Hi,
Anyone using this script as documented in the Wiki?
https://wiki.mikrotik.com/wiki/Monitor_ ... run_script
I'm running 6.47.x and wanted to try the script because it would be good to get some notification for example if a port-knock sequence was performed etc.
So I've copy-pasted the script, adapted some variables as per Wiki and scheduled it (every 5 min)
Although it works, it always mails me the same line of logging and does not provide me the logging lines I want to see.
# BEGIN SETUP
:local scheduleName "Log-Keyword-Parser"
:local emailAddress "mymail@mydomain"
:local startBuf [:toarray [/log find message~"logged in" || message~"login failure" || message~"changed" || message~"IP4-IN-PORTKNOCK"]]
:local removeThese {"telnet";"whatever string you want"}
# END SETUP
As you see, I've added/extended the "startBuf" to include a tagline that is present when Portknock stuff happens. The "tilde" char means "contains" I guess ???? Because there are characters behind the "PORTKNOCK" string, but I think it should include that. The Wiki stated I could extend the filter to capture more messages of interest.
When I SSH into my box and issue a print command with `where message~"logged in" || message~"login failure" || message~"changed" || message~"IP4-IN-PORTKNOCK"` I get multiple lines of output, so syntax-wise it seems OK.
The reason I want to perform it via script is because I use a free license of SPLUNK (Enterprise), so notification alerts are not possible ;-( Otherwise I would have fired alerting via my Splunk platform.
So yeah, not really sure why it's not mailing me more info than, each time, the line containing the "changed" keyword.
The script "updates" the script and updates the date-time stamp in there, hence each time the line in the log stating "script has changed" so that is expected.
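An added example, not the Wiki script and not code from the thread: a stand-alone RouterOS script that collects the log entries matching the same `message~` filters, drops any entry whose message matches an exclusion list, and mails the rest in one report. The e-mail address and the exclusion strings are placeholders, and "IP4-IN-PORTKNOCK" is assumed to be the firewall log prefix used for the knock rules.

```routeros
# Added example (not the Wiki script): mail all matching log entries in one run.
# Placeholder values: the e-mail address and the exclusion list below.
:local emailAddress "mymail@mydomain"

# Entries of interest: port-knock hits (firewall log-prefix) plus login events.
# "~" is a regex match, so "IP4-IN-PORTKNOCK" matches anywhere in the message.
:local matches [/log find message~"IP4-IN-PORTKNOCK" || message~"logged in" || message~"login failure"]

# Substrings whose entries should be dropped from the report.
:local removeThese {"telnet";"script changed"}

:local body ""
:local count 0

:foreach id in=$matches do={
  :local msg [/log get $id message]
  :local keep true
  # Drop the entry if any exclusion pattern matches its message
  :foreach skip in=$removeThese do={
    :if ($msg ~ $skip) do={ :set keep false }
  }
  :if ($keep) do={
    # One line per entry: the log timestamp followed by the message text
    :set body ($body . [/log get $id time] . " " . $msg . "\n")
    :set count ($count + 1)
  }
}

# Only send mail when something matched; otherwise just note it in the log
:if ($count > 0) do={
  /tool e-mail send to=$emailAddress subject=("RouterOS log report: " . $count . " entries") body=$body
} else={
  :log info "log report: no matching entries"
}
```

Because this version keeps no state inside the script file, it does not rewrite itself and therefore does not add a "script changed" entry on every scheduled run; it does, however, resend entries that are still in the log buffer, so a longer schedule interval or a smaller log buffer keeps the reports short.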