BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Remote Logging and Kiwi Syslog

Thu Oct 07, 2021 10:50 pm

I have been trying for 2 days now and can't get the MikroTik router to do remote logging to Kiwi. I even reset the configuration, turned off the Windows firewalls and made sure all the port settings are right. What am I missing? I have read this post and the settings look the same: viewtopic.php?p=606032&sid=5d391c3322e8 ... 9a76a2efa2

I can see in the Firewall connections it is sending out the data but not getting to Kiwi.

P.S. I have this in a testing environment now so I don't mess up the production network. I want to get it working so I can put it into production.

All help is welcome.

Thank you.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Fri Oct 08, 2021 10:30 am

Can help you with this. But you can have a look at my post about setting up and using Splunk (instead of Kiwi syslog).
See link in my signature....
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog

Fri Oct 08, 2021 7:09 pm

We already have a paid version of Kiwi Syslog running on our production network. Only downloaded the free version for the test network. We will just stay with Kiwi for now.
Need to get the router to send logs to it.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Fri Oct 08, 2021 9:02 pm

Try to set up an rsyslog server on an Ubuntu server. Then see if that receives syslog data from your router.
For me Kiwi is just an equivalent to an rsyslog server.

What others write about Splunk/Kiwi:
The SolarWinds Kiwi Syslog Server does what it's supposed to do. It's a bare-bones Syslog Server. If your company is just trying to fulfill security requirements or doesn't need all the advanced features of a product such as Splunk, then Kiwi will work well and not break the bank. Using the tool is very straightforward as there aren't a lot of options outside of just viewing logs.
Last edited by Jotne on Tue Oct 12, 2021 7:59 am, edited 1 time in total.
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog

Mon Oct 11, 2021 11:37 pm

I tried to install rsyslog but some of the command lines on their website don't work. So what next?
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Tue Oct 12, 2021 8:03 am

So you can not get rsyslog to work?
You can try to search for help on google.
rsyslog site:https://stackoverflow.com
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog

Wed Oct 13, 2021 6:08 pm

We tried. Still running into problems trying to get rsyslog to work on Ubuntu. I'm not going to mess with rsyslog anymore.
Any ideas why we are not getting logs in kiwi?

P.S. So I tried a Syslog Generator on a different computer and kiwi does receive those logs so it's got to be on the router side of things.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Wed Oct 13, 2021 10:58 pm

To set up rsyslog on Ubuntu:
viewtopic.php?p=677233#p793342
This works for sure on a clean Ubuntu.

Where do you run Kiwi? Ubuntu/Linux?
Is there a local firewall? It may block data.

To send a test message from Ubuntu to a syslog server:
echo '<14>sourcehost message text' | nc -v -u -w 0 127.0.0.1 514
If it's a remote server, change 127.0.0.1 to the IP of the receiver.

If this works from a remote server, then there is an error in the MikroTik setup or something between MT and Kiwi.

Are the MT and Kiwi on the same LAN?

Post the output of:
/system logging export
This is my setup used with Splunk.
/system logging action
add name=logserver remote=192.168.1.50 target=remote
/system logging
set 0 disabled=yes
add action=logserver prefix=MikroTik topics=dhcp
add action=logserver prefix=MikroTik topics=!debug,!packet
add action=logserver prefix=MikroTik topics=hotspot
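
Added example, not part of the post above or of any poster's setup: a small UDP listener that decodes the `<PRI>` field of each datagram and reports the source IP, which shows why the `<14>` test line appears as user.info and gives a receiver-side check independent of Kiwi. The port 5514 and all function names are assumptions made for this sketch.

```python
import socket

# Facility and severity names by numeric code (RFC 5424, section 6.2.1).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()


def decode_pri(datagram: bytes):
    """Split '<PRI>rest' into (facility, severity, rest); None if malformed."""
    end = datagram.find(b">")
    if not datagram.startswith(b"<") or not 2 <= end <= 4:
        return None
    digits = datagram[1:end]
    if not digits.isdigit() or int(digits) > 191:
        return None
    pri = int(digits)          # PRI = facility * 8 + severity
    text = datagram[end + 1:].decode("utf-8", "replace").rstrip("\r\n")
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], text


def receive_one(sock: socket.socket):
    """Wait for one datagram; return (source_ip, facility, severity, text)."""
    data, (src_ip, _port) = sock.recvfrom(4096)
    decoded = decode_pri(data) or ("?", "?", data.decode("utf-8", "replace"))
    return (src_ip, *decoded)


def loopback_check():
    """Send the thread's test line to a listener on 127.0.0.1 and decode it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))      # ephemeral port; 514 needs privileges
        rx.settimeout(2)
        tx.sendto(b"<14>sourcehost message text\n", rx.getsockname())
        return receive_one(rx)


if __name__ == "__main__":
    print(loopback_check())
    # To watch for router traffic, listen on all interfaces instead.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", 5514))   # assumed port; set remote-port to match
        while True:
            print(*receive_one(sock))
```

If nothing from the router's address is printed while the loopback line is, the datagrams are being dropped before they reach the receiver.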
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog

Mon Oct 18, 2021 8:16 pm

Sorry for the late reply.

Kiwi is installed on Windows 10 Pro

and firewalls have been turned off.

kiwi is on the same network.

/system logging action
set 3 remote=192.168.88.254
/system logging
add action=remote topics=firewall
add action=remote topics=info
add action=remote topics=warning
add action=remote topics=error
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Tue Oct 19, 2021 11:38 am

It looks correct. Can you send from a Linux server to the Kiwi Syslog server as I mentioned above?
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog

Wed Oct 20, 2021 7:59 pm

So I ran echo '<14>sourcehost message text' | nc -v -u -w 0 192.168.88.254 514 and Kiwi did receive the message. I did not see any logs inside the /data/syslog/tcp or /data/syslog/udp folders.

But Kiwi is receiving the messages so it's the MT side of things. What next?
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Thu Oct 21, 2021 3:11 pm

What router do you have and what software version?

Try to remove all logging config and cut/paste this:
/system logging action
add name=logserver remote=192.168.88.254 target=remote
/system logging
set 0 disabled=yes
add action=logserver topics=!ups
This should send all logs (including debug, since I guess you do not have a UPS on the router) to logserver=192.168.88.254
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Remote Logging and Kiwi Syslog

Thu Oct 21, 2021 3:58 pm

I don't use Kiwi, so I'm not sure how their filtering works, but you have 192.168.88.1 set up as a source on Kiwi, and your logging src-address for the MikroTik is the default 0.0.0.0. While the log packet would have a source IP of 192.168.88.1, Kiwi may also be filtering based on the src-address of the log message.


pic.png
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog

Thu Oct 21, 2021 5:43 pm

Software Version: 6.48.5

And I did set the Src Address to 192.168.88.1 but that did not work as well.

/system logging> print
Flags: X - disabled, I - invalid, * - default
# TOPICS ACTION PREFIX
0 * info memory
1 * error memory
2 * warning memory
3 * critical echo

/system logging> remove numbers=0
failure: can not remove default rules

/system logging action> print
Flags: * - default
0 * name="memory" target=memory memory-lines=1000 memory-stop-on-full=no
1 * name="disk" target=disk disk-file-name="flash/log" disk-lines-per-file=1000 disk-file-count=2 disk-stop-on-full=no
2 * name="echo" target=echo remember=yes
3 * name="remote" target=remote remote=192.168.88.254 remote-port=514 src-address=0.0.0.0 bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon syslog-severity=auto

/system logging action> remove numbers=3
failure: can not remove default actions

But I did add your code. And still nothing.
Here are the last things I have got from Kiwi.

10-20-2021 13:23:58 User.Info 192.168.88.253 test message From Ubuntu
10-20-2021 13:15:32 Syslog.Debug 192.168.88.251 This is a test message generated by Kiwi SyslogGen
10-20-2021 13:14:21 Local7.Debug 127.0.0.1 Kiwi Syslog Server - Test message number 0001
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Fri Oct 22, 2021 8:14 am

Start over.

Set the MT router to default settings, connect it to the Kiwi server on the same net.
Add the syslog configuration and test.

Then add all other config.
Or test with another MT router.
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog

Mon Oct 25, 2021 6:11 pm

I have set the router back to default and tried a different MT router and get the same thing.

Also tried:

/system logging action
set 3 remote=192.168.88.254 src-address=192.168.88.1
/system logging
add action=remote topics=critical
add action=remote topics=info
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=firewall

/system logging action
set 3 bsd-syslog=yes remote=192.168.88.254 src-address=192.168.88.1 syslog-facility=syslog

/system logging action
set 3 bsd-syslog=yes remote=192.168.88.254 src-address=192.168.88.1 syslog-facility=local7

/system logging action
set 3 remote=192.168.88.254
/system logging
add action=remote topics=critical
add action=remote topics=info
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=firewall


and tested Kiwi again:
10-25-2021 08:26:24 User.Info 192.168.88.253 test message From Ubuntu
10-25-2021 08:26:24 Local7.Debug 192.168.88.253 X
10-25-2021 08:26:24 Local7.Debug 192.168.88.253 X
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Mon Oct 25, 2021 6:51 pm

Then I do not know what is wrong.
You can try my solution (in the signature). Install Ubuntu on a PC or VM machine. Install Splunk and send log data there.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Remote Logging and Kiwi Syslog

Tue Oct 26, 2021 8:27 am

It's easy enough to do a packet capture and verify the device is sending the syslog packets. I'm betting it's an issue with your Kiwi setup.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Tue Oct 26, 2021 7:58 pm

I do agree with the last comment. Config looks OK.
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog

Tue Oct 26, 2021 8:24 pm

mikeeg02

I don't think it's a Kiwi setup issue. I don't think the router is sending out syslog packets.

Here is the packet capture from the router, but this is a file I saved to the router and then input into Wireshark.
Router Capture1.JPG

I don't know if those packets actually left the router, since no packets are coming to the Kiwi computer from the router on port 514.

Here is the Kiwi computer capture by Wireshark.
Wireshark on the right and Kiwi on the left.
Kiwi Capture1.JPG
IP address
Router :192.168.88.1
Kiwi: 192.168.88.254
Ubuntu: 192.168.88.252

There are no IP packets coming in from the router on port 514 but from Ubuntu there are.

Here is the setup
Router 2.JPG
Router 1.JPG
Kiwi 2.JPG
Kiwi 1.JPG
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Thu Oct 28, 2021 7:51 am

Router is correctly set up. You have the same RouterOS version that I have used, so I know that it works.

Try another syslog server. I use 30-40 minutes to set up an Ubuntu server with Splunk.
If you run Splunk as a root user (normally I do not recommend that), you can make Splunk listen on port 514.
No need to add the MikroTik App that I have created. Just search for index=* to see all logs coming to Splunk.

How to make Splunk listen on UDP 514:
Settings->Data Input->UDP-> +Add new->UDP->Port:514->Next->New->Source Type:test->Review->Submit
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog

Fri Oct 29, 2021 8:00 pm

I did set up Splunk and got nothing.

So I set up a VM that's running RouterOS 6.48.5 and set it up and got logs in Kiwi and Splunk. I don't get it.
I have an RB750Gr2 and I have loaded the default configuration on it and it does not work.

Any ideas?
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Remote Logging and Kiwi Syslog

Fri Oct 29, 2021 8:35 pm

It really doesn't sound like your VM running Kiwi has access to the external network interface, only internal, since your VMs all can send to your Kiwi. If I am understanding what you've written properly.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Sat Oct 30, 2021 8:19 am

Are the VM and Kiwi running on the same hardware? It seems that something in your network blocks syslog. Can you make a detailed diagram?
 
BlueTechnomage
newbie
Topic Author
Posts: 46
Joined: Wed Nov 01, 2017 9:27 pm
Location: USA

Re: Remote Logging and Kiwi Syslog  [SOLVED]

Tue Dec 21, 2021 1:27 am

Added firewall rules for syslog:
add action=accept chain=output comment="Test syslog" dst-address=192.168.88.254 dst-port=514 out-interface="bridge1" protocol=udp
Moved the rule to the top and it works. Don't know why it did not before, but it does now.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Remote Logging and Kiwi Syslog

Tue Dec 21, 2021 2:15 am

Default firewall on router doesn't block any outgoing traffic (chain=output is empty). If you (or someone else) added any blocking rules, then yes, that could be the problem, and your new rule can fix it. But it was user error all along.
 
Jotne
Forum Guru
Posts: 3291
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Remote Logging and Kiwi Syslog

Tue Dec 21, 2021 9:04 am

Post your complete configuration. As Sob writes, normally there are no rules blocking outgoing traffic, so you have added some yourself.
/export hide-sensitive
