📌 Tool: Using Splunk to analyse MikroTik logs 3.6 (Graphing everything) 💾 🛠 💻 📊

Jotne · Tue Nov 02, 2021 11:50 am

Version 3.6 05.05.2022

Top_logo.jpg

Using Splunk to monitor and graph various data from our MikroTik Routers is a nice and free way to help you showing what is going on in your network.
Splunk is free to use for logging up to 500MB pr day.
You can request a 10GB/day developer license here: https://dev.splunk.com/enterprise/dev_license/

NB logging large amount of Accouning, DNS or firewall rules quickly eats up license, so I do recommend to turn off Accouning/DNS logging to start with.

Splunk can be used to monitor multiple devices. No ports needs to be opened (like with SNMP monitoring). All data are sent from the device to the Splunk monitor (using sctipt and syslog). Devices could be all around the world.

PS:
Traffic monitoring does not work correctly while fast track is enabled (and its removed in v7.x of RouterOS. Changed to Kid control). Turn fast track off and you may loose throughput, so its something you should consider when using this type of monitoring. How to disable fast track: https://www.youtube.com/watch?v=6LaqhDm6PHI

latest changes
# 3.6 (05.05.2022)
# NB Delete old app (copy custom made config) before install v3.6
# Change data to store in Mikrotik index, instead of default index
# Change how rsyslog handles data. Did fail if there was more than one type of input
# Updeted script in "MikroTik DHCP to Static"
# Uses new Index, important to look at macros.conf and set correct index.
# Added colors to "MikroTik Admin user login"

Installation
On your PC
1) Works on Windows and Linux, but use Linux (clearly the best choice and also used in all post here)
-----------------------------------
1a) Download and install Splunk (Windows or Linux(Ubuntu recommended))
PS you need an account to download. It's free to create.
https://www.splunk.com/en_us/download/s ... prise.html
PS you need to create an account to download the file. Free to download and use (up to 500MB/day)
PS remember to set timezone on Windows/Linux, or else logging time will be wrong.

1b) PS: To install Splunk as a non root user, recommended. (needs an external syslog reciver)
Splunk setup:
viewtopic.php?t=179960#p888802
rsyslog setup
viewtopic.php?t=179960#p888803

Splunk can run as root user, but not recommended.

1c) Change to free license group. Very important to do before 30 day of use. !!!!!!!!!!!!!!!!!!!!
Web gui:
1d) Settings->licensing->Change license group->Free licnse->Save

1e) Open Windows Firewall for UDP on Windows (On linux its not blocked)
Web gui:
Start->type "adv"->Select:Widows Firewall with Advanced Security->Sect Inbound rules->Right Click "Inbound Rules">New Rule-Port-Next->UDP->Specific local ports->514->Next->Next->Next->Name "syslog"

1f) Allow UDP 514 (syslog), only if you run Splunk as root and not using rsyslog server. (rsyslog can be used when splunk runs as root or as non-root user.)
If running Splunk as non ROOT user or like to use external syslog reciever, see 1b for non-root)
Web gui:
Setting->Datainputs->Add new (behind the UDP)->Port 514->Next->Sourcetype type syslog and select syslog->Next-Submit

1g) Download the Splunk spl file:

MikroTik3.6.rar

1h) Extract the spl file
From Start page in Splunk, click the gear behind Apps or
from top meny click Apps->Manage Apps
Then select Install app from file and select the spl file

1i) A restart of Splunk may be needed.
Web gui:
Settings->Server controls->Restart Splunk

1j) Upgrade form previous version.
Some time files are renamed, so if you have not change any original files, just delete the MikroTik folder.
No logged data will be deleted.
If you have custom dashboards, menus, saved search (reports) etc, you need to merge the configuration files.
They are normal stored in "local" folder.

2) On Your MikroTik Router
-----------------------------
Before you setup logging, you should make an unique identifier of your route. Important if you have more than one router to monitor.

/system identity set name=Router-London-22

2a) Syslog
You need to make your Router able to send Syslog messages.
Web gui:
System->Logging->Action->Add New->Name (your server name)->Type:Remote->Remote Address:ip your syslog->Ok
Cli

/system logging action add name=logserver target=remote remote=192.168.1.50 remote-port=514

PS Do NOT select BSD Syslog. It will mess up the logging format.

2b) Then select what modules to log.
I do suggest that you send all DHCP logs including debug and all other logs that are not debug.
It is very important to name the prefix like this "MikroTik" and not "mikrotik" or some other.
Splunk uses the MikroTik prefix to find out what type of syslog data that is coming to it.
Uppercase T and uppercase M, rest are lowercase
Web gui:

System->Logging->Rules->Add new->Topics:dhcp->Prefix:MikroTik->action:your syslog server->Ok
System->Logging->Rules->Add new->Topics:!debug,!packet,!snmp->Prefix:MikroTik->action:your syslog server->Ok

Cli:

/system logging add action=logserver prefix=MikroTik topics=dhcp
/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp
/system logging add action=logserver prefix=MikroTik topics=hotspot

To not fill up internal logs with firwall logs etc, remove firewall from memory logs

/system logging set [find topics="info"] topics=info,!firewall

PS Hotspot is not needed if you do not use it.

2c) Select what rules to log
NB Do not use more than 20 charters, or else it start to clip other part of the log!!!!!!!!!!!
To log the Firewall and Nat rules, you need to turn on logging and add Log Prefix (under action).
Do not log more than needed. Logging rules like defconf: accept established,related rules will flod your log,
Below is a sample on how to name the log rules. You do not need to follow this rule, but it makes it more uniform.

Rule name logging
==================

Format:
x_y_z

x=<where and direction>
y=<what to do>
z=<name/info>

Example
-------
Filter Rule Forard allow HTTP
FF_A_Http

Filter Route Input Drop ICMP
FI_D_Icmp

Nat HTTP
ND_DE_Http

Mangle Mark HTTP packets
MF_MP_Http


Filter Rule
------------------
x=
FF Filter Forward
FI Filter Input
FO Filter Output
FX Filter Custom list

y=
A  Accept
AD Add to dst address list
AS Add to src address list
D  Dropp
F  Fast track
J  Jump
L  Log
P  Passthrough
RJ Reject
RT Return
T  Tarpit

Nat Rule
------------------
x=
ND Dest nat
NS Source nat

y=
A  Accept
AD Add to dst address list
AS Add to src address list
DE Dst-nat
J  Jump
L  Log
M  Masquerade
N  Netmap
P  Passthrough
RE Redirect
RT Return
SA same
S  Src-nat

Raw
------------------
x=
RP Filter Raw Prerouting
RO Filter Raw Output

y=
A  Accept
AD Add to dst address list
AS Add to src address list
F  Fast track
D  Dropp
J  Jump
L  Log
N  No track
P  Passthrough
RT Return

Mangle
------------------
x=
MF Mangle Forward
MI Mangle Input
MP Mangle Postrouing
MR Mangle Prerouting

y=
A  Accept
AD Add to address list
AS Add to dst address list
CD Change DSCP
CM Change MSS
CT Change TTL
CL Clear DF
F  Fast track
J  Jump
L  Log
MC Marc connection
MP Mark packets
MR Mark routing
P  Passthrough
RT Return
RO Route
S  Set proirity
SP Sniff PC
ST Sniff TZSP
SI Strip IPv4 options

2d) You should at least log this rule "defconf: drop all not coming from LAN" with this prefix: FI_D_port-test
Web gui:
IP->Firewall->selec:defconf: drop all not coming from LAN->Log:v->Log Prefix:FI_D_port-test
This will populate the MikroTik Live attack view.

2e) Accounting (new version in 3.5)
To get accounting data, you need to turn on Kid Control on the MikroTik router. (MikroTik Traffic dashboard)
Cli:

/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=0s-1d

2f) Main Collector Script
To get all the other data like Traffic accounting, uPnP, System health, System resources and DHCP pool information you need this script on the MikroTik. Create this script with name Data_to_Splunk_using_Syslog and cut and past code using gui.
In the top of the script, you can set a module to true/false. If you do not use wifi, set :local Wireless false



# Collect information from Mikrotik RouterOS
# Jotne 2021
:log info message="script=version ver=4.8"
# ----------------------------------


# What data to collect.  Set to false to skip the section 
# ----------------------------------
:local SystemResource true
:local SystemInformation true
:local SystemHealth true
:local TrafficData true
:local AccuntData true
:local uPnP true
:local Wireless true
:local AddressLists true
:local DHCP true
:local Neighbor true
:local InterfaceData true
:local CmdHistory true
:local CAPsMANN false


# Collect system resource
# ----------------------------------
:if ($SystemResource) do={
	/system resource
	:local cpuload [get cpu-load]
	:local freemem ([get free-memory]/1048576)
	:local totmem ([get total-memory]/1048576)
	:local freehddspace ([get free-hdd-space]/1048576)
	:local totalhddspace ([get total-hdd-space]/1048576)
	:local up [get uptime]
	:local sector [get write-sect-total]
	:log info message="script=resource free_memory=$freemem MB total_memory=$totmem MB free_hdd_space=$freehddspace MB total_hdd_space=$totalhddspace MB cpu_load=$cpuload uptime=$up write-sect-total=$sector"
}


# Make some part only run every hours
# ----------------------------------
:global Hour
:local run false
:local hour [:pick [/system clock get time] 0 2]
:if ($Hour != $hour) do={
	:global Hour $hour
	:set run true
}


# Get NTP status
# ----------------------------------
:local ntpstatus ""
:if ([:len [/system package find where !disabled and name=ntp]] > 0 or [:tonum [:pick [/system resource get version] 0 1]] > 6) do={
    :set ntpstatus [/system ntp client get status]
} else={
    :if ([:typeof [/system ntp client get last-update-from]] = "nil") do={
        :set ntpstatus "using-local-clock"
    } else={
        :set ntpstatus "synchronized"
    }
}
:log info message="script=ntp status=$ntpstatus" 


# Get interface traffic data for all interface
# ----------------------------------
:if ($TrafficData) do={
	:foreach id in=[/interface find] do={
		:local output "$[/interface print stats as-value where .id=$id]"
		:set ( "$output"->"script" ) "if_traffic"
		:log info message="$output"
	}
}


# Get traffic data v2 (Kid Control)
# ----------------------------------
:if ($AccuntData) do={
	:foreach logline in=[/ip kid-control device find] do={
		:local output "$[/ip kid-control device get $logline]"
		:set ( "$output"->"script" ) "kids"
		:log info message="$output"
	}
}


# Finding dynmaic lines used in uPnP
# ----------------------------------
:if ($uPnP) do={
	:foreach logline in=[/ip firewall nat find where dynamic=yes and comment~"^upnp "] do={
		:local output "$[/ip firewall nat print as-value from=$logline]"
		:set ( "$output"->"script" ) "upnp"
		:log info message="$output" 
	}
}


# Collect system information
# ----------------------------------
:local model na
:local serial na
:local ffirmware na
:local cfirmware na
:local ufirmware na
:if ($SystemInformation and $run) do={
	:local version ([/system resource get version])
	:local board ([/system resource get board-name])
	:if ($board!="CHR") do={
		/system routerboard
		:set model ([get model])
		:set serial ([get serial-number])
		:set ffirmware ([get factory-firmware])
		:set cfirmware ([get current-firmware])
		:set ufirmware ([get upgrade-firmware])
	}
	:local identity ([/system identity get name])
	:log info message="script=sysinfo version=\"$version\" board-name=\"$board\" model=\"$model\" serial=$serial identity=\"$identity\" factory-firmware=\"$ffirmware\" current-firmware=\"$cfirmware\" upgrade-firmware=\"$ufirmware\""
}


# Collect system health
# ----------------------------------
:if ($SystemHealth) do={
	:do {
		# New version
		:foreach id in=[/system health find] do={
			:local health "$[/system health get $id]"
			:set ( "$health"->"script" ) "health"
			:log info message="$health"
		}
	} on-error={
		# Old version
		:if (!([/system health get]~"(state=disabled|^\$)")) do={
			:local health "$[/system health get]"
			:set ( "$health"->"script" ) "health"
			:log info message="$health"
		}
	}
}


# Sends wireless client data to log server 
# ----------------------------------
:if ($Wireless && [:len [/int find where type=wlan]]>0) do={
	/interface wireless registration-table
	:foreach i in=[find] do={
		:log info message=".id=$i;ap=$([get $i ap]);interface=$([get $i interface]);mac-address=$([get $i mac-address]);signal-strength=$([get $i signal-strength]);tx-rate=$([get $i tx-rate]);uptime=$([get $i uptime]);script=wifi"
	}
}


# Count IP in address-lists
#----------------------------------
:if ($AddressLists) do={
	:local array [ :toarray "" ]
	:local addrcntdyn [:toarray ""] 
	:local addrcntstat [:toarray ""] 
	:local test
	:foreach id in=[/ip firewall address-list find] do={
		:local rec [/ip firewall address-list get $id]
		:local listname ($rec->"list")
		:local listdynamic ($rec->"dynamic")
		:if (!($array ~ $listname)) do={ :set array ($array , $listname) }
		:if ($listdynamic = true) do={
			:set ($addrcntdyn->$listname) ($addrcntdyn->$listname+1)
		} else={
			:set ($addrcntstat->$listname) ($addrcntstat->$listname+1)}
	}
	:foreach k in=$array do={
		:log info message=("script=address_lists list=$k dynamic=".(($addrcntdyn->$k)+0)." static=".(($addrcntstat->$k)+0))}
}


# Get MNDP (CDP) Neighbors
# ----------------------------------
:if ($Neighbor and $run) do={
	:foreach neighborID in=[/ip neighbor find] do={
		:local nb [/ip neighbor get $neighborID]
		:local id [:pick ("$nb"->".id") 1 99]
		:foreach key,value in=$nb do={
			:local newline [:find $value "\n"]
			:if ([$newline]>0) do={
				:set value [:pick $value 0 $newline]
			}
			:log info message="script=neighbor nid=$id $key=\"$value\""
		}
	}
}


# Collect DHCP Pool information
# ----------------------------------
:if ($DHCP and $run) do={
	/ip pool {
		:local poolname
		:local pooladdresses
		:local poolused
		:local minaddress
		:local maxaddress
		:local findindex

# Iterate through IP Pools
		:foreach pool in=[find] do={
			:set poolname [get $pool name]
			:set pooladdresses 0
			:set poolused 0

# Iterate through current pool's IP ranges
			:foreach range in=[:toarray [get $pool range]] do={

# Get min and max addresses
				:set findindex [:find [:tostr $range] "-"]
				:if ([:len $findindex] > 0) do={
					:set minaddress [:pick [:tostr $range] 0 $findindex]
					:set maxaddress [:pick [:tostr $range] ($findindex + 1) [:len [:tostr $range]]]
				} else={
					:set minaddress [:tostr $range]
					:set maxaddress [:tostr $range]
				}

# Calculate number of ip in one range
				:set pooladdresses ($maxaddress - $minaddress)

# /foreach range
			}

# Test if pools is used in DHCP or VPN and show leases used
			:local dname [/ip dhcp-server find where address-pool=$poolname]
			:if ([:len $dname] = 0) do={
# No DHCP server found, assume VPN
				:set poolused [:len [used find pool=[:tostr $poolname]]]
			} else={
# DHCP server found, count leases
				:local dname [/ip dhcp-server get [find where address-pool=$poolname] name]
				:set poolused [:len [/ip dhcp-server lease find where server=$dname]]}

# Send data
			:log info message=("script=pool pool=$poolname used=$poolused total=$pooladdresses")

# /foreach pool
		}
# /ip pool
	}
}


# Get detailed command history RouterOS >= v7
# ----------------------------------
:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and $CmdHistory) do={
	:global cmd
	:local f 0
	:foreach i in=[/system history find] do={
		:if ($i = $cmd) do={ :set f 1 }
		:if ($f != 1) do={
			:log info message="StartCMD"
			:log info message=[/system history get $i]
			:log info message="EndCMD"
		}
	}
	:global cmd  [:pick [/system history find] 0]
}


# Test if CAPsMANN is installed, if yes, run capsmann script.
# ----------------------------------
:if ( ([:len [/interface find where type="cap"]] > 0) and $CAPsMANN) do={ /system script run capsman }


# End Script

2g) Then schedule the script to run every 5 minutes:

/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog

3) Starting up
3a) Startup information
Some parts of the scripts runs only every hour, and some jobs in Splunk runs once a day.
So it will take time before all devices er named correctly. To speed things up some, do this:
After running for some hour and you see that data are coming, in Splunk go to:
Apps->Mikrotik->Reports and run both Device table updater and DHCP table updater by clicking on Open In Search behind the app

4) Debugging
4a) See if any data are comming inn to splunk at all. Do a search in Splunk for:

index=*

4b). Test if data has correct tag "MikroTik" (Capital M & T) Do a search in Splunk for:

index=* | table _time sourcetype _raw

You should see correct time, sourcetype should show "mikrotik" and _raw should show data

4c). See that _raw does contain only data and not time and other info. Do a search in Splunk for:

index=* | table  _raw
dns MikroTik: done query: #640030 adservice.google.no 216.58.211.2
dhcp,debug,packet MikroTik:     Client-Id = 01-6C-3B-6B-88-34-3F
firewall,info MikroTik: FI_D_port-test input: in:ether1 out:(unknown 0), src-mac 00:05:00:01:00:01, proto TCP (SYN), 47.118.40.92:52503->92.220.205.91:2376, len 40

If you see date, format of packet from Mikrotik has BDS set or Rsyslog is not setup correctly.

