Jotne
Forum Guru
Topic Author
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Logging prefix is a mess

Sun Aug 06, 2017 8:49 pm

I do log packets from my MikroTiks to Splunk.
This works nicely, except I have a problem categorizing the packets.

Here is a list of prefix I have found:
certificate,debug
certificate,info
dhcp,critical,error
dhcp,debug
dhcp,debug,packet
dhcp,debug,state
dhcp,info
dhcp,warning
dns
dns,packet
e-mail,debug
firewall,info
interface,info
ipsec
ipsec,debug
ipsec,debug,packet
ipsec,error
ipsec,info
l2tp,debug
l2tp,debug,packet
l2tp,info
l2tp,ppp,debug
l2tp,ppp,debug,packet
l2tp,ppp,error
l2tp,ppp,info
l2tp,ppp,info,account
ntp,debug
ntp,debug,packet
pptp,debug
pptp,debug,packet
pptp,info
pptp,ppp,debug
pptp,ppp,debug,packet
pptp,ppp,error
pptp,ppp,info
pptp,ppp,info,account
radvd,debug
route,debug
route,debug,calc
route,debug,event
script,error
snmp
snmp,debug
ssh,debug
ssh,debug,packet
ssh,info
sstp,packet
system,e-mail,error
system,error,critical
system,info
system,info,account
upnp

It looks like it's in the format:
module,severity,info, e.g. ssh,debug,packet
But that is only half true.
What about:
system,error,critical: is that module,severity,severity?
system,e-mail,error: module,module,severity?
ipsec: here severity is missing
pptp,ppp,info,account: module,module,severity,info?

Why not just clean this up to only use module, severity, info?
Example:
e-mail,error, blabla other info
Use severity on all messages.

E-mail should be its own module, not listed under system.

Hope someone can clean this up. It would make the Splunk application much easier.

Jo
 
Try Splunk> to monitor your MikroTik Router(s). How to set it up. :mrgreen:

MikroTik->Splunk
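
The categorization problem described in the post above, as an added example that is not part of the original thread and not MikroTik or Splunk code: a normalizer that sorts each topic token into module, severity or detail regardless of position. The severity ordering, the set of detail tokens (taken from the prefixes listed in the post) and the function name `normalize_topics` are assumptions.

```python
# Added example: normalize RouterOS log topic prefixes into fixed fields
# so a log collector can index module / severity / detail consistently.

# Severity tokens seen in the listed prefixes, lowest to highest (assumed order).
SEVERITIES = ["debug", "info", "warning", "error", "critical"]
# Qualifier tokens seen in the listed prefixes (assumed to be detail, not modules).
DETAILS = {"packet", "state", "calc", "event", "account"}


def normalize_topics(prefix):
    """Split a prefix such as 'pptp,ppp,info,account' into three fields."""
    modules, severities, details = [], [], []
    for token in (t.strip().lower() for t in prefix.split(",")):
        if not token:
            continue  # tolerate stray commas
        if token in SEVERITIES:
            severities.append(token)
        elif token in DETAILS:
            details.append(token)
        else:
            modules.append(token)  # anything else is treated as a module name
    # Two severities (system,error,critical): keep the highest one.
    # No severity at all (ipsec, dns,packet): mark it explicitly.
    severity = max(severities, key=SEVERITIES.index) if severities else "unknown"
    return {
        "module": "/".join(modules) or "unknown",
        "severity": severity,
        "detail": ",".join(details),
    }


# Prefixes copied from the list in the post, chosen to cover the odd cases.
SAMPLE_PREFIXES = [
    "ssh,debug,packet",
    "system,error,critical",
    "system,e-mail,error",
    "ipsec",
    "dns,packet",
    "pptp,ppp,info,account",
]

if __name__ == "__main__":
    for p in SAMPLE_PREFIXES:
        print(f"{p:24} -> {normalize_topics(p)}")
```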
 
 
Jotne
Forum Guru
Topic Author
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Logging prefix is a mess

Fri Jul 13, 2018 2:50 pm

Still nothing has happened to this.
 
Jotne
Forum Guru
Topic Author
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Logging prefix is a mess

Thu Apr 18, 2019 10:04 am

I am still waiting for this to be fixed (cleaned up).
Should not be too hard??
If it cannot be done with 6.x, add it to the 7.x version of ROS.
 
Jotne
Forum Guru
Topic Author
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Logging prefix is a mess

Wed Jun 17, 2020 5:34 pm

I can see that v7 beta has not fixed anything regarding log format.
 
 
 
neutronlaser
Member
Posts: 447
Joined: Thu Jan 18, 2018 5:18 pm

Re: Logging prefix is a mess

Fri Sep 11, 2020 5:19 am

I don't think anyone cares.
 
jarda
Forum Guru
Posts: 7784
Joined: Mon Oct 22, 2012 4:46 pm

Re: Logging prefix is a mess

Fri Sep 11, 2020 7:29 am

Seems so. But the idea is not bad, I like it.
 
Jotne
Forum Guru
Topic Author
Posts: 2342
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Logging prefix is a mess

Fri Sep 11, 2020 11:16 am

When using external logging tools like Splunk to analyse logs, this old and messy format gives a lot of extra work.
I have sent this request two times to MikroTik so they know about it.
 
 
 
pe1chl
Forum Guru
Posts: 7796
Joined: Mon Jun 08, 2015 12:09 pm

Re: Logging prefix is a mess

Wed Jan 13, 2021 11:56 am

I have filed a feature request some time ago to allow more control over the logging.
Of course the best would be when there is much more detail about the log message in the prefix, probably even up to a unique identifier of each message.
(so you don't have to rely on pattern matching of the message text to separate the individual error messages for the same category)
When each message has a unique category it would also be possible to suppress certain messages while showing detailed output of some category for some reason (when not using Splunk but only the internal logging handler).

Lacking that, I have proposed to add regexp matching capability to the logging topics matcher, but of course more detailed topics would be best.
