jvanhambelgium
Forum Veteran
Topic Author
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Monitor-logs-send-mail-alert (Wiki script)

Wed May 26, 2021 6:03 pm

Hi,
Is anyone using this script as documented in the Wiki?

https://wiki.mikrotik.com/wiki/Monitor_ ... run_script
I'm running 6.47.x and wanted to try the script because it would be good to get some notification, for example if a port-knock sequence was performed etc.
So I've copy-pasted the script, adapted some variables as per the Wiki and scheduled it (every 5 min).

Although it works, it always mails me the same line of logging and does not provide me the logging lines I want to see.

# BEGIN SETUP
:local scheduleName "Log-Keyword-Parser"
:local emailAddress "mymail@mydomain"
:local startBuf [:toarray [/log find message~"logged in" || message~"login failure" || message~"changed" || message~"IP4-IN-PORTKNOCK"]]
:local removeThese {"telnet";"whatever string you want"}
# END SETUP

As you see, I've added/extended the "startBuf" to include a tagline that is present when portknock stuff happens. The "tilde" char means "contains", I guess? Because there are characters behind the "PORTKNOCK" string, but I think it should include that. The Wiki stated I could extend the filter to capture more messages of interest.
When I SSH into my box and issue a print command with such a where clause (where message~"logged in" || message~"login failure" || message~"changed" || message~"IP4-IN-PORTKNOCK"), I get multiple lines of output, so syntax-wise it seems OK.

The reason I want to perform it via script is because I use a free license of SPLUNK (Enterprise), so notification alerts are not possible ;-( Otherwise I would have fired alerting via my Splunk platform.

So yeah, not really sure why it's not mailing me more info than, each time, the line containing the "changed" keyword.
The script "updates" the script and updates the date-time stamp in there, hence each time there is a line in the log stating "script has changed", so that is expected.

jvanhambelgium
Forum Veteran
Topic Author
Posts: 985
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: Monitor-logs-send-mail-alert (Wiki script)

Wed May 26, 2021 6:34 pm

Hmm, ok, it seems to work now. I've reduced the timer to run it every 1 minute. Perhaps there is a limitation on the number of logging entries that you can put into the array. I do have other scripts running that also generate output in the logging... I might exceed 4096 bytes or something for the local/global variables limit.

eworm
Forum Guru
Posts: 1070
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: Monitor-logs-send-mail-alert (Wiki script)

Wed Jun 09, 2021 4:29 pm

You could try my script "Forward log messages via notification"; I guess it is more advanced compared to what can be found in the wiki. For example, it can notify via e-mail, matrix and telegram, it does not write to the config on every invocation, it tries to avoid notification floods, ...

By default it forwards everything with severity warning and up, but it can be configured. Something like this in the configuration should meet your needs:
:global LogForwardInclude "account";
:global LogForwardIncludeMessage "(changed|IP4-IN-PORTKNOCK)";

rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Monitor-logs-send-mail-alert (Wiki script)

Wed Jun 09, 2021 5:44 pm

This, for me, does not make any sense:

:local startBuf [:toarray [/log find message~"logged in" || message~"login failure"]]
:local removeThese {"telnet";"whatever string you want"}

It is better to set only what I need and stop, like:
:local startBuf [/log find where message~"IP4-IN-PORTKNOCK"]
The result is always an array anyway, so it is useless to re-convert it.

Or if something must be excluded, for some reason, it must be like:
:local startBuf [/log find where message~"IP4-IN-PORTKNOCK" and (!(message~"TIMEOUT-IP4-IN-PORTKNOCK")) ]

Or with multiple choices for both:

:local startBuf [/log find where message~"(IP4-IN-PORTKNOCK|also this|this|and this)" and (!(message~"(TIMEOUT-IP4-IN-PORTKNOCK|also neither this|neither this|and neither this)")) ]
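To check the filtering discussed in this thread outside the router, here is the same logic written as an added Python example (not the Wiki script, not eworm's script, not code from any poster): an include regex as in rextended's last line, an exclude regex for the TIMEOUT entries, the removeThese substrings from the first post, and the "only mail entries not mailed last run" bookkeeping that the Wiki script does by rewriting itself. The log sample, the numeric entry index and the idea of persisting the last reported index between runs are constructed assumptions of this example; in RouterOS the "~" operator is an unanchored regular-expression match, which is why "IP4-IN-PORTKNOCK" also matches a "TIMEOUT-IP4-IN-PORTKNOCK" message unless it is excluded explicitly.

```python
import re

# Patterns in the style of the thread. "~" in RouterOS is an unanchored regex
# match, so a bare keyword matches anywhere in the message, suffix included.
INCLUDE = re.compile(r"logged in|login failure|IP4-IN-PORTKNOCK")
EXCLUDE = re.compile(r"TIMEOUT-IP4-IN-PORTKNOCK")
# Equivalent of removeThese: plain substrings that drop an entry even if it matched.
# "script changed" is the line the self-rewriting Wiki script produces on every run.
REMOVE_THESE = ("telnet", "script changed")

# Constructed sample of a log buffer, oldest first: (index, topics, message).
# The index is an assumption of this example, standing in for log entry order.
SAMPLE_LOG = [
    (1, "system,info", "user admin logged in from 192.0.2.10 via winbox"),
    (2, "firewall,info", "IP4-IN-PORTKNOCK input: in:ether1, proto TCP, 198.51.100.7:5123->203.0.113.1:1001"),
    (3, "firewall,info", "TIMEOUT-IP4-IN-PORTKNOCK input: in:ether1, proto TCP, 198.51.100.7:5124->203.0.113.1:1002"),
    (4, "system,error,critical", "login failure for user root from 198.51.100.9 via ssh"),
    (5, "system,info", "user admin logged in from 192.0.2.10 via telnet"),
    (6, "script,info", "script changed by admin"),
]


def wanted(message):
    """Apply the include regex, the exclude regex and the removeThese substrings."""
    if not INCLUDE.search(message) or EXCLUDE.search(message):
        return False
    return not any(s in message for s in REMOVE_THESE)


def new_alerts(log, last_reported):
    """Return (entries to mail, new marker).

    Entries at or below last_reported were already sent by a previous run and
    are skipped, which is what stops the same line being mailed every run.
    The caller persists the returned marker until the next scheduled run."""
    fresh = [entry for entry in log if entry[0] > last_reported and wanted(entry[2])]
    marker = log[-1][0] if log else last_reported
    return fresh, marker


def format_mail(entries):
    """Render the selected entries as the body of one notification mail."""
    return "\n".join(f"{idx} {topics}: {msg}" for idx, topics, msg in entries)


if __name__ == "__main__":
    sent, marker = new_alerts(SAMPLE_LOG, 0)
    print(format_mail(sent))
    print("next run starts after entry", marker)
```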