4d). Verify that all files has same user:group (root:root or splunk:splunk if run as non-root user)

4e). Look for error written in file or error in file name. inputs.conf not input.conf

4f). Read trough all steps on how to install if some does not work

4g). License problems.
Not convert license to Free license before 30 days or indexing more than 500MB/day?
The Free license will prevent searching if there are 3 license warnings in a rolling 30 day window. If that happens, Splunk Free continues to index your data but disables search functionality. You will regain search when you are below 3 license violation warnings in a 30 day period. See About license violations.
How to solve this+
1. Convert to free and wait 30 days if you did not convert it.
2. Passing 3 times? Reduce license <500MB and wait 30 days.
3. Reintall Splunk
4. Get a Free 10GB/day developer license ( https://dev.splunk.com/enterprise/dev_license )

4h) Limit inout. Data comes from two sources in Splunk.
1. The log setup. DNS and other stuff. To remove DNS change to

/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp,!dns

2. From the logging script: Data_to_Splunk_using_Syslog
Change true to false each block you like to stop.

4i) 1. You see you get Duplicate Values under host. This may be that you did change name on one device ore have multiple host with same name.
Install Lookup Editor (a Splunk addon app) in Splunk if you do not already have done. Got to Apps -> Lookup Editor, select device_kvstore and open it. Remove the duplicate/old items.

4x). Still problems: ask here

Jotne · Tue Nov 02, 2021 11:50 am

1Mikrotik Firewall.jpg

2DNS Live view.jpg

3Volt_temperature.jpg

4Resources.jpg

Jotne · Tue Nov 02, 2021 11:51 am

Netwatch

This part shows how to use the MikroTik Netwatch dashboard.
Idea with this part are to monitor one or many IP and get a good logging information of up/down time of a watched IP.

Setup.
Lets say you like to monitor a WireGuard VPN tunnel. There are noe traces of up down status for WireGuard in the RouterOS, so using Netwarch to see if remote IP is up or down is a way to see status of it.

Script
System->Scripts->Add script.
Name: Netwatch
Script:

####################################
# Netwatch script
#
# Used as both up and down script
# Created Jotne 2021 v1.5
#
####################################
:local Host $host
/tool netwatch
:local Status [get [find where host="$Host"] status]
:local Comment [get [find where host="$Host"] comment]
:local Interval [get [find where host="$Host"] interval]
:local Since [get [find where host="$Host"] since]
:log info "script=netwatch watch_host=$Host comment=\"$Comment\" status=$Status interval=$Interval since=\"$Since\""

Tools->Netwatch
Add Host ip. For WireGuard, that would be ip on the other side of the tunnel.
Host: 10.0.0.2
Up: Netwatch
Down: Netwatch
Comment: WG-Tunnel-22 (This name is important to set, since this will identify what this Netwatch do watch.)

/tool netwatch
add comment=WG-Tunnel-22 down-script=Netwatch host=10.0.0.2 up-script=Netwatch

You can ass as many netwatch IP as you like. It will take resource from the router, so do not add to many that test to often.
.

Netwatch.jpg

Jotne · Tue Nov 02, 2021 11:51 am

Placeholder p1

Jotne · Tue Nov 02, 2021 11:52 am

How to install Splunk as a non root user.
Its a security risk to run everything as a root user, so if you can, you should use a dedicated user for your program.

This tutorial will show how to install Splunk as a user with name splunk on your Ubuntu server (may work on other as well)

Download latest Splunk Enterprise to you /tmp folder

Create the splunk user:

sudo useradd -c "splunk user" -m -s /bin/bash -U -d /opt/splunk splunk

Log in a the splunk user:

sudo su - splunk

Download Splunk Linux tgz file to /tmp folder

Extract the Splunk software to /opt folder (name of file will change with new version):

tar xvzf /tmp/splunk-8.0.3-a6754d8441bf-Linux-x86_64.tgz -C /opt

Start your Splunk server (accept license agrement and set a password for Spkunk admin user):

~/bin/splunk start

Add a user/password to login to Splunk.

As a root user, make Splunk autostart with user splunk as a startup script:

sudo /opt/splunk/bin/splunk enable boot-start -user splunk

You should now be up and running on port 8000 (can be changed)

http://you-server.ip:8000

Remember to use splunk user whenever you change/add files or do anything else with Splunk from the CLI

sudo su - splunk

PS:
If you run Splunk as a non root user then you can not use UDP/514 as a syslog receiver port in Splunk.
Since all port below 1024 need root permission to work.

Workarounds.
1. Send syslog to other port above 1023, like 1514 for UDP syslog. (need to change many routers to send to correct port)
2. Set up a local syslog server like r-syslog and let Splunk read the r-syslog log files.
viewtopic.php?p=677233#p793342

Jotne · Tue Nov 02, 2021 11:53 am

How to install RSyslog for Linux

If you do use Splunk as a non root (recomended) user, you need an external Syslog server.

This is how to set it up using Ubuntu server. Should work on most version.

rsyslog comes default with Ubuntu so no need to install any extra software.

PS do not modify these file to use other location. If you do so you will need to modify udp.conf rsyslog and inputs.conf splunk for every upgrade.

Copy these two files to /etc/rsyslog.d/

udp.conf (sets up rsyslog to accept Sylog on udp/514)

# rsyslog.d/udp.conf
#
# This receives UDP syslog on port 514 and stores it in a reliable format
# in /data/syslog/udp/:
#
#  - A subdirectory is created for each logging host.
#    The directory name is the source IP address of the received log message.
#    The log filename is made up of date and hour of file creation.
#    A new log file is created for each logging host every hour.
#
#  - Each log message is prefixed with a locally generated timestamp.
#
#  - Then the raw, undecoded text of the incoming syslog message is written.
#    If the message is missing <PRI> then a default <PRI> is prepended.
#    This ensures that both old tyle (RFC-3164) and new style (RFC-5424)
#    syslog messages can be recognised and parsed from the log files without
#    risk of loosing information. The raw messages also include the original
#    host name and time stamp from the sender.
#
#  - Each written log message is guaranteed to end in a single newline
#    character.
#

# Stupidly this is set to "on" in the default rsyslog.conf file
# Do our best to negate the effect.
$RepeatedMsgReduction off

module(load="imudp")


# format
template(name="RawFormat" type="list") {
  property(name="timegenerated" dateformat="rfc3339")
  constant(value=" ")
  constant(value="<")
  property(name="pri")
  constant(value=">")
  property(name="rawmsg-after-pri" droplastlf="on")
  constant(value="\n")
}

# file name
template(name="udp_split_filename" type="list") {
  constant(value="/data/syslog/udp/")
  property(name="fromhost-ip")
  constant(value="/")
  property(name="$year")
  property(name="$month")
  property(name="$day")
  constant(value="-")
  property(name="$hour")
  #property(name="$minute")
  constant(value=".log")
}

# rule set
ruleset(name="udp_split") {
  action(type="omfile"
    template="RawFormat"
    createDirs="on"
    dirCreateMode="0755"
    fileCreateMode="0644"
    dynaFile="udp_split_filename"
  )
}

# setting
input(type="imudp" port="514" ruleset="udp_split")

tcp.conf (sets up rsyslog to accept Syslog on tcp/1514) PS MikroTik only sends UDP syslog, so this part is not needed

# rsyslog.d/tcp.conf
#
# This receives TCP syslog on port 1514 and stores it in a reliable format
# in /data/syslog/tcp/:
#
#  - A subdirectory is created for each logging host.
#    The directory name is the source IP address of the received log message.
#    The log filename is made up of date and hour of file creation.
#    A new log file is created for each logging host every hour.
#
#  - Each log message is prefixed with a locally generated timestamp.
#
#  - Then the raw, undecoded text of the incoming syslog message is written.
#    If the message is missing <PRI> then a default <PRI> is prepended.
#    This ensures that both old tyle (RFC-3164) and new style (RFC-5424)
#    syslog messages can be recognised and parsed from the log files without
#    risk of loosing information. The raw messages also include the original
#    host name and time stamp from the sender.
#
#  - Each written log message is guaranteed to end in a single newline
#    character.
#

# Stupidly this is set to "on" in the default rsyslog.conf file
# Do our best to negate the effect.
$RepeatedMsgReduction off

module(load="imtcp")


# format
template(name="RawFormat" type="list") {
  property(name="timegenerated" dateformat="rfc3339")
  constant(value=" ")
  constant(value="<")
  property(name="pri")
  constant(value=">")
  property(name="rawmsg-after-pri" droplastlf="on")
  constant(value="\n")
}

# file name
template(name="tcp_split_filename" type="list") {
  constant(value="/data/syslog/tcp/")
  property(name="fromhost-ip")
  constant(value="/")
  property(name="$year")
  property(name="$month")
  property(name="$day")
  constant(value="-")
  property(name="$hour")
  #property(name="$minute")
  constant(value=".log")
}

# rule set
ruleset(name="tcp_split") {
  action(type="omfile"
    template="RawFormat"
    createDirs="on"
    dirCreateMode="0755"
    fileCreateMode="0644"
    dynaFile="tcp_split_filename"
  )
}

# settings
input(type="imtcp" port="1514" ruleset="tcp_split")

Create the following folders

mkdir /data
mkdir /data/syslog
mkdir /data/syslog/tcp
mkdir /data/syslog/udp

Change folder rights to syslog and restart rsyslog

chown -R syslog:syslog /data/syslog
service rsyslog restart

run ss or netstat as root user to see that rsylog is running

ss -pultn | grep syslog
udp   UNCONN 0      0                                0.0.0.0:514        0.0.0.0:*     users:(("rsyslogd",pid=5532,fd=8))
udp   UNCONN 0      0                                   [::]:514           [::]:*     users:(("rsyslogd",pid=5532,fd=9))
tcp   LISTEN 0      25                               0.0.0.0:1514       0.0.0.0:*     users:(("rsyslogd",pid=5532,fd=6))
tcp   LISTEN 0      25                                  [::]:1514          [::]:*     users:(("rsyslogd",pid=5532,fd=7))

netstat -pultn | grep rsyslog
tcp        0      0 0.0.0.0:1514            0.0.0.0:*               LISTEN      1459/rsyslogd
tcp6       0      0 :::1514                 :::*                    LISTEN      1459/rsyslogd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1459/rsyslogd
udp6       0      0 :::514                  :::*                                1459/rsyslogd

To make Splunk read rsyslog data make this file: %SplunkHome%/etc/system/local/inputs.conf

[monitor:///data/syslog/udp/.../*.log]
sourcetype = rsyslog
host_segment=4

[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment=4

Test your server:

echo '<14>sourcehost message text' | nc -v -u -w 0 127.0.0.1 514

This should create a folder /data/syslog/udp/127.0.0.1 with a *.log file

Clean UP
Since rsyslog does not delete anything, you need a script that delete old files

Create file /etc/cron.d/rsyslog_cleanup with:

SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

UDPLOGDIR=/data/syslog/udp/.
TCPLOGDIR=/data/syslog/tcp/.

# Age are n+1 days
DELETE_AGE=2

# Every hour, as user syslog, clean out ancient log files
00 * * * *  root /usr/bin/find ${UDPLOGDIR} -mtime +${DELETE_AGE} \( -name \*.log -o -name \*.log.gz \) -print -delete 2>&1
00 * * * *  root /usr/bin/find ${TCPLOGDIR} -mtime +${DELETE_AGE} \( -name \*.log -o -name \*.log.gz \) -print -delete 2>&1

Jotne · Tue Nov 02, 2021 11:55 am

Placeholder P2

Jotne · Tue Nov 02, 2021 11:57 am

Placeholder P3

jvanhambelgium · Tue Nov 02, 2021 12:18 pm

Hi Jotne,
Are you working on / thinking about incorporating Netflow into your app/dashboard design already ? It can be right next to all the existing stuff anyway.
Offcourse there is also the question about the backend ingesting netflow data from Mikrotik device.
Because today I have 2 separate pages with some Netflow pages found on Github, might be interesting to start including it in the general design ?

Jotne · Sat Nov 06, 2021 10:45 pm

Yes I have been thinking about netflow, since MT is removing IP accounting.
Will see how much time I find to do some testing.

IP accounting are sent over Syslog, so no need for extra setup anywhere. Scripts take care of sending data.
Netflow on the other hand, need some server to receive data and an extra port (can not be sent over syslog port).
Netflow server also needs to be stup and communicate with Splunk.
Netflow plugins for Splunk also seems to cost money... https://splunkbase.splunk.com/app/489/
So there will be a more complex solution using Netflow.

jvanhambelgium · Sat Nov 06, 2021 11:17 pm

I'm using the Splunk App for Stream, which is capable of many things including netflow-decoding.
Its free as far as I know, I've been using is more then 1 year, actually never failed on me. But I agree installation + adapting config-file was not click-click-click ready

but certainly not overly complex.

https://splunkbase.splunk.com/app/1809/

-------
Targeted full packet capture to NAS for forensic investigation of raw packets. Aggregate data using familiar SPL aggregation methods to reduce the volume of data indexed. Capture Flow-type records, including NetFlow v5, v9, jFlow, and sFlow, and IPFIX, and send Flow Records directly into your Indexers, with optional filtering and aggregation.
-------

Jotne · Sun Nov 07, 2021 12:27 am

That seems to look better.
Could you give me a quick guide on how to get netflow in on 9995 to Splunk, I could update the app to show the data.

jvanhambelgium · Sun Nov 07, 2021 10:14 am

Ok,
Let's start with some github-references where I downloaded some dashboards. You probably will have to pick & match what you want to include in your own dashboard

https://github.com/JohnnyMirza/Splunk_Netflow
https://github.com/danucalovj/Splunk-Netflow-Analyzer
https://github.com/lucas-alados/netflow ... dashboards

I followed the guides on Splunkbase itself for installing the Stream_TA package, its not that complex.

https://docs.splunk.com/Documentation/S ... dIPFIXdata

Contents of my /opt/splunk/etc/apps/Splunk_TA_stream/default/streamfwd.conf
(not too sure why I added the customs with their flow-id, I think it was during the time I wanted IPFIX to work (which is buggy on 6.x ROS) but v5 works fine.
I agree you miss out on some field, but "the basics" are there.

[streamfwd]
port = 8889
ipAddr = 127.0.0.1

netflowReceiver.0.ip = X.X.X.X (=IP of the sending interface on the Mikrotik)
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

netflowElement.0.enterpriseid = 14988
netflowElement.0.id = 225
netflowElement.0.termid = netflow.postNATSourceIPAddress

netflowElement.1.enterpriseid = 14988
netflowElement.1.id = 226
netflowElement.1.termid = netflow.postNATDestinationIPAddress

netflowElement.2.enterpriseid = 14988
netflowElement.2.id = 227
netflowElement.2.termid = netflow.postNAPTSourceTransportPort

netflowElement.3.enterpriseid = 14988
netflowElement.3.id = 228
netflowElement.3.termid = netflow.postNAPTDestinationTransportPort

And I think that this should be about it. The binary is started also with the rest of Splunk
(I'm running it as root, not the smartest thing to do I guess

(needed to reboot my NAS on October 12 hence te low uptime)

root 1748 1023 0 Oct12 ? 00:00:00 /bin/sh -c /opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd
root 1749 1748 0 Oct12 ? 01:14:27 /opt/splunk/etc/apps/Splunk_TA_stream/linux_x86_64/bin/streamfwd

Hope this helps already a bit...

