Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻 📊

Tue Nov 02, 2021 11:50 am

Version 3.6 05.05.2022
Using Splunk to monitor and graph various data from our MikroTik Routers is a nice and free way to help you show what is going on in your network.
Splunk is free to use for logging up to 500MB per day.
You can request a 10GB/day developer license here: https://dev.splunk.com/enterprise/dev_license/

NB: logging large amounts of Accounting, DNS or firewall rules quickly eats up the license, so I recommend turning off Accounting/DNS logging to start with.

Splunk can be used to monitor multiple devices. No ports need to be opened (like with SNMP monitoring). All data are sent from the device to the Splunk monitor (using script and syslog). Devices could be all around the world.

PS:
Traffic monitoring does not work correctly while fast track is enabled (and it's removed in v7.x of RouterOS). Turn fast track off and you may lose throughput, so it's something you should consider when using this type of monitoring. How to disable fast track: https://www.youtube.com/watch?v=6LaqhDm6PHI

latest changes
# 3.6 (05.05.2022)
# NB Delete old app (copy custom made config) before install v3.6
# Change data to store in Mikrotik index, instead of default index
# Change how rsyslog handles data. Did fail if there was more than one type of input
# Updated script in "MikroTik DHCP to Static"
# Uses new Index, important to look at macros.conf and set correct index.
# Added colors to "MikroTik Admin user login"


Installation
1) On your PC. Works on Windows and Linux, but use Linux (clearly the best choice and also used in all posts here)
-----------------------------------
1a) Download and install Splunk (Windows or Linux (Ubuntu recommended))
PS you need an account to download. It's free to create.
https://www.splunk.com/en_us/download/s ... prise.html
PS you need to create an account to download the file. Free to download and use (up to 500MB/day)
PS remember to set the timezone on Windows/Linux, or else the logging time will be wrong.


1b) PS: To install Splunk as a non-root user, recommended. (needs an external syslog receiver)
Splunk setup:
viewtopic.php?t=179960#p888802
rsyslog setup
viewtopic.php?t=179960#p888803

Splunk can run as root user, but not recommended.

1c) Change to the free license group. Very important to do before 30 days of use. !!!!!!!!!!!!!!!!!!!!
Web gui:
1d) Settings->licensing->Change license group->Free license->Save

1e) Open Windows Firewall for UDP on Windows (on Linux it's not blocked)
Web gui:
Start->type "adv"->Select:Windows Firewall with Advanced Security->Select Inbound rules->Right Click "Inbound Rules">New Rule-Port-Next->UDP->Specific local ports->514->Next->Next->Next->Name "syslog"

1f) Allow UDP 514 (syslog), only if you run Splunk as root and are not using an rsyslog server. (rsyslog can be used when Splunk runs as root or as a non-root user.)
If running Splunk as a non-root user or you would like to use an external syslog receiver, see 1b for non-root.
Web gui:
Setting->Datainputs->Add new (behind the UDP)->Port 514->Next->Sourcetype type syslog and select syslog->Next-Submit

1g) Download the Splunk spl file:
MikroTik3.6.rar
1h) Extract the spl file
From Start page in Splunk, click the gear behind Apps or
from the top menu click Apps->Manage Apps
Then select Install app from file and select the spl file

1i) A restart of Splunk may be needed.
Web gui:
Settings->Server controls->Restart Splunk

1j) Upgrade from a previous version.
Sometimes files are renamed, so if you have not changed any original files, just delete the MikroTik folder.
No logged data will be deleted.
If you have custom dashboards, menus, saved searches (reports) etc, you need to merge the configuration files.
They are normally stored in the "local" folder.


2) On Your MikroTik Router
-----------------------------
Before you set up logging, you should give your router a unique identifier. Important if you have more than one router to monitor.
/system identity set name=Router-London-22

2a) Syslog
You need to make your Router able to send Syslog messages.
Web gui:
System->Logging->Action->Add New->Name (your server name)->Type:Remote->Remote Address:ip your syslog->Ok
Cli
/system logging action add name=logserver target=remote remote=192.168.1.50 remote-port=514
PS Do NOT select BSD Syslog. It will mess up the logging format.


2b) Then select what modules to log.
I suggest that you send all DHCP logs including debug, and all other logs that are not debug.
It is very important to name the prefix like this, "MikroTik", and not "mikrotik" or something else.
Splunk uses the MikroTik prefix to find out what type of syslog data is coming to it.
Uppercase T and uppercase M, the rest lowercase.
Web gui:
System->Logging->Rules->Add new->Topics:dhcp->Prefix:MikroTik->action:your syslog server->Ok
System->Logging->Rules->Add new->Topics:!debug,!packet,!snmp->Prefix:MikroTik->action:your syslog server->Ok
Cli:
/system logging add action=logserver prefix=MikroTik topics=dhcp
/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp
/system logging add action=logserver prefix=MikroTik topics=hotspot
To not fill up internal logs with firewall logs etc, remove firewall from memory logs
/system logging set [find topics="info"] topics=info,!firewall
PS Hotspot is not needed if you do not use it.


2c) Select what rules to log
NB Do not use more than 20 characters, or else it starts to clip other parts of the log!!!!!!!!!!!
To log the Firewall and NAT rules, you need to turn on logging and add a Log Prefix (under action).
Do not log more than needed. Logging rules like "defconf: accept established,related" will flood your log.
Below is a sample of how to name the log rules. You do not need to follow this rule, but it makes it more uniform.
Rule name logging
==================

Format:
x_y_z

x=<where and direction>
y=<what to do>
z=<name/info>

Example
-------
Filter Rule Forward allow HTTP
FF_A_Http

Filter Route Input Drop ICMP
FI_D_Icmp

Nat HTTP
ND_DE_Http

Mangle Mark HTTP packets
MF_MP_Http


Filter Rule
------------------
x=
FF Filter Forward
FI Filter Input
FO Filter Output
FX Filter Custom list

y=
A  Accept
AD Add to dst address list
AS Add to src address list
D  Drop
F  Fast track
J  Jump
L  Log
P  Passthrough
RJ Reject
RT Return
T  Tarpit

Nat Rule
------------------
x=
ND Dest nat
NS Source nat

y=
A  Accept
AD Add to dst address list
AS Add to src address list
DE Dst-nat
J  Jump
L  Log
M  Masquerade
N  Netmap
P  Passthrough
RE Redirect
RT Return
SA same
S  Src-nat

Raw
------------------
x=
RP Filter Raw Prerouting
RO Filter Raw Output

y=
A  Accept
AD Add to dst address list
AS Add to src address list
F  Fast track
D  Drop
J  Jump
L  Log
N  No track
P  Passthrough
RT Return

Mangle
------------------
x=
MF Mangle Forward
MI Mangle Input
MP Mangle Postrouting
MR Mangle Prerouting

y=
A  Accept
AD Add to dst address list
AS Add to src address list
CD Change DSCP
CM Change MSS
CT Change TTL
CL Clear DF
F  Fast track
J  Jump
L  Log
MC Mark connection
MP Mark packets
MR Mark routing
P  Passthrough
RT Return
RO Route
S  Set priority
SP Sniff PC
ST Sniff TZSP
SI Strip IPv4 options

2d) You should at least log this rule "defconf: drop all not coming from LAN" with this prefix: FI_D_port-test
Web gui:
IP->Firewall->select:defconf: drop all not coming from LAN->Log:v->Log Prefix:FI_D_port-test
This will populate the MikroTik Live attack view.


2e) Accounting (new version in 3.5)
To get accounting data, you need to turn on Kid Control on the MikroTik router. (MikroTik Traffic dashboard)
Cli:
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=0s-1d

2f) Main Collector Script
To get all the other data like Traffic accounting, uPnP, System health, System resources and DHCP pool information you need this script on the MikroTik. Create this script with the name Data_to_Splunk_using_Syslog and cut and paste the code using the gui.
At the top of the script, you can set a module to true/false. If you do not use wifi, set :local Wireless false



# Collect information from Mikrotik RouterOS
# Jotne 2021
:log info message="script=version ver=4.8"
# ----------------------------------


# What data to collect.  Set to false to skip the section 
# ----------------------------------
:local SystemResource true
:local SystemInformation true
:local SystemHealth true
:local TrafficData true
:local AccuntData true
:local uPnP true
:local Wireless true
:local AddressLists true
:local DHCP true
:local Neighbor true
:local InterfaceData true
:local CmdHistory true
:local CAPsMANN false


# Collect system resource
# ----------------------------------
:if ($SystemResource) do={
	/system resource
	:local cpuload [get cpu-load]
	:local freemem ([get free-memory]/1048576)
	:local totmem ([get total-memory]/1048576)
	:local freehddspace ([get free-hdd-space]/1048576)
	:local totalhddspace ([get total-hdd-space]/1048576)
	:local up [get uptime]
	:local sector [get write-sect-total]
	:log info message="script=resource free_memory=$freemem MB total_memory=$totmem MB free_hdd_space=$freehddspace MB total_hdd_space=$totalhddspace MB cpu_load=$cpuload uptime=$up write-sect-total=$sector"
}


# Make some parts run only once every hour
# ----------------------------------
:global Hour
:local run false
:local hour [:pick [/system clock get time] 0 2]
:if ($Hour != $hour) do={
	:global Hour $hour
	:set run true
}


# Get NTP status
# ----------------------------------
:local ntpstatus ""
:if ([:len [/system package find where !disabled and name=ntp]] > 0 or [:tonum [:pick [/system resource get version] 0 1]] > 6) do={
    :set ntpstatus [/system ntp client get status]
} else={
    :if ([:typeof [/system ntp client get last-update-from]] = "nil") do={
        :set ntpstatus "using-local-clock"
    } else={
        :set ntpstatus "synchronized"
    }
}
:log info message="script=ntp status=$ntpstatus" 


# Get interface traffic data for all interface
# ----------------------------------
:if ($TrafficData) do={
	:foreach id in=[/interface find] do={
		:local output "$[/interface print stats as-value where .id=$id]"
		:set ( "$output"->"script" ) "if_traffic"
		:log info message="$output"
	}
}


# Get traffic data v2 (Kid Control)
# ----------------------------------
:if ($AccuntData) do={
	:foreach logline in=[/ip kid-control device find] do={
		:local output "$[/ip kid-control device get $logline]"
		:set ( "$output"->"script" ) "kids"
		:log info message="$output"
	}
}


# Finding dynamic lines used in uPnP
# ----------------------------------
:if ($uPnP) do={
	:foreach logline in=[/ip firewall nat find where dynamic=yes and comment~"^upnp "] do={
		:local output "$[/ip firewall nat print as-value from=$logline]"
		:set ( "$output"->"script" ) "upnp"
		:log info message="$output" 
	}
}


# Collect system information
# ----------------------------------
:local model na
:local serial na
:local ffirmware na
:local cfirmware na
:local ufirmware na
:if ($SystemInformation and $run) do={
	:local version ([/system resource get version])
	:local board ([/system resource get board-name])
	:if ($board!="CHR") do={
		/system routerboard
		:set model ([get model])
		:set serial ([get serial-number])
		:set ffirmware ([get factory-firmware])
		:set cfirmware ([get current-firmware])
		:set ufirmware ([get upgrade-firmware])
	}
	:local identity ([/system identity get name])
	:log info message="script=sysinfo version=\"$version\" board-name=\"$board\" model=\"$model\" serial=$serial identity=\"$identity\" factory-firmware=\"$ffirmware\" current-firmware=\"$cfirmware\" upgrade-firmware=\"$ufirmware\""
}


# Collect system health
# ----------------------------------
:if ($SystemHealth) do={
	:do {
		# New version
		:foreach id in=[/system health find] do={
			:local health "$[/system health get $id]"
			:set ( "$health"->"script" ) "health"
			:log info message="$health"
		}
	} on-error={
		# Old version
		:if (!([/system health get]~"(state=disabled|^\$)")) do={
			:local health "$[/system health get]"
			:set ( "$health"->"script" ) "health"
			:log info message="$health"
		}
	}
}


# Sends wireless client data to log server 
# ----------------------------------
:if ($Wireless && [:len [/int find where type=wlan]]>0) do={
	/interface wireless registration-table
	:foreach i in=[find] do={
		:log info message=".id=$i;ap=$([get $i ap]);interface=$([get $i interface]);mac-address=$([get $i mac-address]);signal-strength=$([get $i signal-strength]);tx-rate=$([get $i tx-rate]);uptime=$([get $i uptime]);script=wifi"
	}
}


# Count IP in address-lists
#----------------------------------
:if ($AddressLists) do={
	:local array [ :toarray "" ]
	:local addrcntdyn [:toarray ""] 
	:local addrcntstat [:toarray ""] 
	:local test
	:foreach id in=[/ip firewall address-list find] do={
		:local rec [/ip firewall address-list get $id]
		:local listname ($rec->"list")
		:local listdynamic ($rec->"dynamic")
		:if (!($array ~ $listname)) do={ :set array ($array , $listname) }
		:if ($listdynamic = true) do={
			:set ($addrcntdyn->$listname) ($addrcntdyn->$listname+1)
		} else={
			:set ($addrcntstat->$listname) ($addrcntstat->$listname+1)}
	}
	:foreach k in=$array do={
		:log info message=("script=address_lists list=$k dynamic=".(($addrcntdyn->$k)+0)." static=".(($addrcntstat->$k)+0))}
}


# Get MNDP (CDP) Neighbors
# ----------------------------------
:if ($Neighbor and $run) do={
	:foreach neighborID in=[/ip neighbor find] do={
		:local nb [/ip neighbor get $neighborID]
		:local id [:pick ("$nb"->".id") 1 99]
		:foreach key,value in=$nb do={
			:local newline [:find $value "\n"]
			:if ([$newline]>0) do={
				:set value [:pick $value 0 $newline]
			}
			:log info message="script=neighbor nid=$id $key=\"$value\""
		}
	}
}


# Collect DHCP Pool information
# ----------------------------------
:if ($DHCP and $run) do={
	/ip pool {
		:local poolname
		:local pooladdresses
		:local poolused
		:local minaddress
		:local maxaddress
		:local findindex

# Iterate through IP Pools
		:foreach pool in=[find] do={
			:set poolname [get $pool name]
			:set pooladdresses 0
			:set poolused 0

# Iterate through current pool's IP ranges
			:foreach range in=[:toarray [get $pool range]] do={

# Get min and max addresses
				:set findindex [:find [:tostr $range] "-"]
				:if ([:len $findindex] > 0) do={
					:set minaddress [:pick [:tostr $range] 0 $findindex]
					:set maxaddress [:pick [:tostr $range] ($findindex + 1) [:len [:tostr $range]]]
				} else={
					:set minaddress [:tostr $range]
					:set maxaddress [:tostr $range]
				}

# Add the number of IP addresses in this range to the pool total (inclusive range, so +1)
				:set pooladdresses ($pooladdresses + ($maxaddress - $minaddress) + 1)

# /foreach range
			}

# Test if pools is used in DHCP or VPN and show leases used
			:local dname [/ip dhcp-server find where address-pool=$poolname]
			:if ([:len $dname] = 0) do={
# No DHCP server found, assume VPN
				:set poolused [:len [used find pool=[:tostr $poolname]]]
			} else={
# DHCP server found, count leases
				:local dname [/ip dhcp-server get [find where address-pool=$poolname] name]
				:set poolused [:len [/ip dhcp-server lease find where server=$dname]]}

# Send data
			:log info message=("script=pool pool=$poolname used=$poolused total=$pooladdresses")

# /foreach pool
		}
# /ip pool
	}
}


# Get detailed command history RouterOS >= v7
# ----------------------------------
:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and $CmdHistory) do={
	:global cmd
	:local f 0
	:foreach i in=[/system history find] do={
		:if ($i = $cmd) do={ :set f 1 }
		:if ($f != 1) do={
			:log info message="StartCMD"
			:log info message=[/system history get $i]
			:log info message="EndCMD"
		}
	}
	:global cmd  [:pick [/system history find] 0]
}


# Test if CAPsMANN is installed, if yes, run capsmann script.
# ----------------------------------
:if ( ([:len [/interface find where type="cap"]] > 0) and $CAPsMANN) do={ /system script run capsman }


# End Script



2g) Then schedule the script to run every 5 minutes:
/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog

3) Starting up
3a) Startup information
Some parts of the script run only every hour, and some jobs in Splunk run once a day.
So it will take time before all devices are named correctly. To speed things up some, do this:
After running for some hours and you see that data is coming in, in Splunk go to:
Apps->Mikrotik->Reports and run both Device table updater and DHCP table updater by clicking on Open In Search behind the app


4) Debugging
4a) See if any data is coming in to Splunk at all. Do a search in Splunk for:
index=*
4b) Test if data has the correct tag "MikroTik" (capital M & T). Do a search in Splunk for:
index=* | table _time sourcetype _raw
You should see the correct time, sourcetype should show "mikrotik" and _raw should show data

4c) See that _raw contains only data and not time and other info. Do a search in Splunk for:
index=* | table  _raw
dns MikroTik: done query: #640030 adservice.google.no 216.58.211.2
dhcp,debug,packet MikroTik:     Client-Id = 01-6C-3B-6B-88-34-3F
firewall,info MikroTik: FI_D_port-test input: in:ether1 out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 47.118.40.92:52503->92.220.205.91:2376, len 40
If you see a date, the packet format from MikroTik has BSD set or rsyslog is not set up correctly.

4d) Verify that all files have the same user:group (root:root or splunk:splunk if run as non-root user)

4e) Look for errors written in files or errors in file names. inputs.conf, not input.conf

4f) Read through all the steps on how to install if something does not work

4g) License problems.
Did not convert the license to Free license before 30 days, or indexing more than 500MB/day?
The Free license will prevent searching if there are 3 license warnings in a rolling 30 day window. If that happens, Splunk Free continues to index your data but disables search functionality. You will regain search when you are below 3 license violation warnings in a 30 day period. See About license violations.
How to solve this:
1. Convert to free and wait 30 days if you did not convert it.
2. Passing 3 times? Reduce license to <500MB and wait 30 days.
3. Reinstall Splunk
4. Get a Free 10GB/day developer license ( https://dev.splunk.com/enterprise/dev_license )

4h) Limit input. Data comes from two sources in Splunk.
1. The log setup. DNS and other stuff. To remove DNS change to
/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp,!dns
2. From the logging script: Data_to_Splunk_using_Syslog
Change true to false for each block you would like to stop.

4x) Still problems? Ask here :)
Last edited by Jotne on Tue May 17, 2022 11:21 pm, edited 27 times in total.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
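As an added example (not part of Jotne's app or of the original post): a Python parser for the _raw lines that step 4c shows. It checks the exact "MikroTik" prefix spelling from step 2b, field-extracts firewall lines, decodes the x_y_z rule-name convention from step 2c and flags log prefixes over the 20-character limit. The sample lines and addresses are constructed; the field order of the firewall message follows the sample in step 4c.

```python
import re

MAX_PREFIX_LEN = 20  # step 2c: longer log prefixes clip the rest of the log line

# x (chain) and y (action) codes from the naming tables in step 2c. The y table
# differs per rule type, so ACTIONS is keyed by the first letter of x.
CHAINS = {"FF": "filter forward", "FI": "filter input", "FO": "filter output",
          "FX": "filter custom", "ND": "nat dst", "NS": "nat src",
          "RP": "raw prerouting", "RO": "raw output", "MF": "mangle forward",
          "MI": "mangle input", "MP": "mangle postrouting", "MR": "mangle prerouting"}
COMMON = {"A": "accept", "AD": "add to dst address list",
          "AS": "add to src address list", "J": "jump", "L": "log",
          "P": "passthrough", "RT": "return"}
ACTIONS = {
    "F": dict(COMMON, D="drop", F="fasttrack", RJ="reject", T="tarpit"),
    "N": dict(COMMON, DE="dst-nat", M="masquerade", N="netmap", RE="redirect",
              SA="same", S="src-nat"),
    "R": dict(COMMON, F="fasttrack", D="drop", N="no track"),
    "M": dict(COMMON, CD="change DSCP", CM="change MSS", CT="change TTL",
              CL="clear DF", F="fasttrack", MC="mark connection", MP="mark packet",
              MR="mark routing", RO="route", S="set priority", SP="sniff PC",
              ST="sniff TZSP", SI="strip IPv4 options"),
}

# _raw as it should look after step 4c: "<topics> MikroTik: <message>".
RAW_RE = re.compile(r"^(?P<topics>[a-z0-9,]+) (?P<prefix>\S+): (?P<msg>.*)$")
# Body of a firewall log line; the rule's log prefix is absent when it has none.
FW_RE = re.compile(
    r"^(?:(?P<rule>\S+) )?(?P<chain>[\w-]+): in:(?P<in>\S+) out:(?P<out>.*?), "
    r"src-mac (?P<mac>[0-9A-Fa-f:]+), proto (?P<proto>\S+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>\S+)->(?P<dst>\S+), len (?P<len>\d+)$")


def parse_raw(line):
    """Split _raw into topics, prefix and message; None if the shape is wrong
    (for example when BSD syslog is on and a date precedes the topics)."""
    m = RAW_RE.match(line)
    if not m:
        return None
    return {"topics": m.group("topics").split(","),
            "prefix_ok": m.group("prefix") == "MikroTik",  # step 2b: exact spelling
            "msg": m.group("msg")}


def decode_rule_name(name):
    """Decode an x_y_z log prefix such as FI_D_port-test (step 2c)."""
    x, _, rest = name.partition("_")
    y, _, info = rest.partition("_")
    chain = CHAINS.get(x)
    action = ACTIONS.get(x[:1], {}).get(y)
    return {"rule": name, "chain": chain, "action": action, "info": info,
            "conforms": chain is not None and action is not None,
            "too_long": len(name) > MAX_PREFIX_LEN}


def _endpoint(s):
    """Split an IPv4 "ip:port" endpoint; ICMP lines carry no port."""
    ip, sep, port = s.rpartition(":")
    return (ip, int(port)) if sep else (s, None)


def parse_firewall(msg):
    """Field-extract a firewall message; None if it is not a firewall log line."""
    m = FW_RE.match(msg)
    if not m:
        return None
    rec = m.groupdict()
    rec["src_ip"], rec["src_port"] = _endpoint(rec.pop("src"))
    rec["dst_ip"], rec["dst_port"] = _endpoint(rec.pop("dst"))
    rec["len"] = int(rec["len"])
    rec["rule"] = decode_rule_name(rec["rule"]) if rec["rule"] else None
    return rec


def analyse(lines):
    """Parse every line; firewall lines get their fields and decoded rule name."""
    out = []
    for line in lines:
        raw = parse_raw(line)
        if raw is None:
            out.append({"line": line, "error": "unexpected _raw format"})
            continue
        if "firewall" in raw["topics"]:
            raw["firewall"] = parse_firewall(raw["msg"])
        out.append(raw)
    return out


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    "firewall,info MikroTik: FI_D_port-test input: in:ether1 out:(unknown 0), "
    "src-mac 00:05:00:01:00:01, proto TCP (SYN), 203.0.113.7:52503->192.0.2.10:2376, len 40",
    "firewall,info MikroTik: FF_A_Http forward: in:bridge out:ether1, "
    "src-mac 00:05:00:01:00:02, proto TCP (ACK), 192.168.88.10:40000->198.51.100.1:80, len 52",
    "firewall,info MikroTik: FI_D_port-test input: in:ether1 out:(unknown 0), "
    "src-mac 00:05:00:01:00:01, proto ICMP (type 8, code 0), 203.0.113.7->192.0.2.10, len 84",
    "dns mikrotik: done query: #640030 example.com 192.0.2.1",  # wrong prefix case
]
```

Running analyse(SAMPLE) shows the last line with prefix_ok False, which is exactly the misconfiguration step 4b tells you to look for.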
 
 
Jotne

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.4 (Graphing everything) 💾 🛠 💻

Tue Nov 02, 2021 11:50 am

[Attached screenshots: 1Mikrotik Firewall.jpg, 2DNS Live view.jpg, 3Volt_temperature.jpg, 4Resources.jpg]
Last edited by Jotne on Tue Nov 02, 2021 1:27 pm, edited 1 time in total.
 
 
 
Jotne

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Tue Nov 02, 2021 11:51 am

Netwatch

This part shows how to use the MikroTik Netwatch dashboard.
The idea with this part is to monitor one or many IPs and get good logging information of the up/down time of a watched IP.

Setup.
Let's say you would like to monitor a WireGuard VPN tunnel. There are no traces of up/down status for WireGuard in RouterOS, so using Netwatch to see if the remote IP is up or down is a way to see its status.

Script
System->Scripts->Add script.
Name: Netwatch
Script:
####################################
# Netwatch script
#
# Used as both up and down script
# Created Jotne 2021 v1.5
#
####################################
:local Host $host
/tool netwatch
:local Status [get [find where host="$Host"] status]
:local Comment [get [find where host="$Host"] comment]
:local Interval [get [find where host="$Host"] interval]
:local Since [get [find where host="$Host"] since]
:log info "script=netwatch watch_host=$Host comment=\"$Comment\" status=$Status interval=$Interval since=\"$Since\""

Tools->Netwatch
Add Host ip. For WireGuard, that would be ip on the other side of the tunnel.
Host: 10.0.0.2
Up: Netwatch
Down: Netwatch
Comment: WG-Tunnel-22 (This name is important to set, since this will identify what this Netwatch do watch.)
/tool netwatch
add comment=WG-Tunnel-22 down-script=Netwatch host=10.0.0.2 up-script=Netwatch

You can add as many Netwatch IPs as you like. It will take resources from the router, so do not add too many that test too often.

[Attached screenshot: Netwatch.jpg]
Last edited by Jotne on Thu Mar 31, 2022 8:32 am, edited 7 times in total.
 
 
 
Jotne

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.4 (Graphing everything) 💾 🛠 💻

Tue Nov 02, 2021 11:51 am

Placeholder p1
 
 
 
Jotne

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.4 (Graphing everything) 💾 🛠 💻

Tue Nov 02, 2021 11:52 am

How to install Splunk as a non-root user.
It's a security risk to run everything as the root user, so if you can, you should use a dedicated user for your program.

This tutorial will show how to install Splunk as a user with the name splunk on your Ubuntu server (may work on others as well)

Download latest Splunk Enterprise to you /tmp folder

Create the splunk user:
sudo useradd -c "splunk user" -m -s /bin/bash -U -d /opt/splunk splunk
Log in as the splunk user:
sudo su - splunk
Download Splunk Linux tgz file to /tmp folder

Extract the Splunk software to /opt folder (name of file will change with new version):
tar xvzf /tmp/splunk-8.0.3-a6754d8441bf-Linux-x86_64.tgz -C /opt
Start your Splunk server (accept the license agreement and set a password for the Splunk admin user):
~/bin/splunk start
Add a user/password to login to Splunk.

As a root user, make Splunk autostart with user splunk as a startup script:
sudo /opt/splunk/bin/splunk enable boot-start -user splunk
You should now be up and running on port 8000 (can be changed)
Remember to use splunk user whenever you change/add files or do anything else with Splunk from the CLI
sudo su - splunk
PS:
If you run Splunk as a non-root user then you cannot use UDP/514 as a syslog receiver port in Splunk,
since all ports below 1024 need root permission to work.

Workarounds.
1. Send syslog to other port above 1023, like 1514 for UDP syslog. (need to change many routers to send to correct port)
2. Set up a local syslog server like r-syslog and let Splunk read the r-syslog log files.
viewtopic.php?p=677233#p793342
Last edited by Jotne on Tue Nov 02, 2021 12:40 pm, edited 3 times in total.
 
 
 
Jotne

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.4 (Graphing everything) 💾 🛠 💻

Tue Nov 02, 2021 11:53 am

If you do use Splunk as a non-root user (recommended), you need an external syslog server.

This is how to set it up using Ubuntu server. Should work on most versions.

rsyslog comes by default with Ubuntu so there is no need to install any extra software.


PS do not modify these files to use another location. If you do so you will need to modify udp.conf (rsyslog) and inputs.conf (Splunk) for every upgrade.

Copy these two files to /etc/rsyslog.d/

udp.conf (sets up rsyslog to accept Syslog on udp/514)
# rsyslog.d/udp.conf
#
# This receives UDP syslog on port 514 and stores it in a reliable format
# in /data/syslog/udp/:
#
#  - A subdirectory is created for each logging host.
#    The directory name is the source IP address of the received log message.
#    The log filename is made up of date and hour of file creation.
#    A new log file is created for each logging host every hour.
#
#  - Each log message is prefixed with a locally generated timestamp.
#
#  - Then the raw, undecoded text of the incoming syslog message is written.
#    If the message is missing <PRI> then a default <PRI> is prepended.
#    This ensures that both old style (RFC-3164) and new style (RFC-5424)
#    syslog messages can be recognised and parsed from the log files without
#    risk of losing information. The raw messages also include the original
#    host name and time stamp from the sender.
#
#  - Each written log message is guaranteed to end in a single newline
#    character.
#

# Stupidly this is set to "on" in the default rsyslog.conf file
# Do our best to negate the effect.
$RepeatedMsgReduction off

module(load="imudp")


# format
template(name="RawFormat" type="list") {
  property(name="timegenerated" dateformat="rfc3339")
  constant(value=" ")
  constant(value="<")
  property(name="pri")
  constant(value=">")
  property(name="rawmsg-after-pri" droplastlf="on")
  constant(value="\n")
}

# file name
template(name="udp_split_filename" type="list") {
  constant(value="/data/syslog/udp/")
  property(name="fromhost-ip")
  constant(value="/")
  property(name="$year")
  property(name="$month")
  property(name="$day")
  constant(value="-")
  property(name="$hour")
  #property(name="$minute")
  constant(value=".log")
}

# rule set
ruleset(name="udp_split") {
  action(type="omfile"
    template="RawFormat"
    createDirs="on"
    dirCreateMode="0755"
    fileCreateMode="0644"
    dynaFile="udp_split_filename"
  )
}

# setting
input(type="imudp" port="514" ruleset="udp_split")

tcp.conf (sets up rsyslog to accept Syslog on tcp/1514) PS MikroTik only sends UDP syslog, so this part is not needed
# rsyslog.d/tcp.conf
#
# This receives TCP syslog on port 1514 and stores it in a reliable format
# in /data/syslog/tcp/:
#
#  - A subdirectory is created for each logging host.
#    The directory name is the source IP address of the received log message.
#    The log filename is made up of date and hour of file creation.
#    A new log file is created for each logging host every hour.
#
#  - Each log message is prefixed with a locally generated timestamp.
#
#  - Then the raw, undecoded text of the incoming syslog message is written.
#    If the message is missing <PRI> then a default <PRI> is prepended.
#    This ensures that both old style (RFC-3164) and new style (RFC-5424)
#    syslog messages can be recognised and parsed from the log files without
#    risk of losing information. The raw messages also include the original
#    host name and time stamp from the sender.
#
#  - Each written log message is guaranteed to end in a single newline
#    character.
#

# Stupidly this is set to "on" in the default rsyslog.conf file
# Do our best to negate the effect.
$RepeatedMsgReduction off

module(load="imtcp")


# format
template(name="RawFormat" type="list") {
  property(name="timegenerated" dateformat="rfc3339")
  constant(value=" ")
  constant(value="<")
  property(name="pri")
  constant(value=">")
  property(name="rawmsg-after-pri" droplastlf="on")
  constant(value="\n")
}

# file name
template(name="tcp_split_filename" type="list") {
  constant(value="/data/syslog/tcp/")
  property(name="fromhost-ip")
  constant(value="/")
  property(name="$year")
  property(name="$month")
  property(name="$day")
  constant(value="-")
  property(name="$hour")
  #property(name="$minute")
  constant(value=".log")
}

# rule set
ruleset(name="tcp_split") {
  action(type="omfile"
    template="RawFormat"
    createDirs="on"
    dirCreateMode="0755"
    fileCreateMode="0644"
    dynaFile="tcp_split_filename"
  )
}

# settings
input(type="imtcp" port="1514" ruleset="tcp_split")

Create the following folders
mkdir /data
mkdir /data/syslog
mkdir /data/syslog/tcp
mkdir /data/syslog/udp
Change folder rights to syslog and restart rsyslog
chown -R syslog:syslog /data/syslog
service rsyslog restart
run ss or netstat as root user to see that rsyslog is running
ss -pultn | grep syslog
udp   UNCONN 0      0                                0.0.0.0:514        0.0.0.0:*     users:(("rsyslogd",pid=5532,fd=8))
udp   UNCONN 0      0                                   [::]:514           [::]:*     users:(("rsyslogd",pid=5532,fd=9))
tcp   LISTEN 0      25                               0.0.0.0:1514       0.0.0.0:*     users:(("rsyslogd",pid=5532,fd=6))
tcp   LISTEN 0      25                                  [::]:1514          [::]:*     users:(("rsyslogd",pid=5532,fd=7))
netstat -pultn | grep rsyslog
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      1459/rsyslogd
tcp6       0      0 :::1514                 :::*                    LISTEN      1459/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1459/rsyslogd
udp6       0      0 :::514                  :::*                                1459/rsyslogd
To make Splunk read rsyslog data make this file: %SplunkHome%/etc/system/local/inputs.conf
[monitor:///data/syslog/udp/.../*.log]
sourcetype = rsyslog
host_segment=4

[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment=4
Test your server:
echo '<14>sourcehost message text' | nc -v -u -w 0 127.0.0.1 514
This should create a folder /data/syslog/udp/127.0.0.1 with a *.log file

Clean UP
Since rsyslog does not delete anything, you need a script that deletes old files

Create file /etc/cron.d/rsyslog_cleanup with:
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

UDPLOGDIR=/data/syslog/udp/.
TCPLOGDIR=/data/syslog/tcp/.

# Age is n+1 days
DELETE_AGE=2

# Every hour, as root, clean out ancient log files
00 * * * *  root /usr/bin/find ${UDPLOGDIR} -mtime +${DELETE_AGE} \( -name \*.log -o -name \*.log.gz \) -print -delete 2>&1
00 * * * *  root /usr/bin/find ${TCPLOGDIR} -mtime +${DELETE_AGE} \( -name \*.log -o -name \*.log.gz \) -print -delete 2>&1
Last edited by Jotne on Mon May 16, 2022 11:15 pm, edited 9 times in total.
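Added example, not part of the original post or of Jotne's app: Python that parses the lines the RawFormat template in udp.conf writes (local rfc3339 timestamp, <PRI>, raw message), decodes facility and severity from PRI, flags a BSD-style header of the kind step 4c of the first post warns about, derives the Splunk host the way host_segment=4 in inputs.conf does, and applies the n+1 day age rule of the cleanup cron. The sample file path and lines are constructed.

```python
import re
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Standard syslog facility and severity names; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6",
              "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# One line as written by the RawFormat template in udp.conf:
# "<timegenerated in rfc3339> <PRI><rawmsg-after-pri>"
RAW_RE = re.compile(r"^(?P<ts>\S+) <(?P<pri>\d{1,3})>(?P<msg>.*)$")

# A BSD (RFC 3164) header at the start of the raw message: "Mon dd hh:mm:ss host ".
# Step 2a says not to enable BSD syslog on the router, so flag it when it shows up.
BSD_HDR_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")


def parse_rawformat(line):
    """Parse one line from /data/syslog/udp/<sender ip>/<date>-<hour>.log."""
    m = RAW_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # local7/debug is the highest valid PRI
        return None
    try:
        received = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    msg = m.group("msg")
    return {"received": received,
            "facility": FACILITIES[pri // 8],
            "severity": SEVERITIES[pri % 8],
            "bsd_header": BSD_HDR_RE.match(msg) is not None,
            "payload": msg}


def splunk_host_from_path(path, host_segment=4):
    """Pick the host the way host_segment=N in inputs.conf does: the Nth
    '/'-separated segment of the monitored path, counted from 1."""
    parts = PurePosixPath(path).parts
    if parts and parts[0] == "/":
        parts = parts[1:]
    # The last part is the file name, which can never be the host segment.
    if host_segment < 1 or host_segment > len(parts) - 1:
        raise ValueError("host_segment %d outside path %s" % (host_segment, path))
    return parts[host_segment - 1]


def is_expired(mtime, now, delete_age=2):
    """find -mtime +N (the cleanup cron) deletes files whose age in whole days
    exceeds N, i.e. files at least N+1 days old."""
    return (now - mtime) // timedelta(days=1) > delete_age


# Constructed sample file (documentation address ranges, not real traffic).
SAMPLE_PATH = "/data/syslog/udp/192.0.2.1/20220505-10.log"
SAMPLE_LINES = [
    "2022-05-05T10:00:01.123456+02:00 <13>firewall,info MikroTik: FI_D_port-test input: "
    "in:ether1 out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), "
    "203.0.113.7:52503->192.0.2.10:2376, len 40",
    "2022-05-05T10:00:02.000000+02:00 <14>script,info MikroTik: script=resource "
    "free_memory=200 MB total_memory=256 MB cpu_load=3",
    # Same router with BSD syslog switched on by mistake: date and host precede the topics.
    "2022-05-05T10:00:03.000000+02:00 <134>May  5 10:00:03 Router-London-22 firewall,info: "
    "FI_D_port-test input: in:ether1 out:(unknown 0), src-mac 00:05:00:01:00:01, "
    "proto TCP (SYN), 203.0.113.7:52504->192.0.2.10:2376, len 40",
    "a line that rsyslog never writes (no timestamp, no PRI)",
]


def summarise(path, lines):
    """Parse every line and attach the Splunk host; unparsable lines are dropped."""
    host = splunk_host_from_path(path)
    out = []
    for line in lines:
        rec = parse_rawformat(line)
        if rec is not None:
            rec["host"] = host
            out.append(rec)
    return out
```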
 
 
 
Jotne

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.4 (Graphing everything) 💾 🛠 💻

Tue Nov 02, 2021 11:55 am

Placeholder P2
 
 
 
Jotne

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.4 (Graphing everything) 💾 🛠 💻

Tue Nov 02, 2021 11:57 am

Placeholder P3
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Tue Nov 02, 2021 12:18 pm

Hi Jotne,
Are you working on / thinking about incorporating Netflow into your app/dashboard design already? It can be right next to all the existing stuff anyway.
Of course there is also the question about the backend ingesting netflow data from the Mikrotik device.
Because today I have 2 separate pages with some Netflow pages found on Github, it might be interesting to start including it in the general design?
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sat Nov 06, 2021 10:45 pm

Yes I have been thinking about netflow, since MT is removing IP accounting.
Will see how much time I find to do some testing.

IP accounting is sent over Syslog, so no need for extra setup anywhere. Scripts take care of sending data.
Netflow, on the other hand, needs some server to receive data and an extra port (can not be sent over the syslog port).
The Netflow server also needs to be set up and communicate with Splunk.
Netflow plugins for Splunk also seem to cost money... https://splunkbase.splunk.com/app/489/
So there will be a more complex solution using Netflow.
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Sat Nov 06, 2021 11:17 pm

I'm using the Splunk App for Stream, which is capable of many things including netflow-decoding.
It's free as far as I know, I've been using it for more than 1 year, actually never failed on me. But I agree installation + adapting the config-file was not click-click-click ready ;-) but certainly not overly complex.

https://splunkbase.splunk.com/app/1809/

-------
Targeted full packet capture to NAS for forensic investigation of raw packets. Aggregate data using familiar SPL aggregation methods to reduce the volume of data indexed. Capture Flow-type records, including NetFlow v5, v9, jFlow, and sFlow, and IPFIX, and send Flow Records directly into your Indexers, with optional filtering and aggregation.
-------
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sun Nov 07, 2021 12:27 am

That seems to look better.
Could you give me a quick guide on how to get netflow in on 9995 to Splunk, I could update the app to show the data.
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Sun Nov 07, 2021 10:14 am

Ok,
Let's start with some github-references where I downloaded some dashboards. You probably will have to pick & match what you want to include in your own dashboard

https://github.com/JohnnyMirza/Splunk_Netflow
https://github.com/danucalovj/Splunk-Netflow-Analyzer
https://github.com/lucas-alados/netflow ... dashboards

I followed the guides on Splunkbase itself for installing the Stream_TA package, it's not that complex.

https://docs.splunk.com/Documentation/S ... dIPFIXdata

Contents of my /opt/splunk/etc/apps/Splunk_TA_stream/default/streamfwd.conf
(not too sure why I added the customs with their flow-id, I think it was during the time I wanted IPFIX to work (which is buggy on 6.x ROS) but v5 works fine.
I agree you miss out on some fields, but "the basics" are there.

[streamfwd]
port = 8889
ipAddr = 127.0.0.1

netflowReceiver.0.ip = X.X.X.X (=IP of the sending interface on the Mikrotik)
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow


netflowElement.0.enterpriseid = 14988
netflowElement.0.id = 225
netflowElement.0.termid = netflow.postNATSourceIPAddress

netflowElement.1.enterpriseid = 14988
netflowElement.1.id = 226
netflowElement.1.termid = netflow.postNATDestinationIPAddress

netflowElement.2.enterpriseid = 14988
netflowElement.2.id = 227
netflowElement.2.termid = netflow.postNAPTSourceTransportPort

netflowElement.3.enterpriseid = 14988
netflowElement.3.id = 228
netflowElement.3.termid = netflow.postNAPTDestinationTransportPort




And I think that this should be about it. The binary is started also with the rest of Splunk
(I'm running it as root, not the smartest thing to do I guess ;-)
(needed to reboot my NAS on October 12 hence the low uptime)

root 1748 1023 0 Oct12 ? 00:00:00 /bin/sh -c /opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd
root 1749 1748 0 Oct12 ? 01:14:27 /opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd


Hope this helps already a bit...

On the Mikrotik, under IP > Flows I've enabled it, selected all possible fields.
I have 1 "target" (=IP of the listener Streams/Splunk) and selected "v5"
That's it...
 
eddieb
Member Candidate
Posts: 260
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Sun Nov 07, 2021 11:01 am

Hi, I try to upgrade from 3.2 and reading the instructions says :

1j) Upgrade from previous version.
Sometimes files are renamed, so if you have not changed any original files, just delete the MikroTik folder.
No logged data will be deleted.
If you have custom dashboards, menus, saved searches (reports) etc, you need to merge the configuration files.
They are normally stored in the "local" folder.

HOW do I delete "the MikroTik folder" thru the splunk interface ???
I am running splunk in docker on synology, not that familiar with splunk, it just works here ;-)
6.49.4 (stable) on :
CCR1009-8G-1S, CRS125-24G-1S, RB1100, RB962UiGS-5HacT2HnT, RB931-2nD, RB951G-2HnD, RB750GL ,RB2011UAS-RM, PWR-LINE-AP, RBwAPGR-5HacD2HnD, RB750Gr3 (dude)
feeding ADSBExchange https://www.adsbexchange.com/how-to-feed/
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sun Nov 07, 2021 4:52 pm

HOW do I delete "the MikroTik folder" thru the splunk interface ???
It cannot be deleted through Splunk, you need to delete the folder manually:
~/etc/apps/MikroTik
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sun Nov 07, 2021 9:26 pm


netflowReceiver.0.ip = X.X.X.X (=IP of the sending interface on the Mikrotik)
What if you have many devices sending netflow?
Can you open it so it listen for any IP?
netflowElement.1.enterpriseid = 14988
netflowElement.1.id = 226
netflowElement.1.termid = netflow.postNATDestinationIPAddress
What are these sections?
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Sun Nov 07, 2021 9:38 pm


netflowReceiver.0.ip = X.X.X.X (=IP of the sending interface on the Mikrotik)
What if you have many devices sending netflow?
Can you open it so it listen for any IP?
netflowElement.1.enterpriseid = 14988
netflowElement.1.id = 226
netflowElement.1.termid = netflow.postNATDestinationIPAddress
What are these sections?
I think you can add multiple , like netflowReceiver.0.ip=X.X.X.X
netflowReceiver.1.ip=Y.Y.Y.Y

As each of these instances has fields for IP, port etc., I think its purpose is to be able to add multiple.
Never tried it ;-) I only have 1 Mikrotik

These sections on
netflowElement.1.id = 226
netflowElement.1.termid = netflow.postNATDestinationIPAddress
etc..

I think I added them while playing to get IPFIX working (IPFIX works with periodic templates of fields being transmitted).
I believe the *default* "dictionary" did not recognise certain Netflow fields, hence the possibility to add new ones.
To be honest I don't know anymore. They are not present in the "default" files so for sure some custom work.

Perhaps it has something to do with this thread viewtopic.php?t=99152
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Mon Nov 08, 2021 8:19 am

I think you can add multiple , like netflowReceiver.0.ip=X.X.X.X
I did hope for a solution where you have a netflow listener, and that it does not care about where data is coming from.
Would be hard to maintain and set up if you have a lot of routers.
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Mon Nov 08, 2021 8:56 am

I think you can add multiple , like netflowReceiver.0.ip=X.X.X.X
I did hope for a solution where you have a netflow listener, and that it does not care about where data is coming from.
Would be hard to maintain and set up if you have a lot of routers.
I quickly tested and it seems not to like 0.0.0.0 ;-)
I agree this adds some tasks for the admin, but I'm not even sure this Stream-plugin would "scale" well if you have hundreds of routers sending Netflow data to it.
Then you probably have to run it on a separate box and not on the same "Splunk" host like I do.
As an "ip accounting" replacement, I would enable netflow only on the Internet-facing devices or some centralized Internet breakout boxes.
Enabling netflow for all internal interfaces on a larger network will generate quite some flows.
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Mon Nov 08, 2021 9:21 am

I re-tested and 0.0.0.0 seems to work.
Because Splunk is running on my NAS I really need to be patient, it's quite heavy ;-)

Anyway, I've adapted my config to

netflowReceiver.0.ip = 0.0.0.0
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow


And then killed the streamfwd-processes and restarted Splunk. Since then, events seem to arrive just fine.
The "exporter_ip" field indicates which element is sending the Netflow data.
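To make the 0.0.0.0 receiver and the exporter_ip field concrete, here is an added Python example (not code from the Stream TA or from anyone in this thread): it decodes NetFlow v5 datagrams of the kind a MikroTik Traffic-Flow target sends to port 9995, tags every flow with the UDP source address of the sending router (which is all a receiver bound to 0.0.0.0 needs to tell routers apart), and then aggregates bytes per host and lists flows to destination ports outside an expected set. The v5 header and record layout is the standard one; the two sample datagrams, the addresses and the port allow-list are constructed.

```python
import socket
import struct
from collections import Counter

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs,
# unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval
V5_HEADER = struct.Struct("!HHIIIIBBH")
# NetFlow v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output,
# dPkts, dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot,
# tos, src_as, dst_as, src_mask, dst_mask, pad2
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30  # a v5 datagram carries at most 30 records


def _ip(n):
    return socket.inet_ntoa(struct.pack("!I", n))


def build_v5_packet(flows, seq=0):
    """Build a constructed v5 datagram from (src, dst, sport, dport, proto, octets)."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("too many records for one v5 datagram")
    body = b""
    for src, dst, sport, dport, proto, octets in flows:
        s = struct.unpack("!I", socket.inet_aton(src))[0]
        d = struct.unpack("!I", socket.inet_aton(dst))[0]
        body += V5_RECORD.pack(s, d, 0, 1, 2, 1, octets, 0, 0, sport, dport,
                               0, 0, proto, 0, 0, 0, 24, 24, 0)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0) + body


def parse_v5(data, exporter_ip):
    """Decode one datagram. exporter_ip is the UDP source address the receiver
    saw (Splunk's exporter_ip field); the packet itself does not carry it."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, _, seq, _, _, _ = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"record count {count} does not match datagram length")
    header = {"version": 5, "count": count, "sys_uptime": uptime,
              "unix_secs": secs, "flow_sequence": seq, "exporter_ip": exporter_ip}
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"exporter_ip": exporter_ip,
                        "src_ip": _ip(f[0]), "dest_ip": _ip(f[1]),
                        "src_port": f[9], "dest_port": f[10],
                        "protocol": f[13], "tcp_flags": f[12],
                        "packets": f[5], "bytes": f[6]})
    return header, records


def top_talkers(records, n=3):
    """Bytes per source host: the 'who downloads how much' accounting view."""
    totals = Counter()
    for r in records:
        totals[r["src_ip"]] += r["bytes"]
    return totals.most_common(n)


def unexpected_ports(records, allowed=frozenset({53, 80, 123, 443})):
    """Flows to destination ports outside an expected set, tagged by exporter."""
    return [(r["exporter_ip"], r["src_ip"], r["dest_ip"], r["dest_port"])
            for r in records if r["dest_port"] not in allowed]


def summarise(datagrams):
    """Decode {exporter_ip: datagram} and return the aggregated views."""
    records = []
    for exporter_ip, data in datagrams.items():
        records.extend(parse_v5(data, exporter_ip)[1])
    return {"flows": len(records),
            "top_talkers": top_talkers(records),
            "unexpected": unexpected_ports(records)}


# Constructed sample: two routers exporting to the same 0.0.0.0:9995 listener.
SAMPLE = {
    "192.168.88.1": build_v5_packet([
        ("192.168.88.10", "198.51.100.20", 51234, 443, 6, 18_000_000),
        ("192.168.88.11", "198.51.100.53", 40001, 53, 17, 240),
        ("192.168.88.12", "203.0.113.9", 40002, 8181, 6, 900),
    ], seq=1),
    "10.0.0.1": build_v5_packet([
        ("10.0.0.50", "203.0.113.7", 40003, 80, 6, 5_000),
    ], seq=7),
}

if __name__ == "__main__":
    print(summarise(SAMPLE))
```

In a live receiver the datagram and exporter address come from socket.recvfrom on the UDP listener; the length and version checks are what stop a truncated or non-v5 packet from being mis-parsed into bogus flows.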
 
eddieb
Member Candidate
Posts: 260
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Mon Nov 08, 2021 5:47 pm

So I upgraded to this latest version.
I am not familiar enough with Splunk to tune this, but it is getting really sloooooooow
Any hints in how to get better performance ?
removing old data ?
some indexing and how ?
getting a warning :

Storage engine migration recommended

If your instance uses the MMAPv1 storage engine,

how do I find out if my docker instance uses this ??
free splunk license btw
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Mon Nov 08, 2021 9:22 pm

There are a LOT of interesting documents on Splunk that are easy to read.
Including some to limit the retention for example. I only keep about 30days I believe. I'm running it on a NAS, together with 5 other VM's and 15+ containers so I have to make choices consuming nearly all 16GB that is in my NAS.


Concerning the storage-engine, see for example below

https://docs.splunk.com/Documentation/S ... ateKVstore

It seems I'm also using the "old" MMAPv1 but I don't have such messages. I'm running 8.2.0 (I'm not updating to release 8.2.3 since the fixes are not interesting to me)

For licensing, go to "Settings" (on the top menu), then "Licensing" and there you'll see what you have, what volume of the 500MB/day you've used etc.
 
eddieb
Member Candidate
Posts: 260
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Mon Nov 08, 2021 9:30 pm

tnx,

I am using docker on synology. Splunk has 2GB out of 4GB available RAM ...

running portainer to manage and watchtower to automatically upgrade docker images when they are available ...

I surely would like some options to autoclean log if older than xx days ...
It would probably make splunk a lot faster here
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Mon Nov 08, 2021 9:39 pm

In the bin-folder where the splunk binaries are, issue #./splunk show kvstore-status
It will provide the type of store.

This member:
backupRestoreStatus : Ready
date : Mon Nov 8 20:15:19 2021
dateSec : 1636398919.648
disabled : 0
guid : 6D5FAC74-4CDC-4F5C-AEA7-16B04EB7F9AE
oplogEndTimestamp : Mon Nov 8 20:15:17 2021
oplogEndTimestampSec : 1636398917
oplogStartTimestamp : Mon Oct 4 06:20:29 2021
oplogStartTimestampSec : 1633321229
port : 8191
replicaSet : 6D5FAC74-4CDC-4F5C-AEA7-16B04EB7F9AE
replicationStatus : KV store captain
standalone : 1
status : ready
storageEngine : mmapv1


I quickly performed migration to wiredTiger using the document-link earlier. It took only a few minutes without issues. Just follow the procedure.


backupRestoreStatus : Ready
date : Mon Nov 8 20:39:04 2021
dateSec : 1636400344.346
disabled : 0
guid : 6D5FAC74-4CDC-4F5C-AEA7-16B04EB7F9AE
oplogEndTimestamp : Mon Nov 8 20:39:01 2021
oplogEndTimestampSec : 1636400341
oplogStartTimestamp : Mon Nov 8 20:32:08 2021
oplogStartTimestampSec : 1636399928
port : 8191
replicaSet : 6D5FAC74-4CDC-4F5C-AEA7-16B04EB7F9AE
replicationStatus : KV store captain
standalone : 1
status : ready
storageEngine : wiredTiger
 
eddieb
Member Candidate
Posts: 260
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Mon Nov 08, 2021 9:45 pm

Upgraded here too ;-)

and now try to find a way to limit and auto clean data to speedup things
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Mon Nov 08, 2021 10:31 pm

Upgraded here too ;-)

and now try to find a way to limit and auto clean data to speedup things
Splunk community has tons of information.

https://community.splunk.com/t5/Getting ... m-p/495331

I think you'll find answers there to set some limits.
 
eddieb
Member Candidate
Posts: 260
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Tue Nov 09, 2021 4:15 pm

Ok, I am trying to find the correct indexes.conf...
I tried to do so in the webinterface but no luck thru setting reduction on 90 days ...

finally found it in /opt/splunk/etc/system/local/indexes.conf
needed to restart splunk to get this active
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sun Nov 14, 2021 8:49 pm

Seems to be that there will be a working Traffic accounting for v7.x without need to use netflow.
Will be out in next version if all is ok:
viewtopic.php?p=890978#p890978
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Sun Nov 14, 2021 10:42 pm

Seems to be that there will be a working Traffic accounting for v7.x without need to use netflow.
Will be out in next version if all is ok:
viewtopic.php?p=890978#p890978
With the netflow you do have some more insight in the port-usage too and not just IP's.
Ideal to possibly pick up certain abnormal "flows"
I agree there is a lot TCP/443 these days but still...
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Mon Nov 15, 2021 9:18 am

I know NetFlow is a much more in-depth analysis tool and gives information about every packet.
My goal is to deliver something that is simple and that many can use to monitor their routers.
Kid Control and IP Accounting, gives information about who is downloading/uploading, how much and when.
Should be enough for most small/medium network admins.

Will have a look at NetFlow later to see if I can get it to work in a simple way with Splunk.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Mon Nov 15, 2021 2:18 pm

Here is a view that combine accounting with kid control.
You can see how much data my Chromecast downloads. 18MB last 4 hours (background images).
At the same time it shows device (kid) control status. If it's not in any group, it's just used to monitor traffic (dynamic). It can be set to a group with various status: open, blocked manually, blocked due to time limit, blocked due to rate limit etc.

PS Kid Control should be renamed to Device traffic control, since it's not just kids you like to block, it may be other devices as well.

Kid Accounting2.jpg
 
mducharme
Trainer
Posts: 1740
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Mon Nov 15, 2021 8:30 pm

I agree, there are many uses of this device tracking and control that extend beyond kids. I can also see potential for enhancing it even more with a few more features - just a few useful ones I have thought of:

- The ability to be able to create a simple queue per host that includes the IPv4 address and IPv6 addresses - since "Devices" in kid control tracks this, there could easily be a "rate limit" setting in there. Note this is different from rate limiting per kid because sometimes you might want to limit per device like this.
- The ability to dynamically place the IPv4 and IPv6 addresses for a single device or kid into an address list, that way they could be flexibly used in firewall rules.
- Groups of "kids" could be created for things like departments of a company and used to populate address lists to allow creation of firewall rules based on department

Companies could use these features to restrict what some employees can do compared to others, and to provide an audit log of who had what IPv4 and IPv6 addresses at a given time. Kid-control has many practical use cases outside of restricting kids.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sat Dec 11, 2021 5:22 pm

Next version will have better health and works better with 7.1

Here is an example on Routers giving PSU State
psu_state.jpg
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Mon Dec 20, 2021 9:21 am

# Script version 4.8
# Change to Kid Control for accounting (needs to be fixed)
# Fixed possibility to turn off account data
# Updated health section to get all health info on old and new system to work better with 7.x

To upgrade, just cut/paste the script to all routers. (script found in first post)

NB If you do use accounting from 6.x, do not upgrade this script without also updating the main Splunk version to minimum 3.5
This is due to the change from accounting to kid control, since accounting does not work in RouterOS 7.x
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Mon Dec 20, 2021 2:39 pm

Upgraded to 3.5

Happy Xmas 🎄 🎁

# 3.5 (20.12.2021)
# Changed from IP Accounting to Kid Control to get accounting data to work with 7.x RouterOS
# Renamed "MikroTik Volt/Temperature" to "MikroTik Health"
# Added more info to "Mikrotik Health"

Since the new app now uses Kid control to collect accounting data, you need to know the following.
1. To use accounting, you need the script at v4.8 or later.
2. You will no longer see historical data from old accounting.
3. To get Kid Control data see section 2e) in first post.

Upgrade can be done by just replacing old files and restart Splunk
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Thu Dec 23, 2021 1:58 pm

Next version will have a dashboard for Netwatch. With that you can keep track of when devices goes up and down.
It can also be used to monitor the stateless Wireguard VPN that can not be monitored as normal VPN can.
netwatch.jpg
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Thu Dec 23, 2021 3:15 pm

Thanks Jotne!
Also usable for example to monitor ZeroTier participants on your "cloud" LAN.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Thu Dec 23, 2021 3:40 pm

Also usable for example to monitor ZeroTier participants on your "cloud" LAN.
Does ZeroTier work more or less like Wireguard, with no logging on connecting/up/down etc.?
If yes, this can be used for ZeroTier as well.
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Thu Dec 23, 2021 5:45 pm

Also usable for example to monitor ZeroTier participants on your "cloud" LAN.
Does ZeroTier work more or less like Wireguard, with no logging on connecting/up/down etc.?
If yes, this can be used for ZeroTier as well.
So it seems, my "interface" "zerotier1" is always UP, but with Netwatch I can ping/test "remote endpoints" that also participate in the ZeroTier network.
I get "up / down" notifications through Netwatch the moment I switch on the ZeroTier VPN app on my Android phone
Of course conceptually ZeroTier is a bit different from WireGuard
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sun Jan 02, 2022 6:32 pm

There are many solutions.

With Splunk you have 100% control of everything. Your server, your setup. And free (up to 500MB/day)
Store as much data for as long as you like.
If ISPApp gets hacked (more likely to get attacked since it stores many customers), your data may get exposed.

PS create your own thread for advertising your products.
 
maga79
just joined
Posts: 6
Joined: Fri Mar 01, 2019 11:57 am

Tue Jan 11, 2022 8:45 am

NB logging large amount of Accouning, DNS or firewall rules quickly eats up license, so I do recommend to turn off Accouning/DNS logging to start with.
How to turn off DNS logging ? When I disable Accounting function , log server still receive the dns request .
Thanks.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Tue Jan 11, 2022 10:57 pm

DNS logs comes from the Router log, so to stop it change from:
/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp
to
/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp,!dns
 
maga79
just joined
Posts: 6
Joined: Fri Mar 01, 2019 11:57 am

Tue Jan 18, 2022 6:03 pm

Splunk version: 8.2.4
License Type :Free license group
Volume used today 3 MB (0.524% of quota)
Mikrotik schedule : 5 minutes
When I login in the Mikrotik logs on Splunk , running search mikrotik on splunk ,There is no log record in splunk server.
After I restart Splunk service on web . splunk server will received the log from RB4011.
I need to manually restart the Splunk service after the Splunk server has been running for 15 minutes every day.
Why does Splunk need that? Is there something wrong with the Splunk server? How can I check that the Splunk server is running normally?
Thanks
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Tue Jan 18, 2022 10:19 pm

Mine never needs to be restarted.
Have one version where Splunk listens on port 514 (not recommended as it needs to be root)
The other version has an rsyslog server as input and Splunk reads the rsyslog logs.
Both running fine.

Do you pass any firewall on the way from MikroTik to the Splunk server?
What do you run Splunk on? Linux (recommend Ubuntu) on a dedicated (pri 1) server or vmware (pri 2) are the best options.
Avoid using Splunk on Windows.
 
maga79
just joined
Posts: 6
Joined: Fri Mar 01, 2019 11:57 am

Wed Jan 19, 2022 5:02 am

Mine never needs to be restarted.
Have one version where Splunk listens on port 514 (not recommended as it needs to be root)
The other version has an rsyslog server as input and Splunk reads the rsyslog logs.
Both running fine.

Do you pass any firewall on the way from MikroTik to the Splunk server?
What do you run Splunk on? Linux (recommend Ubuntu) on a dedicated (pri 1) server or vmware (pri 2) are the best options.
Avoid using Splunk on Windows.
Port 514 and port 8000
udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:* users:(("splunkd",pid=364916,fd=57))
tcp LISTEN 0 128 0.0.0.0:8000 0.0.0.0:* users:(("splunkd",pid=364916,fd=138))

Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
514 ALLOW Server IP address
8000/tcp ALLOW Anywhere
8090/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
8000/tcp (v6) ALLOW Anywhere (v6)
8090/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)

Splunk runs on the Ubuntu 20.04 server version which was built on ESXi 6.7.0.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Wed Jan 19, 2022 8:06 am

Should work.
Only comment is that you should not run splunk as root user, and use rsyslog to listen on port 514.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
User avatar
jvanhambelgium
Long time Member
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Wed Jan 19, 2022 8:36 am

My Splunk has also been running for some years now. It only goes down when I apply Splunk updates of some sort. Rock solid!
I'm running on Ubuntu 18.0.4.5 LTS.
I suggest you start digging in the log directory of your Splunk.

/opt/splunk/var/log

From there you have the folders "watchdog" and "splunk".

You could investigate watchdog.log, and in the splunk folder many logfiles reside, like health.log, splunkd.log, web_access.log, etc.

Splunk-specific troubleshooting might be slightly outside the scope of this forum ;-)
The Splunk community-forums are a better place for that.
 
maga79
just joined
Posts: 6
Joined: Fri Mar 01, 2019 11:57 am

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Sat Jan 22, 2022 7:04 pm

Thanks for the help, Jotne and jvanhambelgium.
After I reinstalled the Splunk server, everything works well.
But some graphs in the app didn't work.
I can get the graphs for "Mikrotik CAPsMAN Wifi Connection" and "Mikrotik CAPsMAN Number of Clients pr AP", but there is no graph for "Mikrotik CAPsMAN Channel Usage".
I also set up ":local CAPsMANN true", but it did not work.
Did I miss some configuration in the MikroTik script?

Our customer always wants to know which client PC or mobile phone takes the most traffic in a specified time range, with destination IP and protocol.
How can I get the traffic flow graph in the app?
If I could define the application data type, maybe the traffic flow graph would be more visual.
Thanks.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Sat Jan 22, 2022 10:20 pm

Sometimes MT changes stuff, so it stops working. Since I do not have CAPsMAN, I need some help to debug it.
Can you post a list of log lines here?

Example output of:
index=* "caps,info"
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
norooznoroozi85
just joined
Posts: 3
Joined: Sun Feb 06, 2022 8:25 am

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Mon Feb 07, 2022 1:45 pm

Hi,
I added MikroTik logs 3.5 to my Splunk and did all the configuration.

In the search tab in the main Splunk I can see my logs from my MikroTik with the host="192.168.XX.XX" command,
but in the app "MikroTik logs 3.5" I cannot see any information or logs.

Does this app listen on port 514?
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Mon Feb 07, 2022 5:57 pm

Did you see the debug section 2h-2?

2h) Debugging
1. See if any data is coming in to Splunk at all.
index=*
2. Test if the data has the correct tag "MikroTik" (capital M & T).
index=* | table _time sourcetype _raw
Follow this section 100%.
2b) Then select what modules to log.

Splunk can listen on port 514, but it is not recommended since it needs to run as root.
Use rsyslog to listen on 514.
Just follow the tutorial step by step.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
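An added example, not part of this thread or of Jotne's app, that runs the two debugging checks above offline on constructed sample lines: it verifies the case-sensitive "MikroTik" prefix and parses the key=value message bodies the collector script logs (space-separated with quoted values for sysinfo, units as bare tokens for resource, and the semicolon-separated array dumps for if_traffic). The "<prefix> <topics> <message>" line layout and all sample values are assumptions.

```python
import re
from typing import Dict, List, Tuple

EXPECTED_PREFIX = "MikroTik"  # the app's tag is matched with capital M and T

# Constructed sample lines (not real router output) in the assumed shape
# '<prefix> <topic,topic> <message>' produced by prefix=MikroTik remote logging.
SAMPLE_LINES = [
    'MikroTik script,info script=resource free_memory=200 MB total_memory=256 MB '
    'free_hdd_space=40 MB total_hdd_space=64 MB cpu_load=3 uptime=1w2d3h4m5s '
    'write-sect-total=1234',
    'MikroTik script,info script=sysinfo version="7.1.3 (stable)" board-name="CHR" '
    'model="na" serial=na identity="CHRv7_x86_64" factory-firmware="na" '
    'current-firmware="na" upgrade-firmware="na"',
    'MikroTik script,info .id=*1;name=ether1;rx-byte=123456;tx-byte=65432;script=if_traffic',
    'mikrotik script,info script=ntp status=synchronized',  # wrong case: app will not pick it up
]

# One token: either key=value (value may be a double-quoted string) or a bare word.
_TOKEN = re.compile(r'([\w.\-]+)=("(?:[^"\\]|\\.)*"|\S*)|(\S+)')


def split_syslog(line: str) -> Tuple[str, List[str], str]:
    """Split a forwarded line into (prefix, topics, message); raise if the shape is wrong."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"not a '<prefix> <topics> <message>' line: {line!r}")
    prefix, topics, message = parts
    return prefix, topics.split(","), message


def has_app_tag(line: str) -> bool:
    """Debug step 2: the prefix must be exactly 'MikroTik' (case-sensitive)."""
    try:
        prefix, _, _ = split_syslog(line)
    except ValueError:
        return False
    return prefix == EXPECTED_PREFIX


def parse_message(message: str) -> Dict[str, str]:
    """Parse a message body into a dict.

    Two shapes come out of the collector script:
      * array dumps via :log info message="$output"  -> 'k=v;k=v;...;script=if_traffic'
      * hand-built strings                            -> 'script=resource free_memory=200 MB ...'
    """
    if ";" in message and '"' not in message:
        # Array dump: plain ';'-separated key=value pairs, no quoting.
        fields: Dict[str, str] = {}
        for item in message.split(";"):
            key, sep, value = item.partition("=")
            if sep:
                fields[key] = value
        return fields

    fields = {}
    last_key = None
    for m in _TOKEN.finditer(message):
        key, value, bare = m.group(1), m.group(2), m.group(3)
        if key is not None:
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace('\\"', '"')
            fields[key] = value
            last_key = key
        elif last_key is not None and fields[last_key].isdigit():
            # 'free_memory=200 MB': the unit arrives as a bare token, glue it to the value.
            fields[last_key] = f"{fields[last_key]} {bare}"
        else:
            fields["_unparsed"] = (fields.get("_unparsed", "") + " " + bare).strip()
    return fields


def triage(lines: List[str]) -> dict:
    """Offline stand-in for 'index=* | table _time sourcetype _raw': which lines carry the
    tag the app needs, and which script= sections are actually arriving."""
    report: dict = {"tagged": 0, "untagged": [], "by_script": {}}
    for line in lines:
        if not has_app_tag(line):
            report["untagged"].append(line)
            continue
        report["tagged"] += 1
        _, _, message = split_syslog(line)
        name = parse_message(message).get("script", "(none)")
        report["by_script"][name] = report["by_script"].get(name, 0) + 1
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

Run it against a few lines copied from the rsyslog file that Splunk reads: a section that never appears under by_script is either disabled in the script's :local flags or not tagged, which separates a collector problem from an index problem.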
 
 
norooznoroozi85
just joined
Posts: 3
Joined: Sun Feb 06, 2022 8:25 am

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Wed Feb 09, 2022 1:02 pm

Hi again,
I have seen the logs, but I want to see the logs in your dashboard "MikroTik logs 3.5".
Thanks for your answer.
I receive logs from MikroTik in search with the command line index=*, but I do not have any data in "MikroTik logs 3.5".

This item is OK: "Test if data has correct tag "MikroTik" (Capital M & T)".

If possible, I can send you a photo.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Wed Feb 09, 2022 1:33 pm

Can you post some lines of output of
index=* | fillnull value="-" | table _time index sourcetype _raw
that contain some data from the router?

Do you run it like this:
Splunk as root and port 514 open to Splunk
or
Splunk as non-root, with Splunk getting data from rsyslog, which listens on 514?
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
norooznoroozi85
just joined
Posts: 3
Joined: Sun Feb 06, 2022 8:25 am

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Mon Feb 14, 2022 8:00 am

Excuse me, I am quite confused.
What do you mean by "Splunk as root"?
I use Splunk 8.2 on Windows Server 2022 and my MikroTik router is a CCR1036, v6.48.6.

If possible, I will send you a picture!

I have my MikroTik logs in my Splunk, but I want to see my logs in your dashboard "MikroTik log 3.5".
Last edited by norooznoroozi85 on Mon Feb 14, 2022 9:01 am, edited 1 time in total.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Mon Feb 14, 2022 8:22 am

You did not post the output of my command above. With that I can see if the logs look like what I expect.

I forgot to ask on what platform you run Splunk.

Some of my first information in my first post:
Installation
1) On your PC: works on Windows and Linux, but use Linux (clearly the best choice and also used in all posts here)
It should work, but I may not be able to help with the Windows version on the same level as on Linux (recommended).
Linux has a normal user and a root user.

If you only have one server, I would suggest installing VMware Workstation, then setting up a Linux server (for example Ubuntu 20.04).
Follow all the steps in the post above to get Splunk installed.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Sun Feb 27, 2022 5:50 pm

The new version with Netwatch logging is not the way. See this post in this thread on how it works:
viewtopic.php?p=888800#p888800
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
thebulgarian
just joined
Posts: 1
Joined: Fri Mar 20, 2015 5:42 am
Location: Plovdiv

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) 💾 🛠 💻 📊

Mon Mar 07, 2022 10:12 pm

Hello everyone!

First of all, thanks for this excellent tool @Jotne, I love it!

I have a little problem: I'm unable to get my CHR to show on my dashboard. All my other MikroTik devices are showing correctly except the CHR. I have 2 CHRs: 1 is 6.49.4 and the other is 7.1.3.
My Splunk is receiving data, I can search for 10.0.0.56 and 10.0.0.57 and I have data, but I don't see it on the dashboard.
Here is an export of my configurations in case you want and have time to help.

CHRv7.1.3:
/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
add name=72 remote=10.0.0.72 src-address=10.0.0.57 target=remote
/interface bridge port
add bridge=bridge1 interface=ether1
/ipv6 settings
set disable-ipv6=yes
/ip cloud
set update-time=no
/ip dhcp-client
add interface=bridge1
/system hardware
set allow-x86-64=yes
/system identity
set name=CHRv7_x86_64
/system logging
add action=72 prefix=MikroTik topics=!debug,!packet,!snmp
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.0.1
/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/07/2022 start-time=19:08:47
/system script
add dont-require-permissions=no name=Data_to_Splunk_using_Syslog owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="# Collect information from Mikrotik RouterOS\r\
    \n# Jotne 2021\r\
    \n:log info message=\"script=version ver=4.8\"\r\
    \n# ----------------------------------\r\
    \n\r\
    \n\r\
    \n# What data to collect.  Set to false to skip the section \r\
    \n# ----------------------------------\r\
    \n:local SystemResource true\r\
    \n:local SystemInformation true\r\
    \n:local SystemHealth true\r\
    \n:local TrafficData true\r\
    \n:local AccuntData true\r\
    \n:local uPnP true\r\
    \n:local Wireless false\r\
    \n:local AddressLists true\r\
    \n:local DHCP true\r\
    \n:local Neighbor true\r\
    \n:local InterfaceData true\r\
    \n:local CmdHistory true\r\
    \n:local CAPsMANN false\r\
    \n\r\
    \n\r\
    \n# Collect system resource\r\
    \n# ----------------------------------\r\
    \n:if (\$SystemResource) do={\r\
    \n\t/system resource\r\
    \n\t:local cpuload [get cpu-load]\r\
    \n\t:local freemem ([get free-memory]/1048576)\r\
    \n\t:local totmem ([get total-memory]/1048576)\r\
    \n\t:local freehddspace ([get free-hdd-space]/1048576)\r\
    \n\t:local totalhddspace ([get total-hdd-space]/1048576)\r\
    \n\t:local up [get uptime]\r\
    \n\t:local sector [get write-sect-total]\r\
    \n\t:log info message=\"script=resource free_memory=\$freemem MB total_mem\
    ory=\$totmem MB free_hdd_space=\$freehddspace MB total_hdd_space=\$totalhd\
    dspace MB cpu_load=\$cpuload uptime=\$up write-sect-total=\$sector\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Make some part only run every hours\r\
    \n# ----------------------------------\r\
    \n:global Hour\r\
    \n:local run false\r\
    \n:local hour [:pick [/system clock get time] 0 2]\r\
    \n:if (\$Hour != \$hour) do={\r\
    \n\t:global Hour \$hour\r\
    \n\t:set run true\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get NTP status\r\
    \n# ----------------------------------\r\
    \n:local ntpstatus \"\"\r\
    \n:if ([:len [/system package find where !disabled and name=ntp]] > 0 or [\
    :tonum [:pick [/system resource get version] 0 1]] > 6) do={\r\
    \n    :set ntpstatus [/system ntp client get status]\r\
    \n} else={\r\
    \n    :if ([:typeof [/system ntp client get last-update-from]] = \"nil\") \
    do={\r\
    \n        :set ntpstatus \"using-local-clock\"\r\
    \n    } else={\r\
    \n        :set ntpstatus \"synchronized\"\r\
    \n    }\r\
    \n}\r\
    \n:log info message=\"script=ntp status=\$ntpstatus\" \r\
    \n\r\
    \n\r\
    \n# Get interface traffic data for all interface\r\
    \n# ----------------------------------\r\
    \n:if (\$TrafficData) do={\r\
    \n\t:foreach id in=[/interface find] do={\r\
    \n\t\t:local output \"\$[/interface print stats as-value where .id=\$id]\"\
    \r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"if_traffic\"\r\
    \n\t\t:log info message=\"\$output\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get traffic data v2 (Kid Control)\r\
    \n# ----------------------------------\r\
    \n:if (\$AccuntData) do={\r\
    \n\t:foreach logline in=[/ip kid-control device find] do={\r\
    \n\t\t:local output \"\$[/ip kid-control device get \$logline]\"\r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"kids\"\r\
    \n\t\t:log info message=\"\$output\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Finding dynmaic lines used in uPnP\r\
    \n# ----------------------------------\r\
    \n:if (\$uPnP) do={\r\
    \n\t:foreach logline in=[/ip firewall nat find where dynamic=yes and comme\
    nt~\"^upnp \"] do={\r\
    \n\t\t:local output \"\$[/ip firewall nat print as-value from=\$logline]\"\
    \r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"upnp\"\r\
    \n\t\t:log info message=\"\$output\" \r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect system information\r\
    \n# ----------------------------------\r\
    \n:local model na\r\
    \n:local serial na\r\
    \n:local ffirmware na\r\
    \n:local cfirmware na\r\
    \n:local ufirmware na\r\
    \n:if (\$SystemInformation and \$run) do={\r\
    \n\t:local version ([/system resource get version])\r\
    \n\t:local board ([/system resource get board-name])\r\
    \n\t:if (\$board!=\"CHR\") do={\r\
    \n\t\t/system routerboard\r\
    \n\t\t:set model ([get model])\r\
    \n\t\t:set serial ([get serial-number])\r\
    \n\t\t:set ffirmware ([get factory-firmware])\r\
    \n\t\t:set cfirmware ([get current-firmware])\r\
    \n\t\t:set ufirmware ([get upgrade-firmware])\r\
    \n\t}\r\
    \n\t:local identity ([/system identity get name])\r\
    \n\t:log info message=\"script=sysinfo version=\\\"\$version\\\" board-nam\
    e=\\\"\$board\\\" model=\\\"\$model\\\" serial=\$serial identity=\\\"\$ide\
    ntity\\\" factory-firmware=\\\"\$ffirmware\\\" current-firmware=\\\"\$cfir\
    mware\\\" upgrade-firmware=\\\"\$ufirmware\\\"\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect system health\r\
    \n# ----------------------------------\r\
    \n:if (\$SystemHealth) do={\r\
    \n\t:do {\r\
    \n\t\t# New version\r\
    \n\t\t:foreach id in=[/system health find] do={\r\
    \n\t\t\t:local health \"\$[/system health get \$id]\"\r\
    \n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
    \n\t\t\t:log info message=\"\$health\"\r\
    \n\t\t}\r\
    \n\t} on-error={\r\
    \n\t\t# Old version\r\
    \n\t\t:if (!([/system health get]~\"(state=disabled|^\\\$)\")) do={\r\
    \n\t\t\t:local health \"\$[/system health get]\"\r\
    \n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
    \n\t\t\t:log info message=\"\$health\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Sends wireless client data to log server \r\
    \n# ----------------------------------\r\
    \n:if (\$Wireless && [:len [/int find where type=wlan]]>0) do={\r\
    \n\t/interface wireless registration-table\r\
    \n\t:foreach i in=[find] do={\r\
    \n\t\t:log info message=\".id=\$i;ap=\$([get \$i ap]);interface=\$([get \$\
    i interface]);mac-address=\$([get \$i mac-address]);signal-strength=\$([ge\
    t \$i signal-strength]);tx-rate=\$([get \$i tx-rate]);uptime=\$([get \$i u\
    ptime]);script=wifi\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Count IP in address-lists\r\
    \n#----------------------------------\r\
    \n:if (\$AddressLists) do={\r\
    \n\t:local array [ :toarray \"\" ]\r\
    \n\t:local addrcntdyn [:toarray \"\"] \r\
    \n\t:local addrcntstat [:toarray \"\"] \r\
    \n\t:local test\r\
    \n\t:foreach id in=[/ip firewall address-list find] do={\r\
    \n\t\t:local rec [/ip firewall address-list get \$id]\r\
    \n\t\t:local listname (\$rec->\"list\")\r\
    \n\t\t:local listdynamic (\$rec->\"dynamic\")\r\
    \n\t\t:if (!(\$array ~ \$listname)) do={ :set array (\$array , \$listname)\
    \_}\r\
    \n\t\t:if (\$listdynamic = true) do={\r\
    \n\t\t\t:set (\$addrcntdyn->\$listname) (\$addrcntdyn->\$listname+1)\r\
    \n\t\t} else={\r\
    \n\t\t\t:set (\$addrcntstat->\$listname) (\$addrcntstat->\$listname+1)}\r\
    \n\t}\r\
    \n\t:foreach k in=\$array do={\r\
    \n\t\t:log info message=(\"script=address_lists list=\$k dynamic=\".((\$ad\
    drcntdyn->\$k)+0).\" static=\".((\$addrcntstat->\$k)+0))}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get MNDP (CDP) Neighbors\r\
    \n# ----------------------------------\r\
    \n:if (\$Neighbor and \$run) do={\r\
    \n\t:foreach neighborID in=[/ip neighbor find] do={\r\
    \n\t\t:local nb [/ip neighbor get \$neighborID]\r\
    \n\t\t:local id [:pick (\"\$nb\"->\".id\") 1 99]\r\
    \n\t\t:foreach key,value in=\$nb do={\r\
    \n\t\t\t:local newline [:find \$value \"\\n\"]\r\
    \n\t\t\t:if ([\$newline]>0) do={\r\
    \n\t\t\t\t:set value [:pick \$value 0 \$newline]\r\
    \n\t\t\t}\r\
    \n\t\t\t:log info message=\"script=neighbor nid=\$id \$key=\\\"\$value\\\"\
    \"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect DHCP Pool information\r\
    \n# ----------------------------------\r\
    \n:if (\$DHCP and \$run) do={\r\
    \n\t/ip pool {\r\
    \n\t\t:local poolname\r\
    \n\t\t:local pooladdresses\r\
    \n\t\t:local poolused\r\
    \n\t\t:local minaddress\r\
    \n\t\t:local maxaddress\r\
    \n\t\t:local findindex\r\
    \n\r\
    \n# Iterate through IP Pools\r\
    \n\t\t:foreach pool in=[find] do={\r\
    \n\t\t\t:set poolname [get \$pool name]\r\
    \n\t\t\t:set pooladdresses 0\r\
    \n\t\t\t:set poolused 0\r\
    \n\r\
    \n# Iterate through current pool's IP ranges\r\
    \n\t\t\t:foreach range in=[:toarray [get \$pool range]] do={\r\
    \n\r\
    \n# Get min and max addresses\r\
    \n\t\t\t\t:set findindex [:find [:tostr \$range] \"-\"]\r\
    \n\t\t\t\t:if ([:len \$findindex] > 0) do={\r\
    \n\t\t\t\t\t:set minaddress [:pick [:tostr \$range] 0 \$findindex]\r\
    \n\t\t\t\t\t:set maxaddress [:pick [:tostr \$range] (\$findindex + 1) [:le\
    n [:tostr \$range]]]\r\
    \n\t\t\t\t} else={\r\
    \n\t\t\t\t\t:set minaddress [:tostr \$range]\r\
    \n\t\t\t\t\t:set maxaddress [:tostr \$range]\r\
    \n\t\t\t\t}\r\
    \n\r\
    \n# Calculate number of ip in one range\r\
    \n\t\t\t\t:set pooladdresses (\$maxaddress - \$minaddress)\r\
    \n\r\
    \n# /foreach range\r\
    \n\t\t\t}\r\
    \n\r\
    \n# Test if pools is used in DHCP or VPN and show leases used\r\
    \n\t\t\t:local dname [/ip dhcp-server find where address-pool=\$poolname]\
    \r\
    \n\t\t\t:if ([:len \$dname] = 0) do={\r\
    \n# No DHCP server found, assume VPN\r\
    \n\t\t\t\t:set poolused [:len [used find pool=[:tostr \$poolname]]]\r\
    \n\t\t\t} else={\r\
    \n# DHCP server found, count leases\r\
    \n\t\t\t\t:local dname [/ip dhcp-server get [find where address-pool=\$poo\
    lname] name]\r\
    \n\t\t\t\t:set poolused [:len [/ip dhcp-server lease find where server=\$d\
    name]]}\r\
    \n\r\
    \n# Send data\r\
    \n\t\t\t:log info message=(\"script=pool pool=\$poolname used=\$poolused t\
    otal=\$pooladdresses\")\r\
    \n\r\
    \n# /foreach pool\r\
    \n\t\t}\r\
    \n# /ip pool\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get detailed command history RouterOS >= v7\r\
    \n# ----------------------------------\r\
    \n:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and \$CmdHi\
    story) do={\r\
    \n\t:global cmd\r\
    \n\t:local f 0\r\
    \n\t:foreach i in=[/system history find] do={\r\
    \n\t\t:if (\$i = \$cmd) do={ :set f 1 }\r\
    \n\t\t:if (\$f != 1) do={\r\
    \n\t\t\t:log info message=\"StartCMD\"\r\
    \n\t\t\t:log info message=[/system history get \$i]\r\
    \n\t\t\t:log info message=\"EndCMD\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n\t:global cmd  [:pick [/system history find] 0]\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Test if CAPsMANN is installed, if yes, run capsmann script.\r\
    \n# ----------------------------------\r\
    \n:if ( ([:len [/interface find where type=\"cap\"]] > 0) and \$CAPsMANN) \
    do={ /system script run capsman }\r\
    \n\r\
    \n\r\
    \n# End Script"
/tool romon
set enabled=yes

CHRv6.49.4:
/interface bridge
add name=bridge1 protocol-mode=none
/system logging action
add name=72 remote=10.0.0.72 src-address=10.0.0.56 target=remote
/interface bridge port
add bridge=bridge1 interface=ether1
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=bridge1
/system clock manual
set time-zone=+02:00
/system identity
set name=CHR_x86_64
/system logging
add action=72 disabled=yes prefix=MikroTik topics=critical
add action=72 disabled=yes prefix=MikroTik topics=account
add action=72 disabled=yes prefix=MikroTik topics=health
add action=72 disabled=yes prefix=MikroTik topics=interface
add action=72 disabled=yes prefix=MikroTik topics=info
add action=72 prefix=MikroTik topics=!debug,!packet,!snmp
/system note
set note="\r\
    \n   _____ _    _ _____     __ _  _   \r\
    \n  / ____| |  | |  __ \\   / /| || |  \r\
    \n | |    | |__| | |__) | / /_| || |_ \r\
    \n | |    |  __  |  _  / | '_ \\__   _|\r\
    \n | |____| |  | | | \\ \\ | (_) | | |  \r\
    \n  \\_____|_|  |_|_|  \\_\\ \\___/  |_|  \r\
    \n                    ______          \r\
    \n                   |______|         \r\
    \n"
/system ntp client
set enabled=yes primary-ntp=10.0.0.1 secondary-ntp=10.0.200.0
/system ntp server
set enabled=yes
/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/03/2022 start-time=14:56:37
/system script
add dont-require-permissions=no name=Data_to_Splunk_using_Syslog owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="# Collect information from Mikrotik RouterOS\r\
    \n# Jotne 2021\r\
    \n:log info message=\"script=version ver=4.8\"\r\
    \n# ----------------------------------\r\
    \n\r\
    \n\r\
    \n# What data to collect.  Set to false to skip the section \r\
    \n# ----------------------------------\r\
    \n:local SystemResource true\r\
    \n:local SystemInformation true\r\
    \n:local SystemHealth true\r\
    \n:local TrafficData true\r\
    \n:local AccuntData true\r\
    \n:local uPnP true\r\
    \n:local Wireless false\r\
    \n:local AddressLists true\r\
    \n:local DHCP true\r\
    \n:local Neighbor true\r\
    \n:local InterfaceData true\r\
    \n:local CmdHistory true\r\
    \n:local CAPsMANN false\r\
    \n\r\
    \n\r\
    \n# Collect system resource\r\
    \n# ----------------------------------\r\
    \n:if (\$SystemResource) do={\r\
    \n\t/system resource\r\
    \n\t:local cpuload [get cpu-load]\r\
    \n\t:local freemem ([get free-memory]/1048576)\r\
    \n\t:local totmem ([get total-memory]/1048576)\r\
    \n\t:local freehddspace ([get free-hdd-space]/1048576)\r\
    \n\t:local totalhddspace ([get total-hdd-space]/1048576)\r\
    \n\t:local up [get uptime]\r\
    \n\t:local sector [get write-sect-total]\r\
    \n\t:log info message=\"script=resource free_memory=\$freemem MB total_mem\
    ory=\$totmem MB free_hdd_space=\$freehddspace MB total_hdd_space=\$totalhd\
    dspace MB cpu_load=\$cpuload uptime=\$up write-sect-total=\$sector\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Make some part only run every hours\r\
    \n# ----------------------------------\r\
    \n:global Hour\r\
    \n:local run false\r\
    \n:local hour [:pick [/system clock get time] 0 2]\r\
    \n:if (\$Hour != \$hour) do={\r\
    \n\t:global Hour \$hour\r\
    \n\t:set run true\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get NTP status\r\
    \n# ----------------------------------\r\
    \n:local ntpstatus \"\"\r\
    \n:if ([:len [/system package find where !disabled and name=ntp]] > 0 or [\
    :tonum [:pick [/system resource get version] 0 1]] > 6) do={\r\
    \n    :set ntpstatus [/system ntp client get status]\r\
    \n} else={\r\
    \n    :if ([:typeof [/system ntp client get last-update-from]] = \"nil\") \
    do={\r\
    \n        :set ntpstatus \"using-local-clock\"\r\
    \n    } else={\r\
    \n        :set ntpstatus \"synchronized\"\r\
    \n    }\r\
    \n}\r\
    \n:log info message=\"script=ntp status=\$ntpstatus\" \r\
    \n\r\
    \n\r\
    \n# Get interface traffic data for all interface\r\
    \n# ----------------------------------\r\
    \n:if (\$TrafficData) do={\r\
    \n\t:foreach id in=[/interface find] do={\r\
    \n\t\t:local output \"\$[/interface print stats as-value where .id=\$id]\"\
    \r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"if_traffic\"\r\
    \n\t\t:log info message=\"\$output\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get traffic data v2 (Kid Control)\r\
    \n# ----------------------------------\r\
    \n:if (\$AccuntData) do={\r\
    \n\t:foreach logline in=[/ip kid-control device find] do={\r\
    \n\t\t:local output \"\$[/ip kid-control device get \$logline]\"\r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"kids\"\r\
    \n\t\t:log info message=\"\$output\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Finding dynmaic lines used in uPnP\r\
    \n# ----------------------------------\r\
    \n:if (\$uPnP) do={\r\
    \n\t:foreach logline in=[/ip firewall nat find where dynamic=yes and comme\
    nt~\"^upnp \"] do={\r\
    \n\t\t:local output \"\$[/ip firewall nat print as-value from=\$logline]\"\
    \r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"upnp\"\r\
    \n\t\t:log info message=\"\$output\" \r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect system information\r\
    \n# ----------------------------------\r\
    \n:local model na\r\
    \n:local serial na\r\
    \n:local ffirmware na\r\
    \n:local cfirmware na\r\
    \n:local ufirmware na\r\
    \n:if (\$SystemInformation and \$run) do={\r\
    \n\t:local version ([/system resource get version])\r\
    \n\t:local board ([/system resource get board-name])\r\
    \n\t:if (\$board!=\"CHR\") do={\r\
    \n\t\t/system routerboard\r\
    \n\t\t:set model ([get model])\r\
    \n\t\t:set serial ([get serial-number])\r\
    \n\t\t:set ffirmware ([get factory-firmware])\r\
    \n\t\t:set cfirmware ([get current-firmware])\r\
    \n\t\t:set ufirmware ([get upgrade-firmware])\r\
    \n\t}\r\
    \n\t:local identity ([/system identity get name])\r\
    \n\t:log info message=\"script=sysinfo version=\\\"\$version\\\" board-nam\
    e=\\\"\$board\\\" model=\\\"\$model\\\" serial=\$serial identity=\\\"\$ide\
    ntity\\\" factory-firmware=\\\"\$ffirmware\\\" current-firmware=\\\"\$cfir\
    mware\\\" upgrade-firmware=\\\"\$ufirmware\\\"\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect system health\r\
    \n# ----------------------------------\r\
    \n:if (\$SystemHealth) do={\r\
    \n\t:do {\r\
    \n\t\t# New version\r\
    \n\t\t:foreach id in=[/system health find] do={\r\
    \n\t\t\t:local health \"\$[/system health get \$id]\"\r\
    \n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
    \n\t\t\t:log info message=\"\$health\"\r\
    \n\t\t}\r\
    \n\t} on-error={\r\
    \n\t\t# Old version\r\
    \n\t\t:if (!([/system health get]~\"(state=disabled|^\\\$)\")) do={\r\
    \n\t\t\t:local health \"\$[/system health get]\"\r\
    \n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
    \n\t\t\t:log info message=\"\$health\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Sends wireless client data to log server \r\
    \n# ----------------------------------\r\
    \n:if (\$Wireless && [:len [/int find where type=wlan]]>0) do={\r\
    \n\t/interface wireless registration-table\r\
    \n\t:foreach i in=[find] do={\r\
    \n\t\t:log info message=\".id=\$i;ap=\$([get \$i ap]);interface=\$([get \$\
    i interface]);mac-address=\$([get \$i mac-address]);signal-strength=\$([ge\
    t \$i signal-strength]);tx-rate=\$([get \$i tx-rate]);uptime=\$([get \$i u\
    ptime]);script=wifi\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Count IP in address-lists\r\
    \n#----------------------------------\r\
    \n:if (\$AddressLists) do={\r\
    \n\t:local array [ :toarray \"\" ]\r\
    \n\t:local addrcntdyn [:toarray \"\"] \r\
    \n\t:local addrcntstat [:toarray \"\"] \r\
    \n\t:local test\r\
    \n\t:foreach id in=[/ip firewall address-list find] do={\r\
    \n\t\t:local rec [/ip firewall address-list get \$id]\r\
    \n\t\t:local listname (\$rec->\"list\")\r\
    \n\t\t:local listdynamic (\$rec->\"dynamic\")\r\
    \n\t\t:if (!(\$array ~ \$listname)) do={ :set array (\$array , \$listname)\
    \_}\r\
    \n\t\t:if (\$listdynamic = true) do={\r\
    \n\t\t\t:set (\$addrcntdyn->\$listname) (\$addrcntdyn->\$listname+1)\r\
    \n\t\t} else={\r\
    \n\t\t\t:set (\$addrcntstat->\$listname) (\$addrcntstat->\$listname+1)}\r\
    \n\t}\r\
    \n\t:foreach k in=\$array do={\r\
    \n\t\t:log info message=(\"script=address_lists list=\$k dynamic=\".((\$ad\
    drcntdyn->\$k)+0).\" static=\".((\$addrcntstat->\$k)+0))}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get MNDP (CDP) Neighbors\r\
    \n# ----------------------------------\r\
    \n:if (\$Neighbor and \$run) do={\r\
    \n\t:foreach neighborID in=[/ip neighbor find] do={\r\
    \n\t\t:local nb [/ip neighbor get \$neighborID]\r\
    \n\t\t:local id [:pick (\"\$nb\"->\".id\") 1 99]\r\
    \n\t\t:foreach key,value in=\$nb do={\r\
    \n\t\t\t:local newline [:find \$value \"\\n\"]\r\
    \n\t\t\t:if ([\$newline]>0) do={\r\
    \n\t\t\t\t:set value [:pick \$value 0 \$newline]\r\
    \n\t\t\t}\r\
    \n\t\t\t:log info message=\"script=neighbor nid=\$id \$key=\\\"\$value\\\"\
    \"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect DHCP Pool information\r\
    \n# ----------------------------------\r\
    \n:if (\$DHCP and \$run) do={\r\
    \n\t/ip pool {\r\
    \n\t\t:local poolname\r\
    \n\t\t:local pooladdresses\r\
    \n\t\t:local poolused\r\
    \n\t\t:local minaddress\r\
    \n\t\t:local maxaddress\r\
    \n\t\t:local findindex\r\
    \n\r\
    \n# Iterate through IP Pools\r\
    \n\t\t:foreach pool in=[find] do={\r\
    \n\t\t\t:set poolname [get \$pool name]\r\
    \n\t\t\t:set pooladdresses 0\r\
    \n\t\t\t:set poolused 0\r\
    \n\r\
    \n# Iterate through current pool's IP ranges\r\
    \n\t\t\t:foreach range in=[:toarray [get \$pool range]] do={\r\
    \n\r\
    \n# Get min and max addresses\r\
    \n\t\t\t\t:set findindex [:find [:tostr \$range] \"-\"]\r\
    \n\t\t\t\t:if ([:len \$findindex] > 0) do={\r\
    \n\t\t\t\t\t:set minaddress [:pick [:tostr \$range] 0 \$findindex]\r\
    \n\t\t\t\t\t:set maxaddress [:pick [:tostr \$range] (\$findindex + 1) [:le\
    n [:tostr \$range]]]\r\
    \n\t\t\t\t} else={\r\
    \n\t\t\t\t\t:set minaddress [:tostr \$range]\r\
    \n\t\t\t\t\t:set maxaddress [:tostr \$range]\r\
    \n\t\t\t\t}\r\
    \n\r\
    \n# Calculate number of ip in one range\r\
    \n\t\t\t\t:set pooladdresses (\$maxaddress - \$minaddress)\r\
    \n\r\
    \n# /foreach range\r\
    \n\t\t\t}\r\
    \n\r\
    \n# Test if pools is used in DHCP or VPN and show leases used\r\
    \n\t\t\t:local dname [/ip dhcp-server find where address-pool=\$poolname]\
    \r\
    \n\t\t\t:if ([:len \$dname] = 0) do={\r\
    \n# No DHCP server found, assume VPN\r\
    \n\t\t\t\t:set poolused [:len [used find pool=[:tostr \$poolname]]]\r\
    \n\t\t\t} else={\r\
    \n# DHCP server found, count leases\r\
    \n\t\t\t\t:local dname [/ip dhcp-server get [find where address-pool=\$poo\
    lname] name]\r\
    \n\t\t\t\t:set poolused [:len [/ip dhcp-server lease find where server=\$d\
    name]]}\r\
    \n\r\
    \n# Send data\r\
    \n\t\t\t:log info message=(\"script=pool pool=\$poolname used=\$poolused t\
    otal=\$pooladdresses\")\r\
    \n\r\
    \n# /foreach pool\r\
    \n\t\t}\r\
    \n# /ip pool\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get detailed command history RouterOS >= v7\r\
    \n# ----------------------------------\r\
    \n:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and \$CmdHi\
    story) do={\r\
    \n\t:global cmd\r\
    \n\t:local f 0\r\
    \n\t:foreach i in=[/system history find] do={\r\
    \n\t\t:if (\$i = \$cmd) do={ :set f 1 }\r\
    \n\t\t:if (\$f != 1) do={\r\
    \n\t\t\t:log info message=\"StartCMD\"\r\
    \n\t\t\t:log info message=[/system history get \$i]\r\
    \n\t\t\t:log info message=\"EndCMD\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n\t:global cmd  [:pick [/system history find] 0]\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Test if CAPsMANN is installed, if yes, run capsmann script.\r\
    \n# ----------------------------------\r\
    \n:if ( ([:len [/interface find where type=\"cap\"]] > 0) and \$CAPsMANN) \
    do={ /system script run capsman }\r\
    \n\r\
    \n\r\
    \n# End Script\r\
    \n"
Thanks!
 
mducharme
Trainer
Posts: 1740
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Thu Mar 17, 2022 8:12 am

@jotne

I've never used Splunk before but thought I would give it a try for home.

Under MikroTik Device Traffic (although I properly have kid-control enabled), the hostname is blank for all entries, even though I can see in kid-control devices the hostname is shown for some of those. Also instead of showing all IP addresses the device has, it only shows the first one in the list. Other than that most features seem to work.

I am using CAPsMAN as well but there is no data displayed there.
 
User avatar
Jotne
Forum Guru
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: &#128204; Tool: Using Splunk to analyse MikroTik logs 3.5 (Graphing everything) &#128190; &#128736; &#128187; &#1282

Thu Mar 17, 2022 8:39 am

Let it run for at least one day. Some scripts are only run every 24 hours.
 
Use Splunk> to log/monitor your MikroTik Router(s). See link below. :mrgreen:

MikroTik->Splunk
 
 
gpmendive
just joined
Posts: 2
Joined: Sun Mar 27, 2022 3:47 pm
Location: Ciudad de Buenos Aires

Sat Apr 02, 2022 7:47 pm

Thanks a lot Jotne for your App for Splunk!
It's my first installation of Splunk and your guide proved to be very helpful.

I first installed both on Ubuntu server running on a physical PC. I tried it for several days and it performed great.
Then I installed on same OS but running in a ProxmoxVE Virtual Machine; great performance also!
I will stick to the latter configuration.

Thanks again to you, and also to the other members who contributed to this topic.
 
LogicalNZ
Frequent Visitor
Posts: 57
Joined: Sat Oct 19, 2013 6:35 am

Sat Apr 16, 2022 11:03 am

I’m really interested in Splunk.

I have been using GreyLog for a couple of years for Syslog management on my Tiks. Can someone help me understand when using Splunk with a Tik, what would be the advantage over GreyLog?
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Mon Apr 18, 2022 5:09 pm

My 2 cents,
I don't think there are any advantages. In theory with GreyLog you can do the same (or should be able to do so), but obviously the key is that for Mikrotik Jotne has provided some nice app/dashboards to work with.
 
MeMB
just joined
Posts: 1
Joined: Fri Mar 25, 2022 8:48 am

Wed Apr 20, 2022 1:21 pm

Do I need to add any apps to Splunk before proceeding so that v3.5 can communicate with Splunk?
I have followed the start of the tutorial, however my Mik does not even show in the device list.

Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sat Apr 23, 2022 12:40 pm

What do you get when you search for
index=*
Do you use rsyslog, or are you running Splunk as root and listening on port 514?
See section
3b) Debugging
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sat Apr 23, 2022 12:44 pm

I have been using GreyLog for a couple of years for Syslog management on my Tiks. Can someone help me understand when using Splunk with a Tik, what would be the advantage over GreyLog?
GreyLog and Splunk are the two major log receiving systems.
One is 100% free, the other is free up to 500MB of logs per day.

Do a Google search for
graylog vs splunk
I do like Splunk, since it's what I know :)
 
siscom
Member Candidate
Posts: 188
Joined: Tue May 26, 2009 6:37 pm
Location: Malta, EU.

Tue May 03, 2022 10:59 am

Hi Jotne,

1 - Thank you for this app - very clean and useful.
2 - Problem - VPN Connections not working well

This was all working ok until I introduced a 2FA solution. What happens is that on a user accessing the L2TP/IPsec server, a request is sent to a radius server that sends a request to a service which then sends a request to the user's mobile for auth. Once this happens, the service sends a reply back to radius which in turn advises the router to admit the user. All this takes time, which means the logging is not within the same few seconds it usually is. This seems to cause the Splunk/Mikrotik app to lose the login.

If I log in using the same user without 2FA (tried with both PPTP & L2TP/IPsec), Splunk logs it 100% and if you look at the router log, only the timing is the difference.

I tried to modify the MAX_TIMESTAMP_LOOKAHEAD value in the props.conf in the Mikrotik app directory (restarted Splunk) but this made no difference.
Any idea what could be causing this?

Rgds,
Mark
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Tue May 03, 2022 8:29 pm

Do you see the logs in Splunk?
index=*
Can you post some example lines?
 
juancipolletti
just joined
Posts: 2
Joined: Fri Jul 27, 2018 5:37 pm

Wed May 04, 2022 8:33 pm

Hi Jotne, I'm new to the forum and to Splunk. I have my lab upstairs with an Ubuntu server with rsyslog and a MikroTik RB3011 (RouterOS 6.42.9) router. The logs arrive in my rsyslog, but I can't see them in Splunk. I would appreciate any help.
 
siscom
Member Candidate
Posts: 188
Joined: Tue May 26, 2009 6:37 pm
Location: Malta, EU.

Wed May 04, 2022 9:37 pm

Hi,

Thank you for the reply. I tried to run the search with the index=* parameter, but there is too much data being displayed. Any way to get something only related to the logins?

Rgds,
Mark.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Wed May 04, 2022 9:56 pm

@siscom try a search like this:
index=* sourcetype=mikrotik  eventtype IN (*tp_connection_from,*tp_user_logged_in,ppp_authentication_failed,l2tp_user_logged_out)
or
index=* sourcetype=mikrotik  ppp
Without seeing what you get, it's not easy.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Wed May 04, 2022 10:03 pm

Hi Jotne, I'm new to the forum and to Splunk. I have my lab upstairs with an Ubuntu server with rsyslog and a MikroTik RB3011 (RouterOS 6.42.9) router. The logs arrive in my rsyslog, but I can't see them in Splunk. I would appreciate any help.
Does this search give any MikroTik data?
index=*
Have you followed this part 100%?
viewtopic.php?p=888803#p888803
Does this file exist:
%SplunkHome%/etc/system/local/inputs.conf
Under
Settings->Data Inputs->Files & Directories you should see the rsyslog section and the number of files it sees.
[attachment: udp.png]
Last edited by Jotne on Mon May 16, 2022 11:16 pm, edited 1 time in total.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Thu May 05, 2022 11:44 am

Upgraded to 3.6
# 3.6 (05.05.2022)
# NB Delete old app (copy custom made config) before install v3.6
# Change data to store in Mikrotik index, instead of default index
# Change how rsyslog handles data. Did fail if there was more than one type of input
# Updated script in "MikroTik DHCP to Static"
# Uses new Index, important to look at macros.conf and set correct index.
# Added colors to "MikroTik Admin user login"
This version no longer uses the default index (main). It will create its own index named mikrotik.
I do suggest that you remove the old installed version before installing the new version, due to the index change.
New data will be stored in the new index and old data will remain in the old main index. The app will search both.

If you for some reason need another custom index name, you can do that as well. Just edit macros.conf to indicate what index to search.
 
tahir491
just joined
Posts: 1
Joined: Sat May 07, 2022 1:02 pm

Sat May 07, 2022 1:19 pm

Hi everyone,
I'm unable to find the Mikrotik.spl file. Can someone please help me find this file?
 
zandhaas
Frequent Visitor
Posts: 64
Joined: Tue Dec 11, 2018 11:02 pm
Location: The Netherlands

Sat May 07, 2022 3:47 pm

The Mikrotik.SPL file is packaged as a RAR file and you can download this under paragraph 1G in the first post of this thread.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sat May 07, 2022 6:43 pm

The file is found in section 1g) of the first post. And I forgot to upload 3.6 when I wrote that it was upgraded. Fixed now.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Tue May 10, 2022 2:22 pm

Small bug found that affects you if you use rsyslog. The fix will come in 3.7.

Quick fix to get it to work:

Change this part of props.conf from
[rsyslog]
TRUNCATE = 10000
TRANSFORMS-dns = remove_dns_query,remove_dns_answer
TRANSFORMS-force_mikrotik = force_mikrotik_st,force_mikrotik_ix

To
[rsyslog]
TRUNCATE = 10000
TRANSFORMS-dns = remove_dns_query,remove_dns_answer
TRANSFORMS-force_mikrotik = force_mikrotik_st,force_mikrotik_ix
SEDCMD-clean_header = s/\d{4}-\d\d-\d\d.*?<\d+>//
SEDCMD-clean_end = s/#015$//
 
jwshields
just joined
Posts: 6
Joined: Wed Aug 05, 2020 2:34 am
Location: Seattle, WA, USA

Tue May 10, 2022 6:54 pm

I work with Splunk daily as part of my day job, managing a medium sized cluster of around ~50 nodes, consuming around 5TB of events per day. I absolutely love getting my hands dirty in apps and building things for Splunk.
Is this the same Mikrotik App that was out about 1.5-2 years ago, and has just been updated? Or a completely different app?

Are you interested in open-sourcing the app and hosting it on [your choice of a publicly hosted Git platform]? I would love to contribute and work on this app if at all possible, and if there is interest.
Let me know if you're open to open-sourcing the Splunk app, or collaborating together.
You should be able to DM me or email me on here, but if you're interested, let me know. Would love to chat more about this! Your screenshots look so beautiful!

- Jared
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Tue May 10, 2022 7:05 pm

I would have no problem making this app better and working together :)
Yes, it's the same app that has been around since at least 2017.

My level of programming skill is not high, but I know some, and I also work with Splunk as my main job.
We have 50+ Splunk servers and 1+ TB a day from 3k+ servers +++
 
eaf
just joined
Posts: 3
Joined: Tue Apr 19, 2022 10:20 pm

Wed May 11, 2022 10:53 pm

I have a question regarding the below snippet. What is [/ip kid-control device find] supposed to print/return? For me it prints nothing. And kid control has been enabled as per the instructions.

Also a couple of typos here: "$AccuntData" and "dynmaic".

:if ($AccuntData) do={
:foreach logline in=[/ip kid-control device find] do={
:local output "$[/ip kid-control device get $logline]"
:set ( "$output"->"script" ) "kids"
:log info message="$output"
}
}


# Finding dynmaic lines used in uPnP
# ----------------------------------
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Wed May 11, 2022 11:29 pm

Here is the output of my settings
/ip/kid-control> export
# may/11/2022 22:25:17 by RouterOS 7.2.3
# software id = E4B6-AAAA
#
# model = RouterBOARD 750G r3
# serial number = xxxxx
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=0s-1d

To see the actual data
 /ip kid-control device/print 
Flags: D, L - LIMITED; I - INACTIVE
Columns: NAME, MAC-ADDRESS, IDLE-TIME, RATE-DOWN, RATE-UP
 #    NAME                       MAC-ADDRESS        IDLE-TIME   RATE-DOWN  RATE-UP 
 0 D                             00:05:00:01:00:01  2s          0bps       0bps    
 1 D                             AC:CA:54:00:AA:CC  2s          0bps       0bps    
 2 D                             00:1D:EC:06:AA:83  2s          0bps       0bps    
 3 D  vuxxxx-xxx                00:1D:EC:AA:92:6D  1s          0bps       0bps    
 4 D                             00:40:8C:DF:AA:44  3m37s       0bps       0bps    
 5 D                             90:B1:1C:8E:AA:6E  0s          49.7kbps   32.6kbps
 6 D                             90:B1:1C:68:AA:D1  0s          29.9kbps   4.8kbps 
 7 D                             EE:9D:21:79:AA:CC  3m50s       0bps       0bps    
 8 D                             4C:5E:0C:0E:AA:F5  39s         0bps       0bps    
 9 D  HUAWEI_P_smart_Z-3006e00b  74:AA:09:53:A7:E9  5s          0bps       0bps    
10 D  ESP_4E46B6                 CC:50:E3:AA:46:B6  1s          0bps       0bps    
11 D  S21-pol-zovatela-rtes     BA:E8:4C:AA:DF:FD  31s         0bps       0bps    
12 D  Pulsecf129d87a0            A4:CF:12:AA:87:A0  3s          0bps       0bps    
13 D                             5C:83:8F:0C:AA:AC  11s         0bps       0bps    
14 D                             C4:AD:34:B1:AA:CE  49s         0bps       0bps    
15 D                             00:C0:B7:C2:AA:0F              0bps       0bps    
16 D  raspberrypi                00:13:EF:AA:2F:E3  1m54s       0bps       0bps 


If you do not see anything, I am not sure what is wrong.
Should work on both RouterOS 6 and 7.
 
eaf
just joined
Posts: 3
Joined: Tue Apr 19, 2022 10:20 pm

Thu May 12, 2022 12:02 am

Ah, sorry, some major misunderstanding of MT scripting on my side. "/ip kid-control device find" isn't supposed to print anything. ":put [/ip kid-control device find]" will.

I was just trying to see what kind of log lines that snippet was supposed to produce. Apparently something like this:

.id=*1;activity=i.scdn.co;blocked=false;bytes-down=6980168;bytes-up=742091;disabled=false;dynamic=true;idle-time=00:00:01;inactive=false;ip-address=192.168.88.7;limited=false;mac-address=74:D6:37:70:58:41;name=amazon-cd1e20631;rate-down=504;rate-up=920;user=
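Added example (not code from the original post or from the Splunk app): a small Python parser for the line shape eaf shows just above, i.e. the RouterOS array stringified as key=value pairs separated by ";". The line eaf posted is reused as the sample input. The set of fields treated as integers and booleans, the handling of a leading day count in idle-time (e.g. 1d00:00:01) and the summarize() output shape are my assumptions about what a dashboard would chart; the parser itself only relies on the "key=value;" layout.

```python
import re
from typing import Any, Dict

# Sample input: the kid-control line eaf posted above, reused here as test data.
SAMPLE_KID_CONTROL_LINE = (
    ".id=*1;activity=i.scdn.co;blocked=false;bytes-down=6980168;"
    "bytes-up=742091;disabled=false;dynamic=true;idle-time=00:00:01;"
    "inactive=false;ip-address=192.168.88.7;limited=false;"
    "mac-address=74:D6:37:70:58:41;name=amazon-cd1e20631;rate-down=504;"
    "rate-up=920;user="
)

# Assumption: which kid-control fields are numeric / boolean.
INT_FIELDS = {"bytes-down", "bytes-up", "rate-down", "rate-up"}
BOOL_FIELDS = {"blocked", "disabled", "dynamic", "inactive", "limited"}
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_kid_control_line(line: str) -> Dict[str, Any]:
    """Turn one 'key=value;key=value' line into a typed record.

    Each pair is split on its first '=' only, so values that contain ':'
    (idle-time, mac-address) survive intact. An empty value (user=) becomes
    None; malformed pairs and bad booleans raise instead of being guessed.
    """
    record: Dict[str, Any] = {}
    for pair in line.strip().split(";"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed pair (no '='): {pair!r}")
        if value == "":
            record[key] = None
        elif key in INT_FIELDS:
            record[key] = int(value)
        elif key in BOOL_FIELDS:
            if value not in ("true", "false"):
                raise ValueError(f"{key}: expected true/false, got {value!r}")
            record[key] = value == "true"
        else:
            record[key] = value
    mac = record.get("mac-address")
    if mac is not None and not MAC_RE.match(mac):
        raise ValueError(f"bad mac-address {mac!r}")
    return record


def idle_seconds(idle_time: str) -> int:
    """Convert RouterOS HH:MM:SS to seconds.

    Assumption: an idle time of a day or more is written with a leading
    day count, e.g. 1d00:00:01.
    """
    days = 0
    if "d" in idle_time:
        day_part, idle_time = idle_time.split("d", 1)
        days = int(day_part)
    hours, minutes, seconds = (int(x) for x in idle_time.split(":"))
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def summarize(line: str) -> Dict[str, Any]:
    """Pick the fields a per-device traffic dashboard would chart."""
    rec = parse_kid_control_line(line)
    return {
        "host_name": rec.get("name"),
        "ip": rec.get("ip-address"),
        "mac": rec.get("mac-address"),
        "total_bytes": rec["bytes-down"] + rec["bytes-up"],
        "idle_seconds": idle_seconds(rec["idle-time"]),
        "dynamic": rec["dynamic"],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_KID_CONTROL_LINE))
```

Running it on the sample line gives a record whose total_bytes is bytes-down plus bytes-up and whose empty user field is None; a line with a malformed pair or a non-boolean in a boolean field raises rather than silently producing a bad row.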
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Thu May 12, 2022 10:56 pm

Hi Guys,

An interesting discussion is going on here. I have been looking for this type of solution for a while. However, I have a few questions for @jotne

1. Can a report be generated for the individual device?

2. Can the script log the address list so I can perform an audit on affected IPs.

3. I don't understand your naming convention...are you referring to the comment given to the rules?

4. What is the minimum requirement for Splunk, and can any of the AWS t2 micro or nano be sufficient?

I look forward to your reply.

Regards
Mikrotik Certified Trainer Partner, MTCNA, MTCTCE, MTCWE, MTCRE. YIM: oseniabiola Skye: habholler1, Tel.+2348060319130, +2348182556717, Email: abiola@trisatcom.net
 
jvanhambelgium
Long time Member
Posts: 677
Joined: Thu Jul 14, 2016 9:29 pm
Location: Belgium

Fri May 13, 2022 12:04 am

1. Can a report be generated for the individual device?

Sure, in the dashboard there is a "Host" selector if you have multiple Mikrotiks


2. Can the script log the address list so I can perform an audit on affected IPs.

"Log the address list"? In the dashboard you'll see the IP address of the device generating the traffic. So yes, you can trace it back.


3. I don't understand your naming convention...are you referring to the comment given to the rules?

You can name the FW rules how you want, but he gives a proposal that could be interesting.
I run completely different naming and this works fine, just make sure you do not exceed 20 characters.


4. What is the minimum requirement for Splunk, and can any of the AWS t2 micro or nano be sufficient?

Hmm, these are *very* lightweight ... t2 micro = 1 vCPU and 1 GByte RAM and a t2 nano = 1 vCPU and 512 MBytes RAM
That's gonna be a problem I think. I run Splunk on a VM (on my Synology NAS) with 1 vCPU and 4 GBytes RAM and it is quite slow, and it collects data from only 1 MikroTik.
Good enough for "hobby", but if I compare it to the performance of the Splunk systems I have access to professionally it's a bit of a joke ;-)
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Fri May 13, 2022 8:18 am


1. Can a report be generated for the individual device?
Yes
2. Can the script log the address list so I can perform an audit on affected IPs.
Yes
3. I don't understand your naming convention...are you referring to the comment given to the rules?
Yes, it's the naming of filter/NAT rules, to make it easier to see what is what in the graphical view.
4. What is the minimum requirement for Splunk, and can any of the AWS t2 micro or nano be sufficient?
Not sure, but it depends on the amount logged each day and how often you search the data.
Running at the 500MB/day limit (lots of stuff logged) does run fine on an older Linux PC (16GB RAM).
Using SSD as storage speeds up the dashboard view.

If some function is missing, Splunk is very flexible and you can add almost anything you like.
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Fri May 13, 2022 11:45 am

HI Guys,

Thank you for the brilliant response. I am a product manager and security expert. I love to deploy MikroTik firewall and bandwidth management in corporate or enterprise environments. In most cases, some of our customers have replaced their Cisco ASA with our customized MikroTik Security Boxes. However, one of the issues we keep having is a customized logging system for reporting, be it for regulatory compliance reasons or internal policies.

Splunk appears to be software with such flexibility. I would like to work with someone with experience on how to customize Splunk to suit the range of reporting required by our customers. One such case is having address-lists in Splunk. We have various address-lists with captured src or dst addresses that violate certain policies, and the administrator may want to do a drill-down.

e.g. if we have a policy to capture the src IP of those using VPN to bypass content filtering, the admin will want to know the users and be able to take the necessary actions to forestall such action. The MikroTik firewall can capture such IPs in an address-list for future evaluation in Splunk.

Also, does Splunk provide domain names of destination hosts when generating reports?

I look forward to your usual brilliant contribution

Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Fri May 13, 2022 1:40 pm

Splunk can do all you ask about and more. Nearly unlimited possibilities. It does cost a lot of money if you put it into a large-scale company, but it may be the best and most flexible solution out there.

For your IP address list, you can have them in a CSV file that Splunk uses. This file can be updated automatically if needed.
You can then make alerts or reports that check the logged data against this table and send alerts or make graphs.

Domain names are normally part of your DNS solution, so you can just make Splunk do a lookup at your DNS servers for the domain name,
or you can add it as an identity on the router itself and make Splunk read it from there.

To use Splunk, you need to get data into it (File/Agents/Syslog/HTTP requests/Scripts +++++), then the next step is to graph it.
This can be an application you download (free or paid) or you can make dashboards yourself.

In my organisation I am in charge of logging and using Splunk to handle it. We do get 1TB+ of data a day from 3-4000 servers, 1000+ switches/routers ++++++++. This shows a basic overview of our Splunk design (50+ Splunk dedicated servers).
[attachment: splunk.png]
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Fri May 13, 2022 2:23 pm

Wow!

I looked up your profile to see if I could DM you. Mine is holler4eva@gmail.com. Let's take this further.

Regards

Abiola

bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Sun May 15, 2022 1:34 pm

Hi Guys,

I have been able to launch an EC2 instance (on the free tier for testing purposes) on AWS and installed Splunk successfully. However, I am having issues with the rsyslog section of the installation process. See my questions below:

Where is the /etc/rsyslog directory? In the root user account or splunk (/opt/splunk)? I couldn't locate it.

Where should the new syslog directory be created? Root user account or splunk?

Regards

Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sun May 15, 2022 2:18 pm

I tried to send you an email, but it did not get delivered, so I tried once more just now.

I use Ubuntu, and there all rsyslog config is installed by default in the folder /etc/rsyslog.d/ and as user root.
In the config there are settings that point to where to store the syslog data: udp.conf points to the folder /data/syslog/udp/ .

So rsyslog runs as root and Splunk runs as the Splunk user.
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Sun May 15, 2022 3:25 pm

HI,

I just replied to your email. BTW, thank you for the clarification. I am already on it. I will revert in case of any issue.

Thank you

Regards

bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Sun May 15, 2022 4:24 pm

I am getting an error from the Splunk web interface...

The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch. What does this mean?

I am using AWS t2micro. It comes with 8GB storage

bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Sun May 15, 2022 4:51 pm

I am having an error adding UDP/514 to Data Inputs in Splunk. See attached.

Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Sun May 15, 2022 7:03 pm

Ahh, if you use rsyslog, it uses UDP port 514, so you cannot add it to Splunk. Only one app can use a given port. And since you need to be root to use port 514 (<1024), the app needs to run as root. And since it's not recommended to run Splunk as root, I let rsyslog get the data by listening on port 514.
Splunk gets the log data from rsyslog by reading (following) the folder
/data/syslog/udp/*
In the file
splunk/etc/system/local/inputs.conf
there is a section that collects the rsyslog data.
[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment = 4
Or you can see it here:
Settings->Data Input->Files & Directories
Path: /data/syslog/udp/.../*.log | Host: Segment | Source type: rsyslog | Index: default | Number of files: 11711 | App: system | Status: Enabled
Since this number (11711) does increase, it shows that it reads new data.
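Added example (not part of the original posts or of the Splunk app): a Python sketch of what Splunk does with one line from the rsyslog tree described in this post, combining the host_segment = 4 stanza above with the two SEDCMD lines from the props.conf quick fix earlier in the thread. The sample path and the two log lines are constructed. The exact prefix that the guide's udp.conf template writes is not shown in this part of the thread, so the "ISO timestamp, sender IP, <PRI>" layout is an assumption chosen to match what the SEDCMD-clean_header regex expects; the facility/severity split and the topic split are standard syslog and RouterOS conventions.

```python
import re
from typing import Dict, List, Optional, Tuple

# The two SEDCMD patterns from the props.conf quick fix, as Python regexes.
CLEAN_HEADER = re.compile(r"\d{4}-\d\d-\d\d.*?<\d+>")   # SEDCMD-clean_header
CLEAN_END = re.compile(r"#015$")                         # SEDCMD-clean_end
PRI_RE = re.compile(r"<(\d+)>")

# Constructed sample file path and lines (not real traffic). The prefix layout
# "ISO timestamp, sender IP, <PRI>" is an assumption about the udp.conf
# template; '#015' is how rsyslog escapes the trailing CR RouterOS sends.
SAMPLE_PATH = "/data/syslog/udp/192.0.2.1/20220516-08.log"
SAMPLE_LINES = [
    "2022-05-16T08:01:02+00:00 192.0.2.1 <134>firewall,info input: in:ether1 "
    "out:(unknown 0), proto TCP (SYN), 198.51.100.7:51234->192.0.2.1:22, len 60#015",
    "2022-05-16T08:01:03+00:00 192.0.2.1 <30>system,info,account user admin "
    "logged in from 192.168.88.2 via winbox#015",
]


def host_from_path(path: str, host_segment: int) -> str:
    """Mimic inputs.conf host_segment: the Nth '/'-separated path segment (1-based)."""
    segments = path.strip("/").split("/")
    if not 1 <= host_segment <= len(segments):
        raise ValueError(f"host_segment {host_segment} out of range for {path!r}")
    return segments[host_segment - 1]


def syslog_pri(raw: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from the <PRI> field, or None if absent."""
    m = PRI_RE.search(raw)
    if m is None:
        return None
    pri = int(m.group(1))
    return pri >> 3, pri & 7


def clean_event(raw: str) -> str:
    """Apply the two SEDCMDs: strip the rsyslog prefix up to <PRI>, then the '#015' tail.

    A line that carries no such prefix is returned unchanged, which is what
    the sed substitutions do as well.
    """
    event = CLEAN_HEADER.sub("", raw, count=1)
    return CLEAN_END.sub("", event)


def split_topics(event: str) -> Tuple[List[str], str]:
    """RouterOS prefixes each message with its comma-separated log topics."""
    topics, _, message = event.partition(" ")
    return topics.split(","), message


def ingest(path: str, raw: str, host_segment: int = 4) -> Dict[str, object]:
    """One monitored line -> the fields the MikroTik dashboards key on."""
    event = clean_event(raw)
    topics, message = split_topics(event)
    return {
        "host": host_from_path(path, host_segment),
        "pri": syslog_pri(raw),
        "topics": topics,
        "message": message,
        "event": event,
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(ingest(SAMPLE_PATH, line))
```

With host_segment = 4 the router's IP directory becomes the Splunk host, which is why the per-source directory layout matters: pick the wrong segment and every router collapses into one host. The cleaned event starts at the RouterOS topic list ("firewall,info ..."), so the app's field extractions see the same text the router would show in its own log.
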
 
 
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Sun May 15, 2022 9:48 pm

I followed your instructions based on steps 1b and 1f.

I installed Splunk as non-root and deployed rsyslog.

1f required we specify dns/514 for syslog as the sourcetype.

Are you trying to say 1f is not required?

Please reply
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Sun May 15, 2022 11:08 pm

Updated section 1f to make clear you cannot use UDP/514 in Splunk if Splunk is not run as root. You then need an external rsyslog server.
 
 
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 4:36 pm

Hey Guys,

I need your help. My dashboard isn't reading data despite my router continuing to log data to Splunk.

When I issued the command sudo vim /data/syslog/udp/41.X.X.193 (where 41.X.X.193 is my router's IP), I got the output below:

" ============================================================================
" Netrw Directory Listing (netrw v165)
" /data/syslog/udp/41.X.X.193
" Sorted by name
" Sort sequence: [\/]$,\<core\%(\.\d\+\)\=\>,\.h$,\.c$,\.cpp$,\~\=\*$,*,\.o$,\.obj$,\.info$,\.swp$,\.bak$,\~$
" Quick Help: <F1>:help -:go up dir D:delete R:rename s:sort-by x:special
" ==============================================================================
../
./
20220515-15.log
20220515-16.log
20220515-17.log
20220515-18.log
20220515-19.log
20220515-20.log
20220515-21.log
20220515-22.log
20220515-23.log
20220516-00.log
20220516-01.log
20220516-02.log
20220516-03.log
20220516-04.log
20220516-05.log
20220516-06.log
20220516-07.log
20220516-08.log
20220516-09.log
20220516-10.log
20220516-11.log
20220516-12.log
20220516-13.log

I believe this is a piece of evidence that my MikroTik is logging data to Splunk. If yes, what could be the possible reason the dashboard is empty?

Kindly assist with your brilliant suggestions.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 5:31 pm

What's in those files? Paste some lines. See section 3b Debugging.

If the syslog folder has data, it could be one of two things:
Not using the MikroTik tag (capital M and capital T)
Splunk not reading the data.

What does searching for
index=*
give?
 
 
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 7:10 pm

What's in those files? Paste some lines. See section 3b Debugging.

If the syslog folder has data, it could be one of two things:
Not using the MikroTik tag (capital M and capital T)
Splunk not reading the data.

What does searching for
index=*
give?
See the lines from the syslog file:
2022-05-16T16:00:00.259726+00:00 <13>firewall,info MikroTik: AT_Accpt_Https Allowed Traffic: in:BV-Br out:ether2-WAN, src-mac d8:b0:53:1b:97:a6, proto TCP (SYN), 192.168.10.81:50032->216.58.223.202:443, len 60
2022-05-16T16:00:00.259989+00:00 <13>firewall,info MikroTik: SrcNat_Masq srcnat: in:(unknown 0) out:ether2-WAN, src-mac d8:b0:53:1b:97:a6, proto TCP (SYN), 192.168.10.81:50032->216.58.223.202:443, len 60
2022-05-16T16:00:00.260448+00:00 <13>firewall,info MikroTik: RS_Drop_Youtube Restricted Site: in:BV-Br out:ether2-WAN, src-mac d8:b0:53:1b:97:a6, proto TCP (ACK,PSH), 192.168.10.81:50032->216.58.223.202:443, NAT (192.168.10.81:50032->41.X.X.193:50032)->216.58.223.202:443, len 569

About index=*, see below:
ubuntu@ip-172-31-28-110:~$ index=*
ubuntu@ip-172-31-28-110:~$ index=* | table _time sourcetype _raw

Command 'table' not found, did you mean:

command 'ptable' from deb xcrysden (1.6.2-3build1)
command 'tabble' from deb tabble (0.43-3)

Try: sudo apt install <deb name>

ubuntu@ip-172-31-28-110:~$

About caps for M & T, it is confirmed OK.

I am suspecting the rights of Splunk. Or what do you think?
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 7:22 pm

It seems that the rsyslog data looks fine.
But to get the firewall data into the firewall dashboard correctly, you should name the rules as in section 2c.

In Splunk go to this setting:
Settings->Data Input->Files & Directories
Do you see a line starting with
/data/syslog/udp/.../*.log
?

This command
index=* | table _time sourcetype _raw
should be run in the Splunk search window, not on the Linux command line.
 
 
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 8:02 pm

It seems that the rsyslog data looks fine.
But to get the firewall data into the firewall dashboard correctly, you should name the rules as in section 2c.

In Splunk go to this setting:
Settings->Data Input->Files & Directories
Do you see a line starting with
/data/syslog/udp/.../*.log
?

No, there is no line like that.

This command
index=* | table _time sourcetype _raw
should be run in the Splunk search window, not on the Linux command line.
I ran the command; it did not return any result.
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 8:17 pm

Then you have skipped this part in the rsyslog setup:

To make Splunk read rsyslog data, make this file: %SplunkHome%/etc/system/local/inputs.conf
[monitor:///data/syslog/udp/.../*.log]
sourcetype = rsyslog
host_segment=4

[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment=4
NB Splunk needs to restart to read the new config file.

It's important to follow all steps and read all information, line by line.
Last edited by Jotne on Mon May 16, 2022 11:16 pm, edited 1 time in total.
 
 
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 8:29 pm

Then you have skipped this part in the rsyslog setup:

To make Splunk read rsyslog data, make this file: %SplunkHome%/etc/system/local/input.conf
[monitor:///data/syslog/udp/.../*.log]
sourcetype = rsyslog
host_segment=4

[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment=4
NB Splunk needs to restart to read the new config file.

It's important to follow all steps and read all information, line by line.
splunk@ip-172-31-28-110:~$ cat /opt/splunk/etc/system/local/input.conf
[monitor:///data/syslog/udp/.../*.log]
sourcetype = rsyslog
host_segment=4

[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment=4
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 8:54 pm

In the folder (in Linux)
/opt/splunk/bin
run
./splunk btool inputs list | grep udp
You should see:
[monitor:///data/syslog/udp/.../*.log]
[udp]
 
 
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 9:25 pm

In the folder (in Linux)
/opt/splunk/bin
run
./splunk btool inputs list | grep udp
You should see:
[monitor:///data/syslog/udp/.../*.log]
[udp]
Only saw [udp].

[monitor:///data/syslog/udp/.../*.log] isn't there.

Oops
 
Jotne
Forum Guru
Topic Author
Posts: 2831
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: 📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻

Mon May 16, 2022 9:39 pm

Then Splunk does not see the file
/opt/splunk/etc/system/local/inputs.conf
It can be a permission setting, if it's there.
If I run Splunk as a non-root user, e.g. as a splunk user, I make sure all files under /opt/splunk have the same rights.
 
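A small check script for the three things this thread ends up debugging: the inputs.conf file name (a file called input.conf is ignored), the capitalised "MikroTik:" syslog tag, and whether the non-root Splunk user can read the rsyslog files. This is an added example, not Jotne's code or part of the Splunk app; the /opt/splunk and /data/syslog defaults follow the posts above, while the SPLUNK_HOME/SYSLOG_DIR overrides and the function names are my own.

```shell
#!/bin/sh
# Check script for the rsyslog -> Splunk file-monitor setup discussed in this thread.
# Added example, not from the original posts or the Splunk app. Defaults follow the
# thread; the override variables below are an assumption of this example.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SYSLOG_DIR="${SYSLOG_DIR:-/data/syslog}"

# Splunk only reads inputs.conf; a file named input.conf is silently ignored.
# Prints ok / misnamed / missing for the given etc/system/local directory.
check_inputs_conf() {
    if [ -f "$1/inputs.conf" ] && grep -q '^\[monitor:///data/syslog/udp/' "$1/inputs.conf"; then
        echo ok
    elif [ -f "$1/input.conf" ]; then
        echo misnamed
    else
        echo missing
    fi
}

# Count lines carrying the "MikroTik: " tag (capital M and T). Lines without it
# reach the index but never feed the dashboards.
count_tagged() {
    grep -c 'MikroTik: ' "$1" || true
}

# Count *.log files under <dir>/<host>/ that the current user cannot read.
# Run it as the user Splunk runs as (for example via su - splunk) to spot rights problems.
count_unreadable_logs() {
    n=0
    for f in "$1"/*/*.log; do
        [ -e "$f" ] || continue
        [ -r "$f" ] || n=$((n + 1))
    done
    echo "$n"
}

# Write a constructed sample log to $1: two lines taken from the thread above plus one
# deliberately untagged line (lower-case t), so the tag check has something to miss.
write_sample_log() {
    cat > "$1" <<'EOF'
2022-05-16T16:00:00.259726+00:00 <13>firewall,info MikroTik: AT_Accpt_Https Allowed Traffic: in:BV-Br out:ether2-WAN, src-mac d8:b0:53:1b:97:a6, proto TCP (SYN), 192.168.10.81:50032->216.58.223.202:443, len 60
2022-05-16T16:00:00.260448+00:00 <13>firewall,info MikroTik: RS_Drop_Youtube Restricted Site: in:BV-Br out:ether2-WAN, src-mac d8:b0:53:1b:97:a6, proto TCP (ACK,PSH), 192.168.10.81:50032->216.58.223.202:443, len 569
2022-05-16T16:00:01.000000+00:00 <13>firewall,info Mikrotik: constructed untagged line
EOF
}

# Show the monitor stanzas as the running Splunk merges them (the btool step from the thread).
show_effective_monitors() {
    "$SPLUNK_HOME/bin/splunk" btool inputs list | grep '^\[monitor:///data/syslog/'
}
```

Source the file and call check_inputs_conf "$SPLUNK_HOME/etc/system/local", count_tagged on one of the hourly files, and count_unreadable_logs "$SYSLOG_DIR/udp" as the splunk user; any of misnamed, 0 or a non-zero unreadable count points at one of the three causes discussed above.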
 
