Jotne
Forum Guru
Topic Author

Sending output of script commands to syslog

Mon Jul 16, 2018 11:17 am

I have lots of logging going to syslog, so I know how that part works.

My question is: How to send output from a script to syslog?

Example:
I would like a script to show the dynamic nat and send that to my external syslog server.
/ip firewall nat print dynamic
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
doneware
Trainer

Re: Sending output of script commands to syslog

Mon Jul 16, 2018 4:37 pm

My question is: How to send output from a script to syslog?

Example:
I would like a script to show the dynamic nat and send that to my external syslog server.
/ip firewall nat print dynamic
Try this:
:log info message=[/ip firewall nat print dynamic as-value ]
It will log the rules line by line in an easy-to-parse format (AV pairs are delimited by a semicolon, ';').
#TR0359
 
Jotne
Forum Guru
Topic Author

Re: Sending output of script commands to syslog

Mon Jul 16, 2018 11:34 pm

Thanks.

It's very close, but I do get some differences in the output.

Here it is from the syslog:
script,info MikroTik: orrent (TCP);dst-address=92.220.197.134;dst-port=28816;in-interface=ether1-Wan;protocol=tcp;to-addresses=10.10.10.32;to-ports=28816;.id=*1a9c;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uTorrent (UDP);dst-address=92.220.197.134;dst-port=28816;in-

script,info MikroTik: .id=*1a57;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: Teredo;dst-address=92.220.197.134;dst-port=49290;in-interface=ether1-Wan;protocol=udp;to-addresses=10.10.10.32;to-ports=49290;.id=*1a9b;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uT
Here is the output on the router.
/ip firewall nat print dynamic
Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; upnp 10.10.10.32: Teredo
      chain=dstnat action=dst-nat to-addresses=10.10.10.32 to-ports=49290 protocol=udp
      dst-address=92.220.197.134 in-interface=ether1-Wan dst-port=49290

 1  D ;;; upnp 10.10.10.32: uTorrent (TCP)
      chain=dstnat action=dst-nat to-addresses=10.10.10.32 to-ports=28816 protocol=tcp
      dst-address=92.220.197.134 in-interface=ether1-Wan dst-port=28816

 2  D ;;; upnp 10.10.10.32: uTorrent (UDP)
      chain=dstnat action=dst-nat to-addresses=10.10.10.32 to-ports=28816 protocol=udp
      dst-address=92.220.197.134 in-interface=ether1-Wan dst-port=28816
In the syslog, it only shows two lines, not 3.
In line 1, it shows orrent, not uTorrent. It seems that the missing uT is found at the end of line 2.
I guess it is Splunk that wraps things wrong, so the lines get wrongly indexed.
Is there a way to tell MikroTik to send a newline between each output line?

Best would be that the output to syslog is 100% equal to the one in the console.
Each line needs to be sent as its own line, so the output above should be 3 lines.
 
dasiu
Trainer

Re: Sending output of script commands to syslog

Tue Jul 17, 2018 1:29 pm

You see the lines split, as the result of "print as-value" shows all entries in one string, and MikroTik splits the logged strings to 256-byte elements (256 bytes is the max length of what it can log).
To send a separate log for each line, try:
:foreach logline in=[/ip firewall nat find dynamic=yes] do={:log info message="$[/ip firewall nat print as-value from=$logline]"}
 
Jotne
Forum Guru
Topic Author

Re: Sending output of script commands to syslog

Tue Jul 17, 2018 4:31 pm

Perfect.

Output in Splunk now looks like this (3 separate lines):
script,info MikroTik: .nextid=*ffffffff;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uTorrent (UDP);dst-address=92.220.197.134;dst-port=28816;in-interface=ether1-Wan;protocol=udp;to-addresses=10.10.10.32;to-ports=28816
script,info MikroTik: .nextid=*1b04;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: uTorrent (TCP);dst-address=92.220.197.134;dst-port=28816;in-interface=ether1-Wan;protocol=tcp;to-addresses=10.10.10.32;to-ports=28816
script,info MikroTik: .nextid=*1b03;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: Teredo;dst-address=92.220.197.134;dst-port=49290;in-interface=ether1-Wan;protocol=udp;to-addresses=10.10.10.32;to-ports=49290

Could you also be so kind as to show how I could do the same with:
/ip accounting snapshot print
I tried this, but it only showed up locally:
:foreach logline in=[/ip accounting snapshot print] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"}
This does not give any output:
foreach logline in=[/ip accounting snapshot find dynamic=yes] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"} 
 
Jotne
Forum Guru
Topic Author

Re: Sending output of script commands to syslog

Thu Jul 19, 2018 11:48 am

Problem solved.
This gives me what I want:
foreach logline in=[/ip accounting snapshot find] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"}
If you do not specify anything behind find, it takes all lines.

It even comes in better format for Splunk to handle.
This is how it shows up in console (SSH/Winbox/Web)
 # SRC-ADDRESS     DST-ADDRESS        PACKETS      BYTES SRC-USER                         DST-USER
 0 193.212.207.247 10.10.10.32             41      47011
 1 37.247.52.130   10.10.10.32             31      32623
 2 10.10.10.32     193.212.207.247         33       3077
 3 31.13.72.8      10.10.10.128             4        349
This is how it looks in the Splunk view.
script,info MikroTik: .id=*56;bytes=291;dst-address=10.10.10.80;packets=6;src-address=109.74.9.62
script,info MikroTik: .id=*55;bytes=612;dst-address=10.10.10.128;packets=7;src-address=31.13.72.38
script,info MikroTik: .id=*54;bytes=99891;dst-address=31.13.72.49;packets=706;src-address=10.10.10.241
script,info MikroTik: .id=*53;bytes=285;dst-address=31.13.72.32;packets=5;src-address=10.10.10.128
script,info MikroTik: .id=*52;bytes=1131;dst-address=10.10.10.128;packets=9;src-address=162.125.18.133
script,info MikroTik: .id=*51;bytes=1077;dst-address=10.10.10.50;packets=14;src-address=125.209.235.182
Since all fields have a name, I do not need any regex or other stuff to extract the data.
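
The 256-byte split dasiu describes and the named fields in the per-record output above can both be handled on the receiving side. An added example, not part of the original posts: a Python parser that assumes each syslog line arrives in the `topics host: key=value;...` shape shown in this thread. The function names are hypothetical, and the two fragment lines in the sample are shortened from the thread's output.

```python
import re

# Each as-value record in the thread's output starts with .id= or .nextid=
ID_KEY = re.compile(r"(?:^|;)\.(?:id|nextid)=")

def parse_line(line):
    """Parse one 'topics host: k=v;k=v' line into (fields, complete)."""
    # Split on the first ': ' only: comment values contain ': ' too.
    _, sep, payload = line.partition(": ")
    if not sep:
        return {}, False
    # A whole record starts with an id key and holds exactly one of them.
    complete = bool(ID_KEY.match(payload)) and len(ID_KEY.findall(payload)) == 1
    fields = {}
    for pair in payload.split(";"):
        key, eq, value = pair.partition("=")
        if not eq:
            complete = False  # dangling token such as a cut-off "in-"
            continue
        fields[key.lstrip(".")] = value
    return fields, complete

def triage(lines):
    """Split lines into parsed records and raw fragments held for review."""
    records, fragments = [], []
    for line in lines:
        fields, complete = parse_line(line)
        if complete:
            records.append(fields)
        else:
            fragments.append(line)
    return records, fragments

# Sample input: two per-record lines from the thread, then two fragments
# shortened from the output that was split at 256 bytes.
SAMPLE = [
    "script,info MikroTik: .id=*56;bytes=291;dst-address=10.10.10.80;packets=6;src-address=109.74.9.62",
    "script,info MikroTik: .nextid=*1b03;action=dst-nat;chain=dstnat;comment=upnp 10.10.10.32: Teredo;dst-port=49290",
    "script,info MikroTik: orrent (TCP);dst-port=28816;in-",
    "script,info MikroTik: .id=*1a57;action=dst-nat;comment=upnp 10.10.10.32: Teredo;.id=*1a9b;comment=upnp 10.10.10.32: uT",
]

if __name__ == "__main__":
    records, fragments = triage(SAMPLE)
    for record in records:
        print(record)
    print(len(fragments), "fragment line(s) held back")
```

A comment that contains ';' cannot be told apart from a field separator in this format; a token without '=' sends the whole line to the fragment list instead of producing a record.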
 
Jotne
Forum Guru
Topic Author

Re: Sending output of script commands to syslog

Mon Jul 23, 2018 11:33 am

Scripting is not my best side :)

I do get what I want from:
foreach logline in=[/ip accounting snapshot find] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"}
But I want to add some more to each line, so I did try to add the text test in front of the log line:
foreach logline in=[/ip accounting snapshot find] do={:log info message="test $[/ip accounting snapshot print as-value from=$logline]"}
foreach logline in=[/ip accounting snapshot find] do={:log info message="test"."$[/ip accounting snapshot print as-value from=$logline]"}
: local line
:foreach logline in=[/ip accounting snapshot find] do={
   :set line ("test")
   :set line ($line . "$[/ip accounting snapshot print as-value from=$logline]")
:log info message="$line"}
None of them is printing anything, just blank lines on the last example.
 