On the Mikrotik, under IP > Flows I've enabled it, selected all possible field.
I have 1 "target" (=IP of the listener Streams/Splunk) and selected "v5"
That's it...

eddieb · Sun Nov 07, 2021 11:01 am

Hi, I try to upgrade from 3.2 and reading the instructions says :

1j) Upgrade form previous version.
Some time files are renamed, so if you have not change any original files, just delete the MikroTik folder.
No logged data will be deleted.
If you have custom dashboards, menus, saved search (reports) etc, you need to merge the configuration files.
They are normal stored in "local" folder.

HOW do I delete "the MikroTik folder" thru the splunk interface ???
I am running splunk in docker on synology, not that familiar with splunk, it just works here

Jotne · Sun Nov 07, 2021 4:52 pm

HOW do I delete "the MikroTik folder" thru the splunk interface ???

It can not be deleted trough Splunk, you need to delete the folder maualy:
~/etc/apps/MikroTik

Jotne · Sun Nov 07, 2021 9:26 pm

netflowReceiver.0.ip = X.X.X.X (=IP of the sending interface on the Mikrotik)

What if you have many devices sending netflow?
Can you open it so it listen for any IP?

netflowElement.1.enterpriseid = 14988
netflowElement.1.id = 226
netflowElement.1.termid = netflow.postNATDestinationIPAddress

What are these section?

jvanhambelgium · Sun Nov 07, 2021 9:38 pm

netflowReceiver.0.ip = X.X.X.X (=IP of the sending interface on the Mikrotik)
What if you have many devices sending netflow?
Can you open it so it listen for any IP?

netflowElement.1.enterpriseid = 14988
netflowElement.1.id = 226
netflowElement.1.termid = netflow.postNATDestinationIPAddress
What are these section?

I think you can add multiple , like netflowReceiver.0.ip=X.X.X.X
netflowReceiver.1.ip=Y.Y.Y.Y

As each of these instances has fields for IP, port etc , I think its purpose it to be able to add multiple.
Never tried it

I only have 1 Mikrotik

These sections on
netflowElement.1.id = 226
netflowElement.1.termid = netflow.postNATDestinationIPAddress
etc..

I think I added them while playing to get IPFIX working (IPFIX works with periodic templates of fields being transmitted).
I believe the *default* "dictionary" did not recognise certain Netflow field, hence the possibility to add new ones.
To be honest I don't know anymore. They are not present in the "default" files so for sure some custom work.

Perhaps it something to do with this thread viewtopic.php?t=99152

Jotne · Mon Nov 08, 2021 8:19 am

I think you can add multiple , like netflowReceiver.0.ip=X.X.X.X

I did hope for a solution where you have a netflow listener, and that it does not care about where data is coming from.
Would be hard to maintain and setup if you have a lot of routers.

jvanhambelgium · Mon Nov 08, 2021 8:56 am

I think you can add multiple , like netflowReceiver.0.ip=X.X.X.X
I did hope for a solution where you have a netflow listener, and that it does not care about where data is coming from.
Would be hard to maintain and setup if you have a lot of routers.

I quickly tested and it seems not to like 0.0.0.0

I agree this add some task to the admin, but I'm not even sure this Stream-plugin would "scale" well if you have hundreds of routers sending Netflow data to it.
Then you probably have to run it on a separate box and not on the same "Splunk" host that like I do.
As an "ip accounting" replacement, I would enable netflow only on the Internet-facing devices or some centralized Internet breakout boxes.
Enabling netflow for all internal interfaces on a larger network will generate quite some flows.

jvanhambelgium · Mon Nov 08, 2021 9:21 am

I re-tested and 0.0.0.0 seems to work.
Because Splunk is running on my NAS I really need to be patient, it's quite heavy

Anyway, I've adapted my config to

netflowReceiver.0.ip = 0.0.0.0
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

And then killed the streamfwd-processes and restarted Splunk. Since then, events seems to arrive just fine.
The "exporter_ip" field indicates which element is sending the Netflow data.

eddieb · Mon Nov 08, 2021 5:47 pm

So I upgraded to this latest version.
I am not familiar enough with splukt to tune this, but it is getting really sloooooooow
Any hints in how to get better performance ?
removing old data ?
some indexing and how ?
getting a warning :

Storage engine migration recommended

If your instance uses the MMAPv1 storage engine,

how do I find out if my docker instance uses this ??
free splunk license btw

jvanhambelgium · Mon Nov 08, 2021 9:22 pm

There a LOT of interesting documents on Splunk that are easy to read.
Including some to limit the retention for example. I only keep about 30days I believe. I'm running it on a NAS, together with 5 other VM's and 15+ containers so I have to make choices consuming nearly all 16GB that is in my NAS.

Concerning the storage-engine, see for example below

https://docs.splunk.com/Documentation/S ... ateKVstore

It seems I'm also using the "old" MMAPv1 but I don't have such messages. I'm running 8.2.0 (I'm not updating to release 8.2.3 since the fixes are not interesting to me)

For licensing, go to "Settings" (on the top menu) , then "Licensing" en there you'll see what you have, what volume of the 500MB/day you've used etc.

eddieb · Mon Nov 08, 2021 9:30 pm

tnx,

I am using docker on synology. Splunk has 2GB out of 4GB availiable RAM ...

running portainer to manage and watchtower to automaticly upgrade docker images when they are availiable ...

I surely would like some options to autoclean log if older than xx days ...
It would probably make splunk a lot faster here

jvanhambelgium · Mon Nov 08, 2021 9:39 pm

In the bin-folder where the splunk binaries are, issue #./splunk show kvstore-status
It will provide the type of store.

This member:
backupRestoreStatus : Ready
date : Mon Nov 8 20:15:19 2021
dateSec : 1636398919.648
disabled : 0
guid : 6D5FAC74-4CDC-4F5C-AEA7-16B04EB7F9AE
oplogEndTimestamp : Mon Nov 8 20:15:17 2021
oplogEndTimestampSec : 1636398917
oplogStartTimestamp : Mon Oct 4 06:20:29 2021
oplogStartTimestampSec : 1633321229
port : 8191
replicaSet : 6D5FAC74-4CDC-4F5C-AEA7-16B04EB7F9AE
replicationStatus : KV store captain
standalone : 1
status : ready
storageEngine : mmapv1

I quickly performed migration to wiredTiger using the document-link earlier. It took only few minutes without issues.Just follow the procedure.

backupRestoreStatus : Ready
date : Mon Nov 8 20:39:04 2021
dateSec : 1636400344.346
disabled : 0
guid : 6D5FAC74-4CDC-4F5C-AEA7-16B04EB7F9AE
oplogEndTimestamp : Mon Nov 8 20:39:01 2021
oplogEndTimestampSec : 1636400341
oplogStartTimestamp : Mon Nov 8 20:32:08 2021
oplogStartTimestampSec : 1636399928
port : 8191
replicaSet : 6D5FAC74-4CDC-4F5C-AEA7-16B04EB7F9AE
replicationStatus : KV store captain
standalone : 1
status : ready
storageEngine : wiredTiger

eddieb · Mon Nov 08, 2021 9:45 pm

Upgraded here too

and now try to find a way to limit and auto clean data to speedup things

jvanhambelgium · Mon Nov 08, 2021 10:31 pm

Upgraded here too

and now try to find a way to limit and auto clean data to speedup things

Splunk community has tons of information.

https://community.splunk.com/t5/Getting ... m-p/495331

I'll think you'll find answers there to set some limits.

eddieb · Tue Nov 09, 2021 4:15 pm

Ok, I am trying to find the correct indexes.conf...
I tried to do so in the webinterface but no luck thru setting reduction on 90 days ...

finally found it in /opt/splunk/etc/system/local/indexes.conf
needed to restart splunk to get this active

Jotne · Sun Nov 14, 2021 8:49 pm

Seems to be that there will be a working Traffic accounting for v7.x without need to use netflow.
Will be out in next version if all is ok:
viewtopic.php?p=890978#p890978

jvanhambelgium · Sun Nov 14, 2021 10:42 pm

Seems to be that there will be a working Traffic accounting for v7.x without need to use netflow.
Will be out in next version if all is ok:
viewtopic.php?p=890978#p890978

With the netflow you do have some more insight in the port-usage too and not just IP's.
Ideal to possibly pick up certain abnormal "flows"
I agree there is a lot TCP/443 these days but still...

Jotne · Mon Nov 15, 2021 9:18 am

I know NetFlow is a much more in depth analyze tool and gives information about every packet.
My goal is to deliver some that is simple and many can use to monitor their routers.
Kid Control and IP Accounting, gives information about who is downloading/uploading, how much and when.
Should be enough for most small/medium network admins.

Will have a look at NetFlow later to see if I can get it to work in a simple way with Splunk.

Jotne · Mon Nov 15, 2021 2:18 pm

Here is a view that combine accounting with kid control.
You can see how much data my Chromecast downloads. 18MB last 4 hour (backgrround images).
At the same time it shows device (kid) control status. If its not in any group, its just used to monitor traffic (dynamic). It can be set to a group with various status, open, blocked manually, blocked due to time limit, blocked due to rate limit etc.

PS Kid Control should be renamed to Device traffic control, since its not just kids you like to block, it may be other devices as well.

.

Kid Accounting2.jpg

mducharme · Mon Nov 15, 2021 8:30 pm

I agree, there are many uses of this device tracking and control that extend beyond kids. I can also see potential for enhancing it even more with a few more features - just a few useful ones I have thought of:

- The ability to be able to create a simple queue per host that includes the IPv4 address and IPv6 addresses - since "Devices" in kid control tracks this, there could easily be a "rate limit" setting in there. Note this is different from rate limiting per kid because sometimes you might want to limit per device like this.
- The ability to dynamically place the IPv4 and IPv6 addresses for a single device or kid into an address list, that way they could be flexibly used in firewall rules.
- Groups of "kids" could be created for things like departments of a company and used to populate address lists to allow creation of firewall rules based on department

Companies could use these features to restrict what some employees can do compared to others, and to provide an audit log of who had what IPv4 and IPv6 addresses at a given time. Kid-control has many practical use cases outside of restricting kids.

Jotne · Sat Dec 11, 2021 5:22 pm

Next version will have better health and works better with 7.1

Here is an example on Routers giving PSU State
.

psu_state.jpg

Jotne · Mon Dec 20, 2021 9:21 am

# Script version 4.8
# Change to kid kontroll for accounting (needs to be fixed)
# Fixed possibility to turn off account data
# Updated health section to get all health info on old and new system to work better with 7.x

To upgrade, just cut/past the script to all router. (script found in first post)

NB If you do use accounting from 6.x, do not upgrade this script with also update the main Splunk version to minimum 3.5
This is due to change from accounting to kid control, since accounting does not work in RouterOS 7.x

Jotne · Mon Dec 20, 2021 2:39 pm

Upgraded to 3.5

Happy Xmas

# 3.5 (20.12.2021)
# Changed from IP Accounting to Kid Control to get accounting data to work with 7.x RouterOS
# Renamed "MikroTik Volt/Temperature" to "MikroTik Health"
# Added more info to "Mikrotik Health"

Since the new app now uses Kid control to collect accounting data, you need to know the following.
1. To use accounting, you need at Script at least on v4.8 or larger.
2. You will no longer see historical data from old accounting.
3. To get Kid Control data see section 2e) in first post.

Upgrade can be done by just replacing old files and restart Splunk

Jotne · Thu Dec 23, 2021 1:58 pm

Next version will have a dashboard for Netwatch. With that you can keep track of when devices goes up and down.
It can also be used to monitor the stateless Wireguard VPN that can not be monitored as normal VPN can.
.

netwatch.jpg

jvanhambelgium · Thu Dec 23, 2021 3:15 pm

Thanks Jotne!
Also usable for example to monitor ZeroTier participants on your "cloud" LAN.

Jotne · Thu Dec 23, 2021 3:40 pm

Also usable for example to monitor ZeroTier participants on your "cloud" LAN.

Do ZeroTier work more or less like Wireguard with no logging on connecting/up/down etc?
If yes, this can be used for ZeroTier as well.

jvanhambelgium · Thu Dec 23, 2021 5:45 pm

Also usable for example to monitor ZeroTier participants on your "cloud" LAN.
Do ZeroTier work more or less like Wireguard with no logging on connecting/up/down etc?
If yes, this can be used for ZeroTier as well.

So it seems, my "interface" "zerotier1" is always UP ,but with Netwatch I can ping/test "remote endpoints" that also participate in the ZeroTier network.
I get "up / down" notifications through Netwatch the moment I switch on the ZeroTier VPN app on my Android phone
Off course conceptually ZeroTier is a bit different from WireGuard

Jotne · Sun Jan 02, 2022 6:32 pm

There are many solution.

With Splunk you have 100% control of everything. You server, your setup. And free (up to 500MB/day)
Store as much data as long as you like.

maga79 · Tue Jan 11, 2022 8:45 am

NB logging large amount of Accouning, DNS or firewall rules quickly eats up license, so I do recommend to turn off Accouning/DNS logging to start with.
How to turn off DNS logging ? When I disable Accounting function , log server still receive the dns request .
Thanks.

Jotne · Tue Jan 11, 2022 10:57 pm

DNS logs comes from the Router log, so to stop it change from:

/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp

to

/system logging add action=logserver prefix=MikroTik topics=!debug,!packet,!snmp,!dns

maga79 · Tue Jan 18, 2022 6:03 pm

Splunk versino : 8.2.4
License Type :Free license group
Volume used today 3 MB (0.524% of quota)
Mikrotik schedule : 5 minutes
When I login in the Mikrotik logs on Splunk , running search mikrotik on splunk ,There is no log record in splunk server.
After I restart Splunk service on web . splunk server will received the log from RB4011.
I need manually estart Splunk service after splunk server running 15 minutes everyday.
Why splunk need do that ? Is there something wrong with splunk server？How can i check the splunk server is running normally?
Thanks

Jotne · Tue Jan 18, 2022 10:19 pm

Mine never needs to be restarted.
Have one version where Splunk listen on port 514 (not recommended as it needs to be root)
Other version have rsyslog server as input and Splunk reads rsyslog logs.
Both running fine.'

Do you pass any firewall on the way from MikroTik to the Splunk server?
What do you run Splunk on? Linux (recommend Ubuntu) on a dedicated (pri 1) server or vmware (pri 2) are the best options.
Avoid using Splunk on Windows.

maga79 · Wed Jan 19, 2022 5:02 am

Mine never needs to be restarted.
Have one version where Splunk listen on port 514 (not recommended as it needs to be root)
Other version have rsyslog server as input and Splunk reads rsyslog logs.
Both running fine.'

Do you pass any firewall on the way from MikroTik to the Splunk server?
What do you run Splunk on? Linux (recommend Ubuntu) on a dedicated (pri 1) server or vmware (pri 2) are the best options.
Avoid using Splunk on Windows.

Port 514 and port 8000
udp UNCONN 0 0 0.0.0.0:514 0.0.0.0:* users:(("splunkd",pid=364916,fd=57))
tcp LISTEN 0 128 0.0.0.0:8000 0.0.0.0:* users:(("splunkd",pid=364916,fd=138))

Status: active

To Action From
-- ------ ----
22/tcp ALLOW Anywhere
514 ALLOW Server IP address
8000/tcp ALLOW Anywhere
8090/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
22/tcp (v6) ALLOW Anywhere (v6)
8000/tcp (v6) ALLOW Anywhere (v6)
8090/tcp (v6) ALLOW Anywhere (v6)
443/tcp (v6) ALLOW Anywhere (v6)

Splunk run on the Ubuntu 20.04 server version which was build on ESXi 6.7.0.

