MikroTik routers are combining a powerful operating system (RouterOS) with low-cost prices. With Logstail.com and its advanced features built on top of ELK stack, we will visualize our MikroTik logs and analyze our network and security performance and get instant email alerts alongside with encriched reports. The importance of using log management software is highlighted in this article from our blog. In the few following steps we will analyze our logs on the platform, but also benefit from the numerous features of Logstail.
- Create a new logging action
- Configure MikroTik logging rules to specify which logs to send to Logstail.com
- Validate our logs.
- Add Mikrotik Graphs/Dashboards
- Configure Email Alerting
- Configure Reporting
- View Logstail’s Mikrotik Insights (using Machine Learning)
- Full encryption in Transit
Let’s start!
Step 1. Create a new logging action
In the first step, we have to sign-up for a new Logstail.com account here or login to an existing one. Then, on RouterOS we should create a new logging action under System -> Logging -> Actions that will send log data to Logstail.com.
To do so we should press “Add New” and add the following information to the relevant fields: Name “SendLogstail” (or any other name), Remote Address: “95.216.177.82” and Remote Port: “35625”.
If we choose to configure with terminal, then this is the command we should execute:
|
1 2 |
/system logging action add bsd-syslog=no name=SendLogstail remote=95.216.177.82 remote-port=35625 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=bsd-syslog target=remote |
Step 2. Configure MikroTik logging rules to specify which logs to send to Logstail.com
In the second step, we will develop some rules on MikroTik to send specific data to our Logstail.com stack.
1st rule: Send Firewall logs
The first rule is sending firewall messages, logs, or firewall events to Logstail.com. We configure a new rule which uses the action we created on the previous step, named “SendLogstail”. This new rule is going to send all messages that fall into the firewall topic from “firewall”. Logstail.com requires your unique “Your stacks’s token”, which can be copied from our main dashboard, to be added as a prefix in order to be able to successfully parse our logs. This token can be found here.
In the Prefix field, we should also add the word “mikrotik” after our “User Token” so as our logs to be distinguished from logs coming from other apps (ex. Apache, Nginx e.t.c.). After the word “mikrotik” we have to specify a “DeviceId” e.g. “OurRouter” or “Router_1” in order to distinguish this MikroTik Router logs from other Mikrotik Routers that we are going to add later.
|
1 2 |
/system logging add action=SendLogstail disabled=no prefix="OurUserToken mikrotik DeviceID" topics=firewall |
2nd Rule: Enable Firewall to log and drop
In the next action, we enable logging on our MikroTik firewall. If we have a set of firewall filter rules already on our Mikrotik, we can just simply enable logging. This procedure can be done in Action Tab of any firewall rule by selecting Log checkbox.
3rd Rule: Monitor Routers Health
In order to monitor RouterOS and health and other useful parameters (ex. arp list and firewall connections, Wireless & Hotspot Statistics), we have to create a scheduled task. Under System-> Scheduler-> Add New and name it “logstail” (or any name os your choice). Then we copy and paste the following commands into the scheduler task:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 |
#Ask MyMikroTik about its health #My Routers CPU Load, On DDOS attacks CPU goes almost 100% :local cpuload [/system resource get cpu-load]; #Routers Temperature :local SysTemperature [:tonum [/system health get temperature]]; #Firewall’s Number of firewall connections may indicate an attack :local Nofwconns [/ip firewall connection print count-only]; #No of members of router;s arp list help us to find how many lan users are up and running :local Arplist [/ip arp print count-only where complete=yes]; # Send the answer to logstail via syslog log error ("CPU_Load: $cpuload"); log error ("SysTemperature: $SysTemperature"); log error ("Nofwconns: $Nofwconns"); log error ("Arplist: $Arplist"); if ([/inte wireless registration-table print count-only]=1) do={ :local WirelessSignal [/ interface wireless registration-table get 0 signal-strength-ch0]; :local WirelessCCQ [/interface wireless registration-table get 0 rx-ccq]; log error ("WirelessSignal: $WirelessSignal"); log error ("WirelessCCQ: $WirelessCCQ"); log error ("WirelessClients: 1");} if ([/inte wireless registration-table print count-only]>1) do={ :local WirelessClients [/interface wireless registration-table print count-only]; log error ("WirelessClients: $WirelessClients"); } if ([/caps-man manager get enabled]=yes) do={ :local capTotclients [/caps-man registration-table print count-only]; log error ("CapsTotClients: $capTotclients");} if ([ / ip hotspot active print count-only] > 0 ) do={ :local hotspotactive [/ip hotspot active print count-only]; :local hotspotusers [/ip hotspot user print count-only]; log error ("hotspotactive: $hotspotactive"); log error ("hotspotusers: $hotspotusers");} /ip accounting snapshot take foreach syslog in=[/ip accounting snapshot find] do={:log error message="$[/ip accounting snapshot print as-value from=$syslog]"}}; |
System health logs are going to be generated via “error” log messages so we need to add a rule to send scheduler’s generated logs.
|
1 2 |
/system logging add action=logstail disabled=no prefix="OurUserToken mikrotik DeviceID" topics=error, !script |
4th Rule: DNS Requests
In this last step, we will configure MikroTik to send DNS related logs to Logstail.com, so as to be able to monitor what our local users visit more. To do so we should add this logging rule to log DNS requests and replies:
|
1 2 |
/system logging add action=logstail disabled=no prefix="OurUserToken mikrotik DeviceID" topics=dns,!packet |
5th Rule: Monitor your CapsMan
If they exist in your network Controlled Access Points (CAP) you can monitor your Controlled Access Point system Manager (CAPsMAN) which allows centralization of wireless network management. Logstail.com offers you a nice graph called HeatMap. With this, you can monitor the signal strengths of your connected users. In addition, you can monitor the utilization of each CAP. To do so you only have to enable CapsMan logging.
|
1 2 |
/system logging add action=logstail disabled=no prefix= "OurUserToken mikrotik DeviceID" topics=caps |
6th Rule: IP Accounting