 30 day free trial.
If you are in trial mode you need to convert it to the free version as soon as possible.
If not, it will block your searches for one month if it passes 30 days before converting.
See the installation instructions in the first post.

It seems that you have also made the MikroTik logs go into another index than the default.
Follow the #1 post; they should go to the main index. It will work in another index, but you may need to adjust some things like you did.
Last edited by Jotne on Tue Oct 16, 2018 10:00 pm, edited 1 time in total.
 
Dindihi
newbie
Posts: 25
Joined: Tue Jan 07, 2014 7:12 pm

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Tue Oct 16, 2018 10:00 pm

I agree, I have a paid license.
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Tue Oct 16, 2018 10:12 pm

Then it should be fine to use and, as you wrote, the fix was to use the correct index :)

I do have a 500GB/day license at my work, which I manage, so I do know something about how it works in large settings.
 
vitvickis
just joined
Posts: 1
Joined: Wed Oct 10, 2018 4:09 pm

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Oct 18, 2018 3:14 pm

Hi Jotne!
Thank You for this post! Really appreciate your work.
I have some problems: I really can't get it to log accounting and, for example, Resources/Voltage.
What needs to be done to see that in the Splunk logs?

For example DNS, DHCP, Firewall logs are working without any problems.
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Wed Nov 07, 2018 11:17 am

Working on 2.4

Here are some teasers.

Dark Theme
Added view to better show system changes
Added view to show wifi client strength for all clients connected
++++
MikroTik Wifi strength.jpg
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Wed Nov 07, 2018 11:42 am

Hi Jotne!
Thank You for this post! Really appreciate your work.
I have some problems: I really can't get it to log accounting and, for example, Resources/Voltage.
What needs to be done to see that in the Splunk logs?

For example DNS, DHCP, Firewall logs are working without any problems.
It seems that you are missing the data coming from the script part.

Try these tests to see if you get data from a command:
--------------
Show if IP accounting works (used to get the firewall data):
{
/ip accounting snapshot take
# Print each accounting line (the real script sends these to the logging server)
:foreach logline in=[/ip accounting snapshot find] do={:put message="$[/ip accounting snapshot print as-value from=$logline]"}}
List health info:
{:local voltage ([/system health get voltage]/10);
:local temperature ([/system health get temperature]);
:put message="script=health voltage=$voltage V temperature=$temperature C";}
If cut and paste of these commands gives information, you need to look at the script.
Have you created the script?
Does it have the correct name?
Does it show a run count greater than 0?
Do you get data out if you run the script manually?
Have you set up the scheduler?
Does it have the correct name of the script to run?
Does the scheduler run (check the run count)?
 
Hunty
just joined
Posts: 16
Joined: Mon May 28, 2018 11:37 am

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Mon Nov 12, 2018 4:28 pm

I'm not able to see any result into splunk server.
I've followed the guide step by step, I'm seeing that the Mikrotik's script has Run Count = 40 so it is sending to Splunk server, I've added the windows firewall inbound rules, but I'm not able to see any data in splunk server.
Can you please help me?
Thanks

p.s. thanks a lot for your guide and effort, it is the tool I was searching for a long time.
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Tue Nov 13, 2018 6:50 pm

In Splunk under:
Settings -> Data Inputs -> UDP
Do you see port 514 like this?
UDP port	Source type	Status	Actions
514	syslog	Enabled | Disable	Clone | Delete
If you run Splunk on Windows, have you opened the Windows firewall for Splunk or UDP:514?
You can try to disable the firewall temporarily.

Is logging correctly set up?
Can you post the output of this from your MT:
 /system logging export
 
Hunty
just joined
Posts: 16
Joined: Mon May 28, 2018 11:37 am

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Wed Nov 14, 2018 3:41 pm

Hi Jotne, thanks for your reply
In Splunk under:
Settings -> Data Inputs -> UDP
Do you see port 514 like this?
UDP port	Source type	Status	Actions
514	syslog	Enabled | Disable	Clone | Delete
Yes
If you do run Splunk on a windows, have you opened Windows firewall for Splunk or UDP:514?
Yes
You can try to disable firewall temporary.
I've tried but without any result
Is logging correctly set up?
Can you on your MT post output of this:
 /system logging export
[admin@MikroTik CRS125] > /system logging export
# nov/14/2018 14:33:07 by RouterOS 6.43.4
# software id =
#
# model = CRS125-24G-1S-2HnD
# serial number =
/system logging action
add name=logserver remote=192.168.88.210 target=remote
/system logging
add action=logserver prefix=MikroTik topics=dhcp
add action=logserver prefix=MikroTik topics=!debug
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Wed Nov 14, 2018 4:47 pm

Can you ping the Splunk server from MT?
Are you running Windows/Linux? I do recommend Linux.
On Windows, you can confirm that Splunk is listening on port UDP/514 by running this command:
netstat -toan | find "514"
You should get one line like this:
UDP    0.0.0.0:514            *:*                                    5108
For Linux
netstat -pan | grep 514
udp    62848      0 0.0.0.0:514             0.0.0.0:*                           17949/splunkd
 
Hunty
just joined
Posts: 16
Joined: Mon May 28, 2018 11:37 am

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 11:12 am

Can you ping the Splunk server from MT?
yes
[admin@MikroTik CRS125] > ping 192.168.88.210
  SEQ HOST                                     SIZE TTL TIME  STATUS             
    0 192.168.88.210                             56 128 0ms  
    1 192.168.88.210                             56 128 0ms  
    2 192.168.88.210                             56 128 0ms  
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 
Are you running Windows/Linux? I do recommend Linux.
On Windows, you can confirm that Splunk is listening on port UDP/514 by running this command:
netstat -toan | find "514"
You should get one line like this:
UDP    0.0.0.0:514            *:*                                    5108
For Linux
netstat -pan | grep 514
udp    62848      0 0.0.0.0:514             0.0.0.0:*                           17949/splunkd
I'm running it on Windows Server 2016
C:\Windows\system32>netstat -toan | find "514"
  UDP    0.0.0.0:514            *:*                                    9784
  UDP    0.0.0.0:58514          *:*                                    3464
  UDP    0.0.0.0:59514          *:*                                    3464
  UDP    [::]:60514             *:*                                    3464
  UDP    [::]:61514             *:*                                    3464
  UDP    [::]:62514             *:*                                    3464
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 1:02 pm

Then the only thing I do not see is whether the Windows Server blocks something in the firewall. But as you write, you have opened it.
If you did not try it yet, try to disable the whole firewall for some time.
 
Hunty
just joined
Posts: 16
Joined: Mon May 28, 2018 11:37 am

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 2:47 pm

I've tried to disable the entire firewall for 10 minutes and I've executed manually the script at least three times, but no info was present in the dashboards :(
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 6:22 pm

Try this.
On the terminal of the RouterOS type:
:log info message="mandarin"
In Splunk, set it to the last 15 min and do a search like this:
mandarin
You should get at least one line like this (in raw mode):
script,info MikroTik: mandarin
If you get output you have communication.
If it does not show script,info MikroTik: in front of mandarin, your MikroTik app is not correctly installed in Splunk.
Post your output.
 
Dindihi
newbie
Posts: 25
Joined: Tue Jan 07, 2014 7:12 pm

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 6:26 pm

Is there a tcpdump or similar on windows?
Maybe check if udp packets are coming from your MT.
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 6:44 pm

This is UDP, so tcpdump would not help.
Did the last test not give you anything?
 
Dindihi
newbie
Posts: 25
Joined: Tue Jan 07, 2014 7:12 pm

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 6:47 pm

Sure,
tcpdump also shows udp packets.

[~] # tcpdump udp port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:46:01.876313 IP 192.168.215.4.58292 > NAS.syslog: [|syslog]
17:46:01.876371 IP 192.168.215.4.58292 > NAS.syslog: [|syslog]
17:46:05.144568 IP 192.168.214.117.syslog > NAS.syslog: SYSLOG user.info, length: 66

Edit:
You tried to manually search for events (not the dashboard).
index=YOURINDEX
(on ALL TIME)
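For the Windows case, a small UDP listener does the same job as the tcpdump check. This is an added example, not code from the thread or the MikroTik app; it assumes the datagram layout "<PRI>topics prefix: message" inferred from the raw line and the tcpdump decode quoted above, and its sample datagrams are constructed.

```python
"""UDP syslog listener to confirm RouterOS datagrams reach the Splunk host.

Added example, not part of the forum thread or the MikroTik Splunk app.
Assumed datagram layout: '<PRI>topics prefix: message' (prefix optional),
inferred from the raw line 'script,info MikroTik: mandarin' and the
'SYSLOG user.info' tcpdump decode quoted in the thread. SAMPLES are constructed.
"""
import re
import socket
import sys

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news"]

# <PRI> is optional so a line that lost it is still parsed. RouterOS topics are
# comma-separated (script,info or caps-man,info), so at least one comma is
# required; the prefix is the 'prefix=' value of the logging action and is
# assumed to contain no ':'.
LINE_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?(?P<topics>[a-z!-]+(?:,[a-z!-]+)+) "
    r"(?:(?P<prefix>[^:\s]+): )?(?P<msg>.*)$",
    re.S,
)


def facility_name(code):
    if code < len(FACILITIES):
        return FACILITIES[code]
    if 16 <= code <= 23:
        return f"local{code - 16}"
    return str(code)


def parse_mikrotik_syslog(datagram):
    """Return a dict describing one datagram, or None if it is not a RouterOS log line."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = LINE_RE.match(text)
    if not m:
        return None
    pri = int(m.group("pri")) if m.group("pri") is not None else None
    return {
        "facility": facility_name(pri // 8) if pri is not None else None,
        "severity": SEVERITIES[pri % 8] if pri is not None else None,
        "topics": m.group("topics").split(","),
        "prefix": m.group("prefix"),
        "message": m.group("msg"),
    }


def describe(ip, datagram, expected_prefix="MikroTik"):
    """One-line verdict for a datagram: parsed OK, prefix missing, or not RouterOS."""
    parsed = parse_mikrotik_syslog(datagram)
    if parsed is None:
        return f"{ip}: not a RouterOS log line: {datagram[:80]!r}"
    if parsed["prefix"] != expected_prefix:
        return (f"{ip}: arrived, but without the '{expected_prefix}:' prefix the Splunk app "
                f"will not tag it (check prefix= on the logging action): {parsed['message']!r}")
    return (f"{ip}: {parsed['facility']}.{parsed['severity']} "
            f"{','.join(parsed['topics'])} {parsed['message']}")


def listen(port=514, count=None):
    """Bind the UDP port (514 needs administrator/root rights) and print every
    datagram; stop after `count` datagrams or on Ctrl-C. Returns the count seen."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    print(f"listening on udp/{port}; send ':log info message=\"mandarin\"' from the router")
    seen = 0
    try:
        while count is None or seen < count:
            data, (ip, _) = sock.recvfrom(65535)
            seen += 1
            print(describe(ip, data))
    except KeyboardInterrupt:
        pass
    finally:
        sock.close()
    return seen


# Constructed datagrams in the layout described above.
SAMPLES = [
    b"<14>script,info MikroTik: mandarin",
    b"<14>dhcp,info dhcp1 assigned 192.168.88.10 to AA:BB:CC:DD:EE:01",
    b"not a router line",
]

if __name__ == "__main__":
    listen(port=int(sys.argv[1]) if len(sys.argv) > 1 else 514)
```

Only one process can own udp/514, so disable Splunk's UDP input while testing, or listen on another port (first argument) and point the router's logging action at it temporarily.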
 
Hunty
just joined
Posts: 16
Joined: Mon May 28, 2018 11:37 am

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 7:15 pm

Try this.
On terminal of the Router OS type:
:log info message="mandarin"
In Splunk, set it to last 15 min and do a search like this:
mandarin
You should get at least one line like this (in raw mode)
script,info MikroTik: mandarin
If you get output you have communication.
If it does not show script,info MikroTik: in front of mandarin, you MikroTik app is not correctly installed in Splunk
Post your output.
I've found the mandarin entry.

In the Search app I'm seeing this:

490.761 events and it is growing!

Why am I not seeing anything under the mikrotik app?
 
Hunty
just joined
Posts: 16
Joined: Mon May 28, 2018 11:37 am

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 7:17 pm

Anyway, I've also tried to install Splunk in an Ubuntu VM using VirtualBox. I've followed your guide to add the splunk user, and I'm trying to configure the UDP 514 input port but I'm getting this error:

Parameter name: UDP port 514 is not available.

I prefer to solve the issue under Windows Server, which is installed on bare metal.
 
Jotne
Forum Guru
Topic Author
Posts: 1139
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Using Splunk to analyse MikroTik logs 2.3 (Graphing everything)

Thu Nov 15, 2018 7:49 pm

You do get data into Splunk.

Do a search like this in Splunk for the last 15 min:
*
Post some lines, so that I can see how it looks.
 