Jotne · Wed Jan 19, 2022 8:06 am

Should work.
Only comment is that you should not run splunk as root user, and use rsyslog to listen on port 514.

jvanhambelgium · Wed Jan 19, 2022 8:36 am

My Splunk is also running for some years now. Only goes down when I apply Splunk updates of some sort. Rock solid!
I'm running on Ubuntu 18.0.4.5 LTS
I suggest you start digging in the LOG-directory of you Splunk.

/opt/splunk/var/log

From there you have folders "watchdog" and "splunk"

You could investigate watchdog.log and in the spluink-folder many logfile reside like health.log , splunkd.log , web_access.log etc,etc

Splunk-specific troubleshooting might be slightly outside the scope of this forum

The Splunk community-forums are a better place for that.

maga79 · Sat Jan 22, 2022 7:04 pm

Thanks for help Jotne and jvanhambelgium.
After I reinstall the Splunk server, all the things works well .
But Some graph in APP didn't work.
i can get the graph for Mikrotik CAPsMAN Wifi Connection and "Mikrotik CAPsMAN Number of Clients pr AP" , but there is no graph for"Mikrotik CAPsMAN Channel Usage"
I also setup the ":local CAPsMANN true" but did no work.
Did i miss some configration on Mikrotik script?

Our customer always want to know which client PC or mobile phone take maximum flow in specified time range ,with destination IP and protocol.
How can I the traffice flow graph in app?
If I could define the application data type , maybe the traffic flow grapy would be more visualble.
Thanks.

Jotne · Sat Jan 22, 2022 10:20 pm

Some times MT do change stuff, so it does not work. Since I do not have capsman, I need some help to debug it.
Can you post a list of log line here?

Example output of:

index=* "caps,info"

norooznoroozi85 · Mon Feb 07, 2022 1:45 pm

hi
I added MikroTik logs 3.5 in my Splunk & done all configuration

in search tab in main splunk i can see my log from my mikrotik with host="192.168.XX.XX" command
but in app "MikroTik logs 3.5" I can not see any information or log

does this app listen on port:514??

Jotne · Mon Feb 07, 2022 5:57 pm

Did you see the debug section 2h-2?

2h) Debugging
1. See if any data are coming inn to splunk at all.

index=*

2. Test if data has correct tag "MikroTik" (Capital M & T)

index=* | table _time sourcetype _raw

Follow this section 100%
2b) Then select what modules to log.

Splunk can listen on port 514, but not recommended since it need to run as root.
Use Rsyslog to listen on 514.
Just follow to tutorial step by step.

norooznoroozi85 · Wed Feb 09, 2022 1:02 pm

hi again
I have see the log but i wnat to see the log in your dashboard "Miktotik loge 3.5"
thanks for your answer
I receive log from Mikrtotik in search , with command line index=* , but, I donot have any data in "Miktotik loge 3.5"

this item is ok "Test if data has correct tag "MikroTik" (Capital M & T)"

if possible i can send you a photo

Jotne · Wed Feb 09, 2022 1:33 pm

Can you post some line output of

index=* | fillnull value="-" | table _time index sourcetype _raw

That do contains some data from router?

Do you run as this:
Splunk as root and port 514 open to Splunk
or
Splunk as non root, Splunk getting data from rsyslog that listen in 514

norooznoroozi85 · Mon Feb 14, 2022 8:00 am

excuse me I confuse a lot
what do you mean by "slunk as root"??
I used Splunk 8.2 on windows server 2022 and my MikroTik Router is CCR1036 , V6.48.6

if possible , I will send you picture!!

I have my MikroTik log in my splunk but I want to see my log in your dashboard "MikroTik log 3.5"

Jotne · Mon Feb 14, 2022 8:22 am

You did not post output of my command above. With that I can see if logs looks like what I expect.

I did forget to ask on what platform you do run Splunk.

Some of my first information in my first post:

Installation
1) On your PC Works on Windows and Linux, but use Linux (clearly the best choice and also used in all post here)

It should work, but I may not be able to help with windows version on the same lever as on Linux (recommended)
Linux has normal user and root user.

If you only have one server, I would suggest to install VmWare Workstation, then setup a Linux server (example Ubuntu 20.04)
Follow all steps in post above to get Splunk installed.

Jotne · Sun Feb 27, 2022 5:50 pm

New version with Netwatch logging is not the way. See this post in this thread on how it works:
viewtopic.php?p=888800#p888800

thebulgarian · Mon Mar 07, 2022 10:12 pm

Hello everyone!

First of all thanks for this excellent tool @Jotne, I love it!

I have a little problem, I'm unable to get my CHR to visualize on my dashboard. All my other Mikrotik devices are showing correct except CHR. I have 2 CHR - 1 is 6.49.4 and the other is 7.1.3
My Splunk is recieving data, I can search for 10.0.0.56 and 10.0.0.57 and i have data, but I dont see it on the Dashboard
Here is export of my configurations in case you want and have time to help.

CHRv7.1.3:

/interface bridge
add name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
set 1 name=serial1
/system logging action
add name=72 remote=10.0.0.72 src-address=10.0.0.57 target=remote
/interface bridge port
add bridge=bridge1 interface=ether1
/ipv6 settings
set disable-ipv6=yes
/ip cloud
set update-time=no
/ip dhcp-client
add interface=bridge1
/system hardware
set allow-x86-64=yes
/system identity
set name=CHRv7_x86_64
/system logging
add action=72 prefix=MikroTik topics=!debug,!packet,!snmp
/system ntp client
set enabled=yes
/system ntp client servers
add address=10.0.0.1
/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/07/2022 start-time=19:08:47
/system script
add dont-require-permissions=no name=Data_to_Splunk_using_Syslog owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="# Collect information from Mikrotik RouterOS\r\
    \n# Jotne 2021\r\
    \n:log info message=\"script=version ver=4.8\"\r\
    \n# ----------------------------------\r\
    \n\r\
    \n\r\
    \n# What data to collect.  Set to false to skip the section \r\
    \n# ----------------------------------\r\
    \n:local SystemResource true\r\
    \n:local SystemInformation true\r\
    \n:local SystemHealth true\r\
    \n:local TrafficData true\r\
    \n:local AccuntData true\r\
    \n:local uPnP true\r\
    \n:local Wireless false\r\
    \n:local AddressLists true\r\
    \n:local DHCP true\r\
    \n:local Neighbor true\r\
    \n:local InterfaceData true\r\
    \n:local CmdHistory true\r\
    \n:local CAPsMANN false\r\
    \n\r\
    \n\r\
    \n# Collect system resource\r\
    \n# ----------------------------------\r\
    \n:if (\$SystemResource) do={\r\
    \n\t/system resource\r\
    \n\t:local cpuload [get cpu-load]\r\
    \n\t:local freemem ([get free-memory]/1048576)\r\
    \n\t:local totmem ([get total-memory]/1048576)\r\
    \n\t:local freehddspace ([get free-hdd-space]/1048576)\r\
    \n\t:local totalhddspace ([get total-hdd-space]/1048576)\r\
    \n\t:local up [get uptime]\r\
    \n\t:local sector [get write-sect-total]\r\
    \n\t:log info message=\"script=resource free_memory=\$freemem MB total_mem\
    ory=\$totmem MB free_hdd_space=\$freehddspace MB total_hdd_space=\$totalhd\
    dspace MB cpu_load=\$cpuload uptime=\$up write-sect-total=\$sector\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Make some part only run every hours\r\
    \n# ----------------------------------\r\
    \n:global Hour\r\
    \n:local run false\r\
    \n:local hour [:pick [/system clock get time] 0 2]\r\
    \n:if (\$Hour != \$hour) do={\r\
    \n\t:global Hour \$hour\r\
    \n\t:set run true\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get NTP status\r\
    \n# ----------------------------------\r\
    \n:local ntpstatus \"\"\r\
    \n:if ([:len [/system package find where !disabled and name=ntp]] > 0 or [\
    :tonum [:pick [/system resource get version] 0 1]] > 6) do={\r\
    \n    :set ntpstatus [/system ntp client get status]\r\
    \n} else={\r\
    \n    :if ([:typeof [/system ntp client get last-update-from]] = \"nil\") \
    do={\r\
    \n        :set ntpstatus \"using-local-clock\"\r\
    \n    } else={\r\
    \n        :set ntpstatus \"synchronized\"\r\
    \n    }\r\
    \n}\r\
    \n:log info message=\"script=ntp status=\$ntpstatus\" \r\
    \n\r\
    \n\r\
    \n# Get interface traffic data for all interface\r\
    \n# ----------------------------------\r\
    \n:if (\$TrafficData) do={\r\
    \n\t:foreach id in=[/interface find] do={\r\
    \n\t\t:local output \"\$[/interface print stats as-value where .id=\$id]\"\
    \r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"if_traffic\"\r\
    \n\t\t:log info message=\"\$output\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get traffic data v2 (Kid Control)\r\
    \n# ----------------------------------\r\
    \n:if (\$AccuntData) do={\r\
    \n\t:foreach logline in=[/ip kid-control device find] do={\r\
    \n\t\t:local output \"\$[/ip kid-control device get \$logline]\"\r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"kids\"\r\
    \n\t\t:log info message=\"\$output\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Finding dynmaic lines used in uPnP\r\
    \n# ----------------------------------\r\
    \n:if (\$uPnP) do={\r\
    \n\t:foreach logline in=[/ip firewall nat find where dynamic=yes and comme\
    nt~\"^upnp \"] do={\r\
    \n\t\t:local output \"\$[/ip firewall nat print as-value from=\$logline]\"\
    \r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"upnp\"\r\
    \n\t\t:log info message=\"\$output\" \r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect system information\r\
    \n# ----------------------------------\r\
    \n:local model na\r\
    \n:local serial na\r\
    \n:local ffirmware na\r\
    \n:local cfirmware na\r\
    \n:local ufirmware na\r\
    \n:if (\$SystemInformation and \$run) do={\r\
    \n\t:local version ([/system resource get version])\r\
    \n\t:local board ([/system resource get board-name])\r\
    \n\t:if (\$board!=\"CHR\") do={\r\
    \n\t\t/system routerboard\r\
    \n\t\t:set model ([get model])\r\
    \n\t\t:set serial ([get serial-number])\r\
    \n\t\t:set ffirmware ([get factory-firmware])\r\
    \n\t\t:set cfirmware ([get current-firmware])\r\
    \n\t\t:set ufirmware ([get upgrade-firmware])\r\
    \n\t}\r\
    \n\t:local identity ([/system identity get name])\r\
    \n\t:log info message=\"script=sysinfo version=\\\"\$version\\\" board-nam\
    e=\\\"\$board\\\" model=\\\"\$model\\\" serial=\$serial identity=\\\"\$ide\
    ntity\\\" factory-firmware=\\\"\$ffirmware\\\" current-firmware=\\\"\$cfir\
    mware\\\" upgrade-firmware=\\\"\$ufirmware\\\"\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect system health\r\
    \n# ----------------------------------\r\
    \n:if (\$SystemHealth) do={\r\
    \n\t:do {\r\
    \n\t\t# New version\r\
    \n\t\t:foreach id in=[/system health find] do={\r\
    \n\t\t\t:local health \"\$[/system health get \$id]\"\r\
    \n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
    \n\t\t\t:log info message=\"\$health\"\r\
    \n\t\t}\r\
    \n\t} on-error={\r\
    \n\t\t# Old version\r\
    \n\t\t:if (!([/system health get]~\"(state=disabled|^\\\$)\")) do={\r\
    \n\t\t\t:local health \"\$[/system health get]\"\r\
    \n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
    \n\t\t\t:log info message=\"\$health\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Sends wireless client data to log server \r\
    \n# ----------------------------------\r\
    \n:if (\$Wireless && [:len [/int find where type=wlan]]>0) do={\r\
    \n\t/interface wireless registration-table\r\
    \n\t:foreach i in=[find] do={\r\
    \n\t\t:log info message=\".id=\$i;ap=\$([get \$i ap]);interface=\$([get \$\
    i interface]);mac-address=\$([get \$i mac-address]);signal-strength=\$([ge\
    t \$i signal-strength]);tx-rate=\$([get \$i tx-rate]);uptime=\$([get \$i u\
    ptime]);script=wifi\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Count IP in address-lists\r\
    \n#----------------------------------\r\
    \n:if (\$AddressLists) do={\r\
    \n\t:local array [ :toarray \"\" ]\r\
    \n\t:local addrcntdyn [:toarray \"\"] \r\
    \n\t:local addrcntstat [:toarray \"\"] \r\
    \n\t:local test\r\
    \n\t:foreach id in=[/ip firewall address-list find] do={\r\
    \n\t\t:local rec [/ip firewall address-list get \$id]\r\
    \n\t\t:local listname (\$rec->\"list\")\r\
    \n\t\t:local listdynamic (\$rec->\"dynamic\")\r\
    \n\t\t:if (!(\$array ~ \$listname)) do={ :set array (\$array , \$listname)\
    \_}\r\
    \n\t\t:if (\$listdynamic = true) do={\r\
    \n\t\t\t:set (\$addrcntdyn->\$listname) (\$addrcntdyn->\$listname+1)\r\
    \n\t\t} else={\r\
    \n\t\t\t:set (\$addrcntstat->\$listname) (\$addrcntstat->\$listname+1)}\r\
    \n\t}\r\
    \n\t:foreach k in=\$array do={\r\
    \n\t\t:log info message=(\"script=address_lists list=\$k dynamic=\".((\$ad\
    drcntdyn->\$k)+0).\" static=\".((\$addrcntstat->\$k)+0))}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get MNDP (CDP) Neighbors\r\
    \n# ----------------------------------\r\
    \n:if (\$Neighbor and \$run) do={\r\
    \n\t:foreach neighborID in=[/ip neighbor find] do={\r\
    \n\t\t:local nb [/ip neighbor get \$neighborID]\r\
    \n\t\t:local id [:pick (\"\$nb\"->\".id\") 1 99]\r\
    \n\t\t:foreach key,value in=\$nb do={\r\
    \n\t\t\t:local newline [:find \$value \"\\n\"]\r\
    \n\t\t\t:if ([\$newline]>0) do={\r\
    \n\t\t\t\t:set value [:pick \$value 0 \$newline]\r\
    \n\t\t\t}\r\
    \n\t\t\t:log info message=\"script=neighbor nid=\$id \$key=\\\"\$value\\\"\
    \"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect DHCP Pool information\r\
    \n# ----------------------------------\r\
    \n:if (\$DHCP and \$run) do={\r\
    \n\t/ip pool {\r\
    \n\t\t:local poolname\r\
    \n\t\t:local pooladdresses\r\
    \n\t\t:local poolused\r\
    \n\t\t:local minaddress\r\
    \n\t\t:local maxaddress\r\
    \n\t\t:local findindex\r\
    \n\r\
    \n# Iterate through IP Pools\r\
    \n\t\t:foreach pool in=[find] do={\r\
    \n\t\t\t:set poolname [get \$pool name]\r\
    \n\t\t\t:set pooladdresses 0\r\
    \n\t\t\t:set poolused 0\r\
    \n\r\
    \n# Iterate through current pool's IP ranges\r\
    \n\t\t\t:foreach range in=[:toarray [get \$pool range]] do={\r\
    \n\r\
    \n# Get min and max addresses\r\
    \n\t\t\t\t:set findindex [:find [:tostr \$range] \"-\"]\r\
    \n\t\t\t\t:if ([:len \$findindex] > 0) do={\r\
    \n\t\t\t\t\t:set minaddress [:pick [:tostr \$range] 0 \$findindex]\r\
    \n\t\t\t\t\t:set maxaddress [:pick [:tostr \$range] (\$findindex + 1) [:le\
    n [:tostr \$range]]]\r\
    \n\t\t\t\t} else={\r\
    \n\t\t\t\t\t:set minaddress [:tostr \$range]\r\
    \n\t\t\t\t\t:set maxaddress [:tostr \$range]\r\
    \n\t\t\t\t}\r\
    \n\r\
    \n# Calculate number of ip in one range\r\
    \n\t\t\t\t:set pooladdresses (\$maxaddress - \$minaddress)\r\
    \n\r\
    \n# /foreach range\r\
    \n\t\t\t}\r\
    \n\r\
    \n# Test if pools is used in DHCP or VPN and show leases used\r\
    \n\t\t\t:local dname [/ip dhcp-server find where address-pool=\$poolname]\
    \r\
    \n\t\t\t:if ([:len \$dname] = 0) do={\r\
    \n# No DHCP server found, assume VPN\r\
    \n\t\t\t\t:set poolused [:len [used find pool=[:tostr \$poolname]]]\r\
    \n\t\t\t} else={\r\
    \n# DHCP server found, count leases\r\
    \n\t\t\t\t:local dname [/ip dhcp-server get [find where address-pool=\$poo\
    lname] name]\r\
    \n\t\t\t\t:set poolused [:len [/ip dhcp-server lease find where server=\$d\
    name]]}\r\
    \n\r\
    \n# Send data\r\
    \n\t\t\t:log info message=(\"script=pool pool=\$poolname used=\$poolused t\
    otal=\$pooladdresses\")\r\
    \n\r\
    \n# /foreach pool\r\
    \n\t\t}\r\
    \n# /ip pool\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get detailed command history RouterOS >= v7\r\
    \n# ----------------------------------\r\
    \n:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and \$CmdHi\
    story) do={\r\
    \n\t:global cmd\r\
    \n\t:local f 0\r\
    \n\t:foreach i in=[/system history find] do={\r\
    \n\t\t:if (\$i = \$cmd) do={ :set f 1 }\r\
    \n\t\t:if (\$f != 1) do={\r\
    \n\t\t\t:log info message=\"StartCMD\"\r\
    \n\t\t\t:log info message=[/system history get \$i]\r\
    \n\t\t\t:log info message=\"EndCMD\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n\t:global cmd  [:pick [/system history find] 0]\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Test if CAPsMANN is installed, if yes, run capsmann script.\r\
    \n# ----------------------------------\r\
    \n:if ( ([:len [/interface find where type=\"cap\"]] > 0) and \$CAPsMANN) \
    do={ /system script run capsman }\r\
    \n\r\
    \n\r\
    \n# End Script"
/tool romon
set enabled=yes

CHRv6.49.4

/interface bridge
add name=bridge1 protocol-mode=none
/system logging action
add name=72 remote=10.0.0.72 src-address=10.0.0.56 target=remote
/interface bridge port
add bridge=bridge1 interface=ether1
/ip cloud
set update-time=no
/ip dhcp-client
add disabled=no interface=bridge1
/system clock manual
set time-zone=+02:00
/system identity
set name=CHR_x86_64
/system logging
add action=72 disabled=yes prefix=MikroTik topics=critical
add action=72 disabled=yes prefix=MikroTik topics=account
add action=72 disabled=yes prefix=MikroTik topics=health
add action=72 disabled=yes prefix=MikroTik topics=interface
add action=72 disabled=yes prefix=MikroTik topics=info
add action=72 prefix=MikroTik topics=!debug,!packet,!snmp
/system note
set note="\r\
    \n   _____ _    _ _____     __ _  _   \r\
    \n  / ____| |  | |  __ \\   / /| || |  \r\
    \n | |    | |__| | |__) | / /_| || |_ \r\
    \n | |    |  __  |  _  / | '_ \\__   _|\r\
    \n | |____| |  | | | \\ \\ | (_) | | |  \r\
    \n  \\_____|_|  |_|_|  \\_\\ \\___/  |_|  \r\
    \n                    ______          \r\
    \n                   |______|         \r\
    \n"
/system ntp client
set enabled=yes primary-ntp=10.0.0.1 secondary-ntp=10.0.200.0
/system ntp server
set enabled=yes
/system scheduler
add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=mar/03/2022 start-time=14:56:37
/system script
add dont-require-permissions=no name=Data_to_Splunk_using_Syslog owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="# Collect information from Mikrotik RouterOS\r\
    \n# Jotne 2021\r\
    \n:log info message=\"script=version ver=4.8\"\r\
    \n# ----------------------------------\r\
    \n\r\
    \n\r\
    \n# What data to collect.  Set to false to skip the section \r\
    \n# ----------------------------------\r\
    \n:local SystemResource true\r\
    \n:local SystemInformation true\r\
    \n:local SystemHealth true\r\
    \n:local TrafficData true\r\
    \n:local AccuntData true\r\
    \n:local uPnP true\r\
    \n:local Wireless false\r\
    \n:local AddressLists true\r\
    \n:local DHCP true\r\
    \n:local Neighbor true\r\
    \n:local InterfaceData true\r\
    \n:local CmdHistory true\r\
    \n:local CAPsMANN false\r\
    \n\r\
    \n\r\
    \n# Collect system resource\r\
    \n# ----------------------------------\r\
    \n:if (\$SystemResource) do={\r\
    \n\t/system resource\r\
    \n\t:local cpuload [get cpu-load]\r\
    \n\t:local freemem ([get free-memory]/1048576)\r\
    \n\t:local totmem ([get total-memory]/1048576)\r\
    \n\t:local freehddspace ([get free-hdd-space]/1048576)\r\
    \n\t:local totalhddspace ([get total-hdd-space]/1048576)\r\
    \n\t:local up [get uptime]\r\
    \n\t:local sector [get write-sect-total]\r\
    \n\t:log info message=\"script=resource free_memory=\$freemem MB total_mem\
    ory=\$totmem MB free_hdd_space=\$freehddspace MB total_hdd_space=\$totalhd\
    dspace MB cpu_load=\$cpuload uptime=\$up write-sect-total=\$sector\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Make some part only run every hours\r\
    \n# ----------------------------------\r\
    \n:global Hour\r\
    \n:local run false\r\
    \n:local hour [:pick [/system clock get time] 0 2]\r\
    \n:if (\$Hour != \$hour) do={\r\
    \n\t:global Hour \$hour\r\
    \n\t:set run true\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get NTP status\r\
    \n# ----------------------------------\r\
    \n:local ntpstatus \"\"\r\
    \n:if ([:len [/system package find where !disabled and name=ntp]] > 0 or [\
    :tonum [:pick [/system resource get version] 0 1]] > 6) do={\r\
    \n    :set ntpstatus [/system ntp client get status]\r\
    \n} else={\r\
    \n    :if ([:typeof [/system ntp client get last-update-from]] = \"nil\") \
    do={\r\
    \n        :set ntpstatus \"using-local-clock\"\r\
    \n    } else={\r\
    \n        :set ntpstatus \"synchronized\"\r\
    \n    }\r\
    \n}\r\
    \n:log info message=\"script=ntp status=\$ntpstatus\" \r\
    \n\r\
    \n\r\
    \n# Get interface traffic data for all interface\r\
    \n# ----------------------------------\r\
    \n:if (\$TrafficData) do={\r\
    \n\t:foreach id in=[/interface find] do={\r\
    \n\t\t:local output \"\$[/interface print stats as-value where .id=\$id]\"\
    \r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"if_traffic\"\r\
    \n\t\t:log info message=\"\$output\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get traffic data v2 (Kid Control)\r\
    \n# ----------------------------------\r\
    \n:if (\$AccuntData) do={\r\
    \n\t:foreach logline in=[/ip kid-control device find] do={\r\
    \n\t\t:local output \"\$[/ip kid-control device get \$logline]\"\r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"kids\"\r\
    \n\t\t:log info message=\"\$output\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Finding dynmaic lines used in uPnP\r\
    \n# ----------------------------------\r\
    \n:if (\$uPnP) do={\r\
    \n\t:foreach logline in=[/ip firewall nat find where dynamic=yes and comme\
    nt~\"^upnp \"] do={\r\
    \n\t\t:local output \"\$[/ip firewall nat print as-value from=\$logline]\"\
    \r\
    \n\t\t:set ( \"\$output\"->\"script\" ) \"upnp\"\r\
    \n\t\t:log info message=\"\$output\" \r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect system information\r\
    \n# ----------------------------------\r\
    \n:local model na\r\
    \n:local serial na\r\
    \n:local ffirmware na\r\
    \n:local cfirmware na\r\
    \n:local ufirmware na\r\
    \n:if (\$SystemInformation and \$run) do={\r\
    \n\t:local version ([/system resource get version])\r\
    \n\t:local board ([/system resource get board-name])\r\
    \n\t:if (\$board!=\"CHR\") do={\r\
    \n\t\t/system routerboard\r\
    \n\t\t:set model ([get model])\r\
    \n\t\t:set serial ([get serial-number])\r\
    \n\t\t:set ffirmware ([get factory-firmware])\r\
    \n\t\t:set cfirmware ([get current-firmware])\r\
    \n\t\t:set ufirmware ([get upgrade-firmware])\r\
    \n\t}\r\
    \n\t:local identity ([/system identity get name])\r\
    \n\t:log info message=\"script=sysinfo version=\\\"\$version\\\" board-nam\
    e=\\\"\$board\\\" model=\\\"\$model\\\" serial=\$serial identity=\\\"\$ide\
    ntity\\\" factory-firmware=\\\"\$ffirmware\\\" current-firmware=\\\"\$cfir\
    mware\\\" upgrade-firmware=\\\"\$ufirmware\\\"\"\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect system health\r\
    \n# ----------------------------------\r\
    \n:if (\$SystemHealth) do={\r\
    \n\t:do {\r\
    \n\t\t# New version\r\
    \n\t\t:foreach id in=[/system health find] do={\r\
    \n\t\t\t:local health \"\$[/system health get \$id]\"\r\
    \n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
    \n\t\t\t:log info message=\"\$health\"\r\
    \n\t\t}\r\
    \n\t} on-error={\r\
    \n\t\t# Old version\r\
    \n\t\t:if (!([/system health get]~\"(state=disabled|^\\\$)\")) do={\r\
    \n\t\t\t:local health \"\$[/system health get]\"\r\
    \n\t\t\t:set ( \"\$health\"->\"script\" ) \"health\"\r\
    \n\t\t\t:log info message=\"\$health\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Sends wireless client data to log server \r\
    \n# ----------------------------------\r\
    \n:if (\$Wireless && [:len [/int find where type=wlan]]>0) do={\r\
    \n\t/interface wireless registration-table\r\
    \n\t:foreach i in=[find] do={\r\
    \n\t\t:log info message=\".id=\$i;ap=\$([get \$i ap]);interface=\$([get \$\
    i interface]);mac-address=\$([get \$i mac-address]);signal-strength=\$([ge\
    t \$i signal-strength]);tx-rate=\$([get \$i tx-rate]);uptime=\$([get \$i u\
    ptime]);script=wifi\"\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Count IP in address-lists\r\
    \n#----------------------------------\r\
    \n:if (\$AddressLists) do={\r\
    \n\t:local array [ :toarray \"\" ]\r\
    \n\t:local addrcntdyn [:toarray \"\"] \r\
    \n\t:local addrcntstat [:toarray \"\"] \r\
    \n\t:local test\r\
    \n\t:foreach id in=[/ip firewall address-list find] do={\r\
    \n\t\t:local rec [/ip firewall address-list get \$id]\r\
    \n\t\t:local listname (\$rec->\"list\")\r\
    \n\t\t:local listdynamic (\$rec->\"dynamic\")\r\
    \n\t\t:if (!(\$array ~ \$listname)) do={ :set array (\$array , \$listname)\
    \_}\r\
    \n\t\t:if (\$listdynamic = true) do={\r\
    \n\t\t\t:set (\$addrcntdyn->\$listname) (\$addrcntdyn->\$listname+1)\r\
    \n\t\t} else={\r\
    \n\t\t\t:set (\$addrcntstat->\$listname) (\$addrcntstat->\$listname+1)}\r\
    \n\t}\r\
    \n\t:foreach k in=\$array do={\r\
    \n\t\t:log info message=(\"script=address_lists list=\$k dynamic=\".((\$ad\
    drcntdyn->\$k)+0).\" static=\".((\$addrcntstat->\$k)+0))}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get MNDP (CDP) Neighbors\r\
    \n# ----------------------------------\r\
    \n:if (\$Neighbor and \$run) do={\r\
    \n\t:foreach neighborID in=[/ip neighbor find] do={\r\
    \n\t\t:local nb [/ip neighbor get \$neighborID]\r\
    \n\t\t:local id [:pick (\"\$nb\"->\".id\") 1 99]\r\
    \n\t\t:foreach key,value in=\$nb do={\r\
    \n\t\t\t:local newline [:find \$value \"\\n\"]\r\
    \n\t\t\t:if ([\$newline]>0) do={\r\
    \n\t\t\t\t:set value [:pick \$value 0 \$newline]\r\
    \n\t\t\t}\r\
    \n\t\t\t:log info message=\"script=neighbor nid=\$id \$key=\\\"\$value\\\"\
    \"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Collect DHCP Pool information\r\
    \n# ----------------------------------\r\
    \n:if (\$DHCP and \$run) do={\r\
    \n\t/ip pool {\r\
    \n\t\t:local poolname\r\
    \n\t\t:local pooladdresses\r\
    \n\t\t:local poolused\r\
    \n\t\t:local minaddress\r\
    \n\t\t:local maxaddress\r\
    \n\t\t:local findindex\r\
    \n\r\
    \n# Iterate through IP Pools\r\
    \n\t\t:foreach pool in=[find] do={\r\
    \n\t\t\t:set poolname [get \$pool name]\r\
    \n\t\t\t:set pooladdresses 0\r\
    \n\t\t\t:set poolused 0\r\
    \n\r\
    \n# Iterate through current pool's IP ranges\r\
    \n\t\t\t:foreach range in=[:toarray [get \$pool range]] do={\r\
    \n\r\
    \n# Get min and max addresses\r\
    \n\t\t\t\t:set findindex [:find [:tostr \$range] \"-\"]\r\
    \n\t\t\t\t:if ([:len \$findindex] > 0) do={\r\
    \n\t\t\t\t\t:set minaddress [:pick [:tostr \$range] 0 \$findindex]\r\
    \n\t\t\t\t\t:set maxaddress [:pick [:tostr \$range] (\$findindex + 1) [:le\
    n [:tostr \$range]]]\r\
    \n\t\t\t\t} else={\r\
    \n\t\t\t\t\t:set minaddress [:tostr \$range]\r\
    \n\t\t\t\t\t:set maxaddress [:tostr \$range]\r\
    \n\t\t\t\t}\r\
    \n\r\
    \n# Calculate number of ip in one range\r\
    \n\t\t\t\t:set pooladdresses (\$maxaddress - \$minaddress)\r\
    \n\r\
    \n# /foreach range\r\
    \n\t\t\t}\r\
    \n\r\
    \n# Test if pools is used in DHCP or VPN and show leases used\r\
    \n\t\t\t:local dname [/ip dhcp-server find where address-pool=\$poolname]\
    \r\
    \n\t\t\t:if ([:len \$dname] = 0) do={\r\
    \n# No DHCP server found, assume VPN\r\
    \n\t\t\t\t:set poolused [:len [used find pool=[:tostr \$poolname]]]\r\
    \n\t\t\t} else={\r\
    \n# DHCP server found, count leases\r\
    \n\t\t\t\t:local dname [/ip dhcp-server get [find where address-pool=\$poo\
    lname] name]\r\
    \n\t\t\t\t:set poolused [:len [/ip dhcp-server lease find where server=\$d\
    name]]}\r\
    \n\r\
    \n# Send data\r\
    \n\t\t\t:log info message=(\"script=pool pool=\$poolname used=\$poolused t\
    otal=\$pooladdresses\")\r\
    \n\r\
    \n# /foreach pool\r\
    \n\t\t}\r\
    \n# /ip pool\r\
    \n\t}\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Get detailed command history RouterOS >= v7\r\
    \n# ----------------------------------\r\
    \n:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and \$CmdHi\
    story) do={\r\
    \n\t:global cmd\r\
    \n\t:local f 0\r\
    \n\t:foreach i in=[/system history find] do={\r\
    \n\t\t:if (\$i = \$cmd) do={ :set f 1 }\r\
    \n\t\t:if (\$f != 1) do={\r\
    \n\t\t\t:log info message=\"StartCMD\"\r\
    \n\t\t\t:log info message=[/system history get \$i]\r\
    \n\t\t\t:log info message=\"EndCMD\"\r\
    \n\t\t}\r\
    \n\t}\r\
    \n\t:global cmd  [:pick [/system history find] 0]\r\
    \n}\r\
    \n\r\
    \n\r\
    \n# Test if CAPsMANN is installed, if yes, run capsmann script.\r\
    \n# ----------------------------------\r\
    \n:if ( ([:len [/interface find where type=\"cap\"]] > 0) and \$CAPsMANN) \
    do={ /system script run capsman }\r\
    \n\r\
    \n\r\
    \n# End Script\r\
    \n"

Thanks!

mducharme · Thu Mar 17, 2022 8:12 am

@jotne

I've never used Splunk before but thought I would give it a try for home.

Under MikroTik Device Traffic (although I properly have kid-control enabled), the hostname is blank for all entries, even though I can see in kid-control devices the hostname is shown for some of those. Also instead of showing all IP addresses the device has, it only shows the first one in the list. Other than that most features seem to work.

I am using CAPsMAN as well but there is no data displayed there.

Jotne · Thu Mar 17, 2022 8:39 am

Let it run for least on day. Some script are just run every 24 hours.

gpmendive · Sat Apr 02, 2022 7:47 pm

Thanks a lot Jotne for your App for Splunk!
It´s my first installation of Splunk and your guide proved to be very helpful.

I first installed both on Ubuntu server running on a physical PC. I tried it for several days and in performed great.
Then I installed on same OS but running in a ProxmoxVE Virtual Machine; great performance also!
I will stick to the latter configuration.

Thanks again to you, and also to the other members who contributed to this topic.

LogicalNZ · Sat Apr 16, 2022 11:03 am

I’m really interested in Splunk.

I have been using GreyLog for a couple of years for Syslog management on my Tiks. Can someone help me understand when using Splunk with a Tik, what would be the advantage over GreyLog?

jvanhambelgium · Mon Apr 18, 2022 5:09 pm

My 2 cents,
I don't think there are any advantages. In theory with GreyLog you can do the same (or should be able to do so), but obviously the key is that for Mikrotik Jotne has provided some nice app/dashboards to work with.

MeMB · Wed Apr 20, 2022 1:21 pm

Do i need to add any apps to Splunk before proceeding so that V3.5 can communicate with Splunk.
I have followed the start of the tutorial, however my Mik does not even show in the device list.

Jotne · Sat Apr 23, 2022 12:40 pm

What do you get when search for

index=*

Do you use rsyslog or are you running Splunk as root and listen on port 514?
See section
3b) Debugging

Jotne · Sat Apr 23, 2022 12:44 pm

I have been using GreyLog for a couple of years for Syslog management on my Tiks. Can someone help me understand when using Splunk with a Tik, what would be the advantage over GreyLog?

GreyLog and Splunk are the two mayor log receiving system.
One is 100% free, other is free up to 500MB log / day.

Do a google for

graylog vs splunk

I do like Splunk, since its what I can

siscom · Tue May 03, 2022 10:59 am

Hi Jotne,

1 - Thank you for this app - very clean and useful.
2 - Problem - VPN Connections not working well

This was all working ok until I introduced a 2FA solution. What happens is that on a user accessing the L2TP/IPsec server, a request is sent to a radius server that sends a request to a service which then sends a request to the users's mobile for auth. Once this happens, the service sends a reply back to radius which in turn advises the router to admit the user. All this takes time which means the logging is not within the same few seconds it usually is. This seems to cause Splunk/Mikrotik app to lose the login.

If I log in using the same user without 2FA (tried with both PPTP & L2TP/IPsec), Splunk logs it 100% and if you look at the router log, only the timing is the difference.

I tried to modify the MAX_TIMESTAMP_LOOKAHEAD value in the props.conf in the Mikrotik app directory (restarted Splunk) but this made no difference.
Any idea what could be causing this?

Rgds,
Mark

Jotne · Tue May 03, 2022 8:29 pm

Do you see the logs in splunk?

index=*

Can you post some example line?

juancipolletti · Wed May 04, 2022 8:33 pm

Hi Jotne,I'm new to the forum and to splunk, I have my lab upstairs with an ubuntu server with rsyslog and a mikrotik rb3011/6.42.9v router, the logs arrive in my rsyslog, but I can't see them in splunk. I would appreciate any help.

siscom · Wed May 04, 2022 9:37 pm

Hi,

Thank you for the reply. I tried to run the Search with the index=* parameter but there is too much data being displayed. Any way to get something only related to the logins?

Rgds,
Mark.

Jotne · Wed May 04, 2022 9:56 pm

@siscom try some search like this.

index=* sourcetype=mikrotik  eventtype IN (*tp_connection_from,*tp_user_logged_in,ppp_authentication_failed,l2tp_user_logged_out)

or

index=* sourcetype=mikrotik  ppp

Without seeing what you get its not easy,

Jotne · Wed May 04, 2022 10:03 pm

Hi Jotne,I'm new to the forum and to splunk, I have my lab upstairs with an ubuntu server with rsyslog and a mikrotik rb3011/6.42.9v router, the logs arrive in my rsyslog, but I can't see them in splunk. I would appreciate any help.

Do this search give any Mikrotik data?

index=*

You have followed this part 100%
viewtopic.php?p=888803#p888803
Do this file exist:

%SplunkHome%/etc/system/local/inputs.conf

Under
Settings->Data Inputs->Files & Directories you should see rsyslog section and a number of files it sees.

udp.png

.

Jotne · Thu May 05, 2022 11:44 am

Upgraded to 3.6

# 3.6 (05.05.2022)
# NB Delete old app (copy custom made config) before install v3.6
# Change data to store in Mikrotik index, instead of default index
# Change how rsyslog handles data. Did fail if there was more than one type of input
# Updeted script in "MikroTik DHCP to Static"
# Uses new Index, important to look at macros.conf and set correct index.
# Added colors to "MikroTik Admin user login"

This version no longer uses default index (main). It will create its own index name (mikrotik)
I do suggest that you remove old installed version before install the new version due to index change.
New data will be stored in new index and old data will remain in old main index. App will search both.

If you for some reason needs another custom index name, you can do that as well. Just edit the macros.conf to indicate what index to search,

tahir491 · Sat May 07, 2022 1:19 pm

Hi Every one
I'm unable to find Mikrotik.spl file can someone please help for finding this file

zandhaas · Sat May 07, 2022 3:47 pm

The Mikrotik.SPL file is packaged as a RAR file and you can download this under paragraph 1G in the first post of this thread.

Jotne · Sat May 07, 2022 6:43 pm

File is find in section 1g) in the first post. And I did forget to upload 3.6 when I had written that it was upgraded. Fixed now.

Jotne · Tue May 10, 2022 2:22 pm

Small bug found that will come in 3.7 if you do use rsyslog.

Quick fix to get it to work.

Change this part of props.conf from

[rsyslog]
TRUNCATE = 10000
TRANSFORMS-dns = remove_dns_query,remove_dns_answer
TRANSFORMS-force_mikrotik = force_mikrotik_st,force_mikrotik_ix

To

[rsyslog]
TRUNCATE = 10000
TRANSFORMS-dns = remove_dns_query,remove_dns_answer
TRANSFORMS-force_mikrotik = force_mikrotik_st,force_mikrotik_ix
SEDCMD-clean_header = s/\d{4}-\d\d-\d\d.*?<\d+>//
SEDCMD-clean_end = s/#015$//

jwshields · Tue May 10, 2022 6:54 pm

I work with Splunk daily as part of my day job, managing a medium sized cluster of around ~50 nodes, consuming around 5TB of events per day. I absolutely love getting my hands dirty in apps and building things for Splunk.
Is this the same Mikrotik App that was out about 1.5-2 years ago, and has just been updated? Or a completely different app?

Are you interested in open-sourcing the app and hosting it on [your choice of a publicly hosted Git platform]? I would love to contribute and work on this app if at all possible, and if there is interest.
Let me know if you're open to open-sourcing the Splunk app, or collaborating together.
You should be able to DM me or email me on here, but if you're interested, let me know. Would love to chat more about this! Your screenshots look so beautiful!

- Jared

Jotne · Tue May 10, 2022 7:05 pm

I would have no problem to make this app better and working together

Yes its the same app that has been around since at least 2017.

My level of programming skill is not at a high level, but know some and also working with splunk as a main work.
We have 50+ Splunk server and 1+ TB a day from 3k+ servers +++

eaf · Wed May 11, 2022 10:53 pm

I have a question regarding the below snippet. What is [/ip kid-control device find] supposed to print/return? For me it prints nothing. And kid control has been enabled as per the instructions.

Also a couple of typos here: "$AccuntData" and "dynmaic".

:if ($AccuntData) do={
:foreach logline in=[/ip kid-control device find] do={
:local output "$[/ip kid-control device get $logline]"
:set ( "$output"->"script" ) "kids"
:log info message="$output"
}
}

# Finding dynmaic lines used in uPnP
# ----------------------------------

Jotne · Wed May 11, 2022 11:29 pm

Here is output of my settings

/ip/kid-control> export
# may/11/2022 22:25:17 by RouterOS 7.2.3
# software id = E4B6-AAAA
#
# model = RouterBOARD 750G r3
# serial number = xxxxx
/ip kid-control
add fri=0s-1d mon=0s-1d name=Monitor sat=0s-1d sun=0s-1d thu=0s-1d tue=0s-1d wed=0s-1d

To see the actual data

 /ip kid-control device/print 
Flags: D, L - LIMITED; I - INACTIVE
Columns: NAME, MAC-ADDRESS, IDLE-TIME, RATE-DOWN, RATE-UP
 #    NAME                       MAC-ADDRESS        IDLE-TIME   RATE-DOWN  RATE-UP 
 0 D                             00:05:00:01:00:01  2s          0bps       0bps    
 1 D                             AC:CA:54:00:AA:CC  2s          0bps       0bps    
 2 D                             00:1D:EC:06:AA:83  2s          0bps       0bps    
 3 D  vuxxxx-xxx                00:1D:EC:AA:92:6D  1s          0bps       0bps    
 4 D                             00:40:8C:DF:AA:44  3m37s       0bps       0bps    
 5 D                             90:B1:1C:8E:AA:6E  0s          49.7kbps   32.6kbps
 6 D                             90:B1:1C:68:AA:D1  0s          29.9kbps   4.8kbps 
 7 D                             EE:9D:21:79:AA:CC  3m50s       0bps       0bps    
 8 D                             4C:5E:0C:0E:AA:F5  39s         0bps       0bps    
 9 D  HUAWEI_P_smart_Z-3006e00b  74:AA:09:53:A7:E9  5s          0bps       0bps    
10 D  ESP_4E46B6                 CC:50:E3:AA:46:B6  1s          0bps       0bps    
11 D  S21-pol-zovatela-rtes     BA:E8:4C:AA:DF:FD  31s         0bps       0bps    
12 D  Pulsecf129d87a0            A4:CF:12:AA:87:A0  3s          0bps       0bps    
13 D                             5C:83:8F:0C:AA:AC  11s         0bps       0bps    
14 D                             C4:AD:34:B1:AA:CE  49s         0bps       0bps    
15 D                             00:C0:B7:C2:AA:0F              0bps       0bps    
16 D  raspberrypi                00:13:EF:AA:2F:E3  1m54s       0bps       0bps

If you do not see anything, I am not sure what is wrong.
Should work both on both RuterOS 6 and 7.

eaf · Thu May 12, 2022 12:02 am

Ah, sorry, some major misunderstanding of MT scripting on my side. "/ip kid-control device find" isn't supposed to print anything. ":put [/ip kid-control device find]" will.

I was just trying to see what kind of log lines that snippet was supposed to produce. Apparently something like this:

.id=*1;activity=i.scdn.co;blocked=false;bytes-down=6980168;bytes-up=742091;disabled=false;dynamic=true;idle-time=00:00:01;inactive=false;ip-address=192.168.88.7;limited=false;mac-address=74:D6:37:70:58:41;name=amazon-cd1e20631;rate-down=504;rate-up=920;user=

bholler · Thu May 12, 2022 10:56 pm

Hi Guys,

An interesting discussion is going on here. I have been looking for this type of solution for a while. However, I have few questions for @jotnet

1. Can a report be generated for the individual device?

2. Can the script log the address list so I can perform an audit on affected IPs.

3. I dont understand your naming convention...are you referring to the comment given to the rules?

4. What if the minimum requirement for the splunk and can any of the AWS t2 micro or nano be sufficient?

I look forward to your reply.

Regards

jvanhambelgium · Fri May 13, 2022 12:04 am

1. Can a report be generated for the individual device?

Sure, in the dashboard there is a "Host" selector if you have multiple Mikrotiks

2. Can the script log the address list so I can perform an audit on affected IPs.

"Log the address list" ? In the dashboard you'll see the IP-address of the device generating the traffic. So you, you can trace it back yes.

3. I dont understand your naming convention...are you referring to the comment given to the rules?

You can name the FW-rules how you want, but he gives a proposal that could be interesting.
I run completely different naming and this works fine, just make sure you do not exceed 20characters.

4. What if the minimum requirement for the splunk and can any of the AWS t2 micro or nano be sufficient?

Hmm, these are *very* lightweight ... t2 micro = 1vCPU and 1GBytes RAM and a t2 nano = 1vCPU and 512Mbytes RAM
That's gonna be a problem I think. I run Splunk on a VM (on my Synology NAS) with 1vCPU and 4Gbytes RAM and it is quite slow and collector only data from 1 Mikrotik.
Good enough for "hobby" but if I compare it to the performance of the Splunk systems I have access to professionally its a bit of a joke

Jotne · Fri May 13, 2022 8:18 am

1. Can a report be generated for the individual device?

Yes

2. Can the script log the address list so I can perform an audit on affected IPs.

Yes

3. I dont understand your naming convention...are you referring to the comment given to the rules?

Yes its the naming of filter/nat rules to make it easier to se what is what int the graphical view

4. What if the minimum requirement for the splunk and can any of the AWS t2 micro or nano be sufficient?

Not sure, but it depends on the amount of logged each day and how often you search the data.
Running the 500MB/day limit (lots of stuff logged) does run fine on and older linux PC (16GB ram)
Using SSD as storage speeds up the dashboard view.

If there are some function missing Splunk is very flexible and can add almost any thing you like.

bholler · Fri May 13, 2022 11:45 am

HI Guys,

Thank you for the brilliant response. I am a product manager and security expert. I love to deploy Mikrotik firewall and bandwidth management in the cooperate or enterprise environment, In most cases, some of our customers have replaced their Cisco ASA with our customized Mikrotik Security Boxes. However, one of the issues we keep having is a customized logging system for reporting, be it for regulatory compliance reasons or internal policies.

Splunk appears like software with such flexibility. I will like to work with someone with the experience on how to customize Splunk to suit the range of reporting required by our customers. One of such is having address-list on Splunk. We have various address-lists with captured src or dst address that violates certain policy and the administrator may want to do a drill-down.

e.g if we have the policy to capture the src ip of those using VPN to bypass content filtering, the admin will want to know the users and be able to take necessary actions to forestall such action. Mikrotik firewall can capture such IP in address-list for future evaluation on splunk.

Also, does Splunk provide domain names of destination hosts when generating reports?

I look forward to your usual brilliant contribution

Jotne · Fri May 13, 2022 1:40 pm

Splunk can do all you ask about and more. Nearly unlimited possibility. It do cost allot of money if you put it inn to a large scale company, but may be the best and most flexible solution out there.

For your IP address list, you can hav tem in a csv file that Splunk uses. This fil can be updated automatically if need.
You can then make alerts or reports that checks data logged against this table and send alerts of make graphs.

Domain name are normally part of your DNS solution, so you can just make Splunk do a lookup at your DSN servers for domain name,
Or you can add it as an identity to the router it self and make Splunk read it from there.

To use Splunk, you need to get data inn to it (File/Agents/Syslog/HTTP requests/Scripts +++++), then the next step is to graph it.
This can be an application you download (free or paid) or you can make dashboard your self.

I my organisation I am in charge og logging and using Splunk to handle it. We do get 1TB + of data a day from 3-4000 server, 1000+ switches/routers ++++++++. This shows a basic overview of our Splunk design (50+ Splunk dedicated servers).
.

splunk.png

bholler · Fri May 13, 2022 2:23 pm

Splunk can do all you ask about and more. Nearly unlimited possibility. It do cost allot of money if you put it inn to a large scale company, but may be the best and most flexible solution out there.

For your IP address list, you can hav tem in a csv file that Splunk uses. This fil can be updated automatically if need.
You can then make alerts or reports that checks data logged against this table and send alerts of make graphs.

Domain name are normally part of your DNS solution, so you can just make Splunk do a lookup at your DSN servers for domain name,
Or you can add it as an identity to the router it self and make Splunk read it from there.

To use Splunk, you need to get data inn to it (File/Agents/Syslog/HTTP requests/Scripts +++++), then the next step is to graph it.
This can be an application you download (free or paid) or you can make dashboard your self.

I my organisation I am in charge og logging and using Splunk to handle it. We do get 1TB + of data a day from 3-4000 server, 1000+ switches/routers ++++++++. This shows a basic overview of our Splunk design (50+ Splunk dedicated servers).
.
splunk.png

Wow!

I did a lookup your profile to see i could do you a DM. Mine is holler4eva@gmail.com. Lets take this further.

Regards

Abiola

bholler · Sun May 15, 2022 1:34 pm

Hi Guys,

I have been able to launch an EC2 instance (on the free tier for testing purposes) on AWS and installed splunk successfully. However, I am having issues on the rsyslog section of the installation process. see my questions below:

Where is /etc/rsyslog drirectory ? - in the root user account or splunk (/opt/splunk) i couldnt locate it.

Where are the new syslog directory be created ? root user account or splunk ?

REgards

Jotne · Sun May 15, 2022 2:18 pm

Did try to send you an email, but did not get delivered, so did try one more just now.

I do use Ubuntu and there all rsyslog are installed as default in folder /etc/rsyslog.d/ and as user root.
In the config there are settings that points to where to store syslog data, udp.conf that points to folder /data/syslog/udp/ .

So rsyslog runs as root and Splunk runs as Splunk user.

bholler · Sun May 15, 2022 3:25 pm

HI,

I just replied your email. BTW, thank you for the clarification. I am already on it. I will revert incase of any issue.

Thank you

Regards

bholler · Sun May 15, 2022 4:24 pm

I am getting error from splunk web interface...

The minimum free disk space (5000MB) reached for /opt/splunk/var/run/splunk/dispatch. What does this mean?

I am using AWS t2micro. It comes with 8GB storage

bholler · Sun May 15, 2022 4:51 pm

I am having error is adding UDP/514 to Data Inputs in Splunk. See attached

Jotne · Sun May 15, 2022 7:03 pm

Ahh, If you use rsyslog, it uses UDP port 514, so you can not add it to Splunk. Only one app can use one given port. And since you need to be root to use port 514 (<1024), the app needs to run as root. And since its not recommended to run Splunk as root, I let rsyslog get the data by it listen to port 514.
Splunk do get log data from Splunk by reading (following) folder

/data/syslog/udp/*

In file
splunk/etc/system/local/inputs.conf
there are a section that collects the rsyslog data.

[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment = 4

Or you can see it here:
Settings->Data Input->Files & Directories

/data/syslog/udp/.../*.log	
Segment
rsyslog
default
11711	
system
Enabled | Disable	Delete

Since this number 11711 do increase, it shows that it reads new data.

bholler · Sun May 15, 2022 9:48 pm

I followed your instrction based on steps 1b and 1f.

I installed splunk as non root and deploy rsyslog.

1f required we specify dns/514 for syslog as the the sourcetype.

Are you trying to say 1f is not required?

please reply

Jotne · Sun May 15, 2022 11:08 pm

Updated section 1f, to make clear your can not use UDP/514 in Splunk if Splunk is not run as root. You then need external rsyslog server.

bholler · Mon May 16, 2022 4:36 pm

Hey Guys,

I need your help. My dashboard isnt reading data despite my router keeps loggin data to splunk.

When I issued the command sudo vim /data/syslog/udp/41.X.X.193 (where 41.X.X.193) is my router's IP), see the output below

" ============================================================================
" Netrw Directory Listing (netrw v165)
" /data/syslog/udp/41.X.X.193
" Sorted by name
" Sort sequence: [\/]$,\<core\%(\.\d\+\)\=\>,\.h$,\.c$,\.cpp$,\~\=\*$,*,\.o$,\.obj$,\.info$,\.swp$,\.bak$,\~$
" Quick Help: <F1>:help -:go up dir D:delete R:rename s:sort-by x:special
" ==============================================================================
../
./
20220515-15.log
20220515-16.log
20220515-17.log
20220515-18.log
20220515-19.log
20220515-20.log
20220515-21.log
20220515-22.log
20220515-23.log
20220516-00.log
20220516-01.log
20220516-02.log
20220516-03.log
20220516-04.log
20220516-05.log
20220516-06.log
20220516-07.log
20220516-08.log
20220516-09.log
20220516-10.log
20220516-11.log
20220516-12.log
20220516-13.log

I believe this is a piece of evidence that my Mikrotik is logging data to Splunk. If yes, what could be the possible reason the dashboard is empty.

KIndly assist with your brilliant suggestion.

Jotne · Mon May 16, 2022 5:31 pm

Whats inn those files? paste some lines. See section 3b Debuging

If syslog folder has data, it could be one of two.
Not using MikroTik tag (Capital M and capital T)
Splunk not reading data.

What do search for

index=*

give

bholler · Mon May 16, 2022 7:10 pm

Whats inn those files? paste some lines. See section 3b Debuging

If syslog folder has data, it could be one of two.
Not using MikroTik tag (Capital M and capital T)
Splunk not reading data.

What do search for
Code: Select all
index=*
give

See the line from the syslog file
2022-05-16T16:00:00.259726+00:00 <13>firewall,info MikroTik: AT_Accpt_Https Allowed Traffic: in:BV-Br out:ether2-WAN, src-mac d8:b0:53:1b:97:a6, proto TCP (SYN), 192.168.10.81:50032->216.58.223.202:443, len 60
2022-05-16T16:00:00.259989+00:00 <13>firewall,info MikroTik: SrcNat_Masq srcnat: in:(unknown 0) out:ether2-WAN, src-mac d8:b0:53:1b:97:a6, proto TCP (SYN), 192.168.10.81:50032->216.58.223.202:443, len 60
2022-05-16T16:00:00.260448+00:00 <13>firewall,info MikroTik: RS_Drop_Youtube Restricted Site: in:BV-Br out:ether2-WAN, src-mac d8:b0:53:1b:97:a6, proto TCP (ACK,PSH), 192.168.10.81:50032->216.58.223.202:443, NAT (192.168.10.81:50032->41.X.X.193:50032)->216.58.223.202:443, len 569

About index=*, see below:
ubuntu@ip-172-31-28-110:~$ index=*
ubuntu@ip-172-31-28-110:~$ index=* | table _time sourcetype _raw

Command 'table' not found, did you mean:

command 'ptable' from deb xcrysden (1.6.2-3build1)
command 'tabble' from deb tabble (0.43-3)

Try: sudo apt install <deb name>

ubuntu@ip-172-31-28-110:~$

About caps for M & T. it is confirmed OK.

I am suspecting the right of Splunk. OR what do you think

Jotne · Mon May 16, 2022 7:22 pm

It seems that rsyslog data looks fine.
But to get the firewall data in firewall dashboard correctly, you should name the rule as in section. 2c

In splunk go to this setting:
Settings->Data Input->Files & Directories
Do you see a line starting with?
/data/syslog/udp/.../*.log

This command

index=* | table _time sourcetype _raw

should be run in Splunk search window, not in linux command line

bholler · Mon May 16, 2022 8:02 pm

It seems that rsyslog data looks fine.
But to get the firewall data in firewall dashboard correctly, you should name the rule as in section. 2c

In splunk go to this setting:
Settings->Data Input->Files & Directories
Do you see a line starting with?
/data/syslog/udp/.../*.log

NO. there is no line like that

This command
Code: Select all
index=* | table _time sourcetype _raw
should be run in Splunk search window, not in linux command line

I ran the command, it did not return any result

Jotne · Mon May 16, 2022 8:17 pm

Then you have skipped this part in rsyslog setup:

To make Splunk read rsyslog data make this file: %SplunkHome%/etc/system/local/inputs.conf

[monitor:///data/syslog/udp/.../*.log]
sourcetype = rsyslog
host_segment=4

[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment=4

NB Splunk needs to restart to read new config file.

Its important to follow all steps and read all information, line by line.

bholler · Mon May 16, 2022 8:29 pm

Then you have skipped this part in rsyslog setup:

To make Splunk read rsyslog data make this file: %SplunkHome%/etc/system/local/input.conf
Code: Select all
[monitor:///data/syslog/udp/.../*.log]
sourcetype = rsyslog
host_segment=4

[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment=4
NB Splunk needs to restart to read new config file.

Its important to follow all steps and read all information, line by line.

splunk@ip-172-31-28-110:~$ cat /opt/splunk/etc/system/local/input.conf
[monitor:///data/syslog/udp/.../*.log]
sourcetype = rsyslog
host_segment=4

[monitor:///data/syslog/tcp/.../*.log]
sourcetype = rsyslog
host_segment=4

Jotne · Mon May 16, 2022 8:54 pm

In folder (in linux)

/opt/splunk/bin

run

./splunk btool inputs list | grep udp

You should see:

[monitor:///data/syslog/udp/.../*.log]
[udp]

bholler · Mon May 16, 2022 9:25 pm

In folder (in linux)
Code: Select all
/opt/splunk/bin
run
Code: Select all
./splunk btool inputs list | grep udp
You should see:
Code: Select all
[monitor:///data/syslog/udp/.../*.log]
[udp]

Only saw [udp]

[monitor:///data/syslog/udp/.../*.log] isnt there.

Oops

Jotne · Mon May 16, 2022 9:39 pm

Then splunk does not see the file.

/opt/splunk/etc/system/local/inputs.conf

It can be a permission settings, if its there.
If I do run Splunk a non-root user, f.eks as a splunk user, I make sure all files under /opt/splunk has same rights.

mareka · Mon Jun 06, 2022 4:32 pm

At first, this is wery good job. It take a while to undestand how it works and i missing caps man script etc in this thread but still, good job.
I am using ROS 7 and i have small enhancement for CapsMan to work correctly with Caps man dashboards.
Could you Jotne please update your app by there steps?

In file C:\Program Files\Splunk\etc\apps\MikroTik\default\eventtypes.conf
search
[capsman_disconnected]
search = "caps,info * disconnected,"
[capsman_connected]
search = "caps,info * connected, signal"

change it to
[capsman_disconnected]
search = "caps,info * disconnected," OR "caps,debug * disconnected,"
[capsman_connected]
search = "caps,info * connected, signal" OR "caps,debug * connected, signal"

In file C:\Program Files\Splunk\etc\apps\MikroTik\default\props.conf
search
EXTRACT-mikrotik_caps-man2 = caps,info.*?(?<mac>(?:\w\w:){5}\w\w)@(?<ap>.*?) (?:(?:dis)?connected|rejected), (?<reason>.*?)(?:$\d+$| (?<strength>-\d+))?$
EXTRACT-mikrotik_caps-man_frequency = caps,info.*?: (?<ap>[^:]+): selected channel (?<frequency>\d+)\/(?<widt>\d+)\/(?<standard>[^$]+)\((?<dBm>\d+)dBm

change it to
EXTRACT-mikrotik_caps-man2 = caps,(info|debug).*?(?<mac>(?:\w\w:){5}\w\w)@(?<ap>.*?) (?:(?:dis)?connected|rejected), (?<reason>.*?)(?:\(\d+$| (?<strength>-\d+))?$
EXTRACT-mikrotik_caps-man_frequency = caps,(info|debug).*?: (?<ap>[^:]+): selected channel (?<frequency>\d+)\/(?<widt>\d+)?-?(?<extensionChannel>\w+)\/(?<standard>[^\(]+)\((?<dBm>\d+)dBm

Then restart splunk.
i am pretty sure on linux will be same path structure from splunk install directory so every user can change it itself.

Jotne · Mon Jun 06, 2022 5:59 pm

All updated. But could you post a log line that this will match on?

EXTRACT-mikrotik_caps-man_frequency = caps,(info|debug).*?: (?<ap>[^:]+): selected channel (?<frequency>\d+)\/(?<widt>\d+)?-?(?<extensionChannel>\w+)\/(?<standard>[^\(]+)\((?<dBm>\d+)dBm

I do not have/use capsman, so any help is appreciated.

mareka · Wed Jun 15, 2022 6:33 pm

Hello
the parse modification is not perfect because i am not understand wifi standards deep enought. But it works with probably one mistake in standard detection and that is the place of my misunderstand of wifi stamdards vs Mikrotik.

caps,info MikroTik: AP 2 - 5GHz: selected channel 5680/20-eeCe/ac/DP(27dBm)

Jotne · Thu Jun 16, 2022 3:50 am

Do you say that the reges is not correct? When I test regex:

caps,(?:info|debug).*?: (?<ap>[^:]+): selected channel (?<frequency>\d+)\/(?<widt>\d+)?-?(?<extensionChannel>\w+)\/(?<standard>[^\(]+)\((?<dBm>\d+)dBm

On this data

caps,info MikroTik: AP 2 - 5GHz: selected channel 5680/20-eeCe/ac/DP(27dBm)

using regex101.com it looks correct.

mareka · Fri Jun 17, 2022 2:53 pm

No, regex which i posted is correct, it parses the line but grouping may be incorrect.
When i use web you posted i will get these groups
ap=AP 2 - 5GHz
frequency=5680
widt=20
extensionChannel=eeCe
standard=ac/DP
dBm=27

i as i can see now i have typo in "widt" which may be width. Sorry about that.
Back to root case. In previos post i spoke about this grou standard=ac/DP because i have no idea if /DP is part of wifi AC standard ot it is it's own category (group)

Jotne · Mon Jun 20, 2022 1:01 pm

I do agree that it may be wrong. Updated to this:

caps,(?:info|debug).*?: (?<ap>[^:]+): selected channel (?<frequency>\d+)\/(?<widt>\d+)?-?(?<extensionChannel>\w+)\/(?<standard>[^\/]+)\/\S+\((?<dBm>\d+)dBm

Jotne · Sat Jun 25, 2022 9:25 pm

NB. If you upgrade Splunk to 9.0, you will get some warnings. I have locked at them, and there are no big error.
It will be fixed in next version of MikroTik app for Splunk

jvanhambelgium · Sun Jul 24, 2022 2:49 pm

Hi,
I've switched over to the RB5009 on 7.3.1 and the logging throws me the error below on execution of your script 4.8
Some sections seem to give output, like address-lists & kid-control.

script error: error - contact MikroTik support and send a supout file (10)

Did you test on 7.3.1 already ?
I'll cut the script into smaller sections and execute section-per-section to see if something comes up.

My 7.3.1 release does not like the section below, it throws the error on the console immediately after execution it.

# Get detailed command history RouterOS >= v7
# ----------------------------------
:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and $CmdHistory) do={
:global cmd
:local f 0
:foreach i in=[/system history find] do={
:if ($i = $cmd) do={ :set f 1 }
:if ($f != 1) do={
:log info message="StartCMD"
:log info message=[/system history get $i]
:log info message="EndCMD"
}
}
:global cmd [:pick [/system history find] 0]
}

holvoetn · Sun Jul 24, 2022 2:54 pm

Hi,
I've switched over to the RB9005 ...

Where did you find that one ??

jvanhambelgium · Sun Jul 24, 2022 3:11 pm

Hi,
I've switched over to the RB9005 ...
Where did you find that one ??

Coming from a secret lab @ Mikrotik somewhere in the very,very,very distant future

Jotne · Sun Jul 24, 2022 6:45 pm

I have tested it on bot 7.2.3 and 7.4 without any problem.

What do you see when you cut and past this to terminal.

{
:local CmdHistory true
# Get detailed command history RouterOS >= v7
# ----------------------------------
:if ([:tonum [:pick [/system resource get version] 0 1]] > 6 and $CmdHistory) do={
:global cmd
:local f 0
:foreach i in=[/system history find] do={
:if ($i = $cmd) do={ :set f 1 }
:if ($f != 1) do={
:log info message="StartCMD"
:log info message=[/system history get $i]
:log info message="EndCMD"
}
}
:global cmd [:pick [/system history find] 0]
}
}

If you after run this part look at Environment in script list, then try change some (add a static DNS host), then run the script. It should increase the global cmd for each time some is done on the router.

jvanhambelgium · Sun Jul 24, 2022 7:42 pm

So initially I executed and these are the env-vars

Hour = 18
cmd = *238B

Then I added Netflow-config + target and re-ran

Hour = 18
cmd = *2391

Now I have to say, it has been some time since that error popped up...the last one about 2 hours ago.
That is the same time I reconfigged the "logging target" settings. Hmm, probably fixed, but thanks the feedback!

Screenshot from 2022-07-24 18-39-42.png

jvanhambelgium · Fri Jul 29, 2022 11:52 pm

Just updated my Splunk to 9.0.0.1-9e907cedecb1 and indeed getting the "error" about the possibel insecure query. I'm sure you'll clean it up in a next release.
However, I think I'm seeing some issues with the DHCP-pool section.
With my RB5009, I've modified the config and now I'm using VLAN's internally on my network and therefore created 7 IP-pools representing lab areas.
This does not seem to reflect in the Splunk dashboard, where I would be expecting various 192.168.10.x , 192.168.20.x etc like the Winbox pool-configuration shows correctly.

Screenshot from 2022-07-29 22-43-18.png

Screenshot from 2022-07-29 22-44-43.png

Jotne · Sat Jul 30, 2022 9:30 pm

1. I do see you get Duplicate Values under host. This may be that you did change name on one device ore have multiple host with same name.
Install Lookup Editor in Splunk if you do not already have done. Got to Apps -> Lookup Editor, select device_kvstore and open it. Remove the duplicate line.

2. The warning about security issue is already fixed in next version. Just ignore the message, it just comes from Dashboards updates table.

3. DHCP dashboard are correct. One pool many contain several different subnet, so just pool name are used,
Here is an example:

pool.png

Here is an example from a test router:

dhcp.png

jvanhambelgium · Sun Jul 31, 2022 8:46 pm

Hi Jotne,
Cleaned up device_kvstore, thx for the tip.
Can you please explain how you arranged you DHCP-settings on your test-system ?

> Are you using multiple DHCP-server instances (1 for each VLAN ?) This seems mandatory to me to get it working.
> Are you using multiple pools ?? (/ip pool) or 1 pool and did add several IP-ranges ?? -> This does not work, VM's in my VLAN's are assigned a faulty IP unless I create 1 POOL for EACH VLAN subnet

Because in Splunk I get following.
Why it is written like

"DHCP-VLAN20(172.29.45.254)" ?? This VLAN20 = 192.168.20.0/24 and it has a DHCP-server running on 192.168.20.254 (= gateway for that subnet)
Why would it be displaying this 172.29.45.254 which is my "VLAN1" / Bridge-IP ?

Screenshot from 2022-07-31 19-43-34.png

Jotne · Sun Jul 31, 2022 10:03 pm

No I understand what you asks for

I do use a simple setup with one pool pr each vlan. What I would say most do.

IP you see after the scope is the host IP. The reason for having it there is that if you have two routers with both have same pool name (default setup), Splunk would mix each scope together and make a big mess.

Have now changed the tag from using host (ip) to (host_name). Will be in next release.

eddieb · Fri Aug 05, 2022 3:45 pm

Hi,
I just upgraded to the 3.6 version by upgrading the .spl in my running splunt (on docker/synology)
I see "This dashboard version is missing. Update the dashboard version in source" in the dashboard...
Any way to fix this ? I am not a splunk guru so please help

(It seems my splunk was auto updated to 9 ???)

Eddie

Jotne · Fri Aug 05, 2022 11:43 pm

Its nothing to worry about. Its just some Splunk added in the new 9.x version. I have updated it for all dashboard the will be released as next version.

To fix it you self:
Click Edit for the Dashboard to fix, then click source and change first line from:

<form theme="dark">

to

<form version="1.1" theme="dark">

Save, and then repeat for all dashboard.

eddieb · Sat Aug 06, 2022 7:14 am

Its nothing to worry about. Its just some Splunk added in the new 9.x version. I have updated it for all dashboard the will be released as next version.

To fix it you self:
Click Edit for the Dashboard to fix, then click source and change first line from:
<form theme="dark">
to
<form version="1.1" theme="dark">
Save, and then repeat for all dashboard.

Tnx, I can do that...
But, on "mikrotik_device_list"

I get

We've identified a potential security risk
This dashboard is attempting to execute an SPL query that we've flagged as risky.Learn more
The flagged commands are:

    outputlookup

I did not find a way to fix that ..

Jotne · Sat Aug 06, 2022 8:26 am

PS
No need to quote the whole post above you. Use Post Reply button below post.

I have fixed that as well. Its just a warning that a Dashboard writes an update back to a KV database or CSV file. Nothing to worry about.
Edit MicroTik Device List, find and remove:

| outputlookup device_table

It was you to make sure the KV database of devices was created as soon as possible so devices gets populated. There is an scheduled task that runes every 24 hours that update it. So for new user, it will take a day before dashboard show host instead of IP.

eddieb · Sat Aug 06, 2022 8:29 am

tnx,
indeed, after removing that line the error is gone

eddieb · Sun Aug 07, 2022 3:55 pm

hmm,
something very strange did happen ...
I did upgrade my gateway router from 6.x to 7.4 this morning, all seemed to work fine
splunk does not display firewall rules anymore for this device !!!
It is in de devicelist and updated
DNS requests are displayed
DHCP requests are NOT displayed (no results found)
Firewall info is NOT displayed (no results found)
Device traffic is displayed (using kid control)
Interface traffic is displayed
Live attack is empty (waiting for data) ...
any way to debug this ?

jvanhambelgium · Sun Aug 07, 2022 4:30 pm

hmm,
something very strange did happen ...
I did upgrade my gateway router from 6.x to 7.4 this morning, all seemed to work fine
splunk does not display firewall rules anymore for this device !!!
It is in de devicelist and updated
DNS requests are displayed
DHCP requests are NOT displayed (no results found)
Firewall info is NOT displayed (no results found)
Device traffic is displayed (using kid control)
Interface traffic is displayed
Live attack is empty (waiting for data) ...
any way to debug this ?

That's a major jump from 6.x to 7.4
I suggest you check each and every requirement to get it working in the first place. Like on the first page of the post to make sure everything is OK.
A bit like a new install.
For example, my latest update from 7.3 to 7.4 mysteriously removed some zerotier-interface etc. I had to recreate it again.
Do you have log-output when the script runs ?

Jotne · Sun Aug 07, 2022 7:27 pm

@eddieb

What is the output from this search:

index=* sourcetype=mikrotik
| fillnull value=NULL 
| stats count by index module script
| sort -count

It should give a list of all module and script that sends log to splunk from mikrotik

index....	module	script	count
mikrotik	dns	NULL	19983
mikrotik	script	kids	2923
mikrotik	firewall	NULL	2815
mikrotik	dhcp	NULL	2533
mikrotik	script	if_traffic	1198
mikrotik	script	traffic	942
mikrotik	script	address_lists	665
mikrotik	script	neighbor	396
mikrotik	script	upnp	387
mikrotik	script	resource	182
mikrotik	script	monitor	148
mikrotik	script	ntp	145
mikrotik	script	version	145
mikrotik	ipsec	NULL	96
mikrotik	script	health	74
mikrotik	script	wifi	74
mikrotik	script	pool	49
mikrotik	script	sysinfo	49
mikrotik	script	uncounted	37
mikrotik	wireless	NULL	16
mikrotik	upnp	NULL	4

eddieb · Sun Aug 07, 2022 9:25 pm

is this what you want to see ?

Screenshot 2022-08-07 at 20.24.18.png

mfedotov · Sun Aug 07, 2022 11:06 pm

I just installed the latest Splunk (9.0.0.1) and the app 3.6, still playing with it to see, but I noticed that my Mikrotik is sending the firewall logs with some extra information (prio 1->0), which breaks the parser a bit and makes it believe that this whole string from start of destination IP address up to the len is just the destination IP, and does not collect the destination port at all.
The example of the log entry is below (IP/MAC addresses blanked):

firewall,info drop_in input: in:wan out:(unknown 0), src-mac XX:XX:XX:XX:XX:XX, proto TCP (SYN), XX.XXX.XXX.XX:18568->XXX.XXX.XXX.XXX:32400, prio 1->0, len 60

I tried to update the regex I found, but without proper knowledge it was a shot in the dark and did not work for me. Would you mind to update your rule to parse this case?

Thanks

Jotne · Sun Aug 07, 2022 11:19 pm

@eddieb

Post looks correct, but it may be that some format has changed.
Can you post output of:

index=* sourcetype=mikrotik module=dhcp OR module=firewall
| dedup module punct

Just post 10-20 events, so I can look at the format.

It may be the same problem as mfedotov sees

jvanhambelgium · Sun Aug 07, 2022 11:24 pm

@eddieb

Post looks correct, but it may be that some format has changed.
Can you post output of:
Code: Select all
index=* sourcetype=mikrotik module=dhcp OR module=firewall
| dedup module punct
Just post 10-20 events, so I can look at the format.

It may be the same problem as mfedotov sees

I'm running 7.3.1 release and do not have any issue / new "prio" field. So perhaps the 7.4 introduced this change. Not present in 7.3.1

firewall,info MikroTik: IP4-IN-DYNAMIC-DROP input: in:ISP out:(unknown 0), proto TCP (SYN), 91.240.118.229:41773->82.241.131.121:3196, len 44
host = 172.30.45.254 index = mainsource = udp:20514 sourcetype = mikrotiksplunk_server = splunky

Jotne · Sun Aug 07, 2022 11:40 pm

@mfedotov

Not sure when firewall has added the prio and what it does mean. My test router running 7.2.3 do not logg this type of message.
From your post I do not see the MikroTik tag that needs to be in the log to make sure Splunk gives it correct source type'. See section 2b) in first post.
Understanding Regex is hard, understand other users regex harder, and understanding this regex is very hard

Edit
MikroTik/default/props.conf
find
EXTRACT-mikrotik_firewall_info1 = .....

Try to change the regex after the = to:

^firewall,info\s[Mm]ikro[Tt]ik:\s(?:(?<rule>[^:]+)\s)?(?<chain>.+?):\sin:(?<in_if>.*?)\sout:(?<out_if>[^,]+),(?:\ssrc-mac\s(?<src_mac>[^,]+),)?\sproto\s(?<protocol>\S+)(?:\s\((?<flag>[^\)]*)\))?,\s\[?(?<src_ip>(?:\d+\.\d+\.\d+\.\d+|[^\]]+))\]?(?::(?<src_port>[^-]+))?->\[?(?<dest_ip>(?:\d+\.\d+\.\d+\.\d+|[^\]]+))(?:\]?:(?<dest_port>[^,]+))?,\s(?:NAT[^,]+, )?(?:prio[^,]+,\s)?len\s(?<length>\d+)

Jotne · Sun Aug 07, 2022 11:54 pm

@jvanhambelgium
I do se now that you just did try to help and have no problem. Since you do not use Post Reply but quote the whole post above you. I did missunderstand.

eddieb · Mon Aug 08, 2022 8:13 am

@jotne

removed

Jotne · Mon Aug 08, 2022 10:16 am

For some reason, do your firewall show connection state. So here is a new and updated regex

Edit
MikroTik/default/props.conf
find
EXTRACT-mikrotik_firewall_info1 = .....

Change the regex after the = to:

^firewall,info\s[Mm]ikro[Tt]ik:\s(?:(?<rule>[^:]+)\s)?(?<chain>.+?):\sin:(?<in_if>.*?)\sout:(?<out_if>[^,]+),(?:\sconnection-state:(?<connection_state>\S+))?(?:\ssrc-mac\s(?<src_mac>[^,]+),)?\sproto\s(?<protocol>\S+)(?:\s\((?<flag>[^\)]*)\))?,\s\[?(?<src_ip>(?:\d+\.\d+\.\d+\.\d+|[^\]]+))\]?(?::(?<src_port>[^-]+))?->\[?(?<dest_ip>(?:\d+\.\d+\.\d+\.\d+|[^\]]+))(?:\]?:(?<dest_port>[^,]+))?,\s(?:NAT[^,]+, )?(?:prio\s(?<prio>[^,]+),\s)?len\s(?<length>\d+)

eddieb · Mon Aug 08, 2022 10:48 am

@jotne
tnx, now my firewall entries are visible again.
but stil no DHCP entries visible ...

eddieb · Mon Aug 08, 2022 12:22 pm

@jotne
Here is some output from this search

index=* sourcetype=mikrotik module=dhcp

removed

Jotne · Mon Aug 08, 2022 2:31 pm

That did not get me what I am looking for.

Post some of this output instead:

index=*
      sourcetype=mikrotik
      module=dhcp
      host="*"
      | rex "Parameter-List = (?<ParameterList>.*)"
      | makemv delim="," ParameterList
      | eval identity=coalesce(identity,host)
      | transaction host  maxspan=1s
| search "received request"
| table eventtype _raw

eddieb · Mon Aug 08, 2022 2:39 pm

@jotne
on request

remove

Jotne · Mon Aug 08, 2022 2:59 pm

Everything looks correct.
Last test:

index=*
sourcetype=mikrotik
module=dhcp
host="*"
| rex "Parameter-List = (?<ParameterList>.*)"
| makemv delim="," ParameterList
| eval identity=coalesce(identity,host)
| transaction host startswith="eventtype=dhcp_received_request" endswith="eventtype=dhcp_domain_server" maxspan=1s
| stats  count as Num_Hits values(*) as * latest(_time) as last_time by chaddr

If possible, I can log inn to your Splunk and see directly. (post your email or another form for contact)

eddieb · Mon Aug 08, 2022 4:48 pm

@jotne

00:0E:C6:20:0A:F3	1	192.168.26.189	 	 	 	 	192.168.26.246	 	 	request	
Domain-Server
Router
Subnet-Mask
	Subnet-Mask	192.168.26.254	192.168.26.254	255.255.255.0	CCR1009-8G-1S	0.0.0.0	1	dhcp-home	0	17	
dhcp_domain_server
dhcp_received_request
	17	192.168.99.254	ccr1009	mikrotik	
debug
info
	packet	17	CCR1009-8G-1S	dhcp	
,,_:_____-_=_
,,_:_____-_=_-,,-
,,_:_____-_=_...
,,_:______=_...
,,_:______=_:::::
,_:_-__...__:::::_
,_:_-______..._''
,_:_-_______...
,_:__,___
	 	606B05D59E99	192.168.26.254	udp:3514	mikrotik	splunk	none	6.49.5 (stable)	192.168.26.189	1659930155
10:30:25:94:DA:23	2	 	7776000	 	 	01-10-30-25-94-DA-23	192.168.26.246	fpad	1500	request	
Auto-Proxy-Config
Captive-Portal
Classless-Route
Domain-Name
Domain-Search
Domain-Server
Router
Subnet-Mask
Unknown(108)
	Subnet-Mask	192.168.26.254	 	255.255.255.0	CCR1009-8G-1S	192.168.26.214	1	dhcp-home	0	18	
dhcp_domain_server
dhcp_received_request
	18	192.168.99.254	ccr1009	mikrotik	debug	packet	18	CCR1009-8G-1S	dhcp	
,,_:_____---_=_
,,_:_____-_=_
,,_:_____-_=_""
,,_:_____-_=_-,-,,-,-,(),-,-,--
,,_:_____-_=_------
,,_:_____-_=_...
,,_:______=_...
,,_:______=_:::::
,_:_-______..._'::::::'
,_:_-_______...
,_:__,_
	 	606B05D59E99	192.168.26.254	udp:3514	mikrotik	splunk	none	6.49.5 (stable)	192.168.26.214	1659925337
24:1B:7A:90:7E:0E	2	 	7776000

Who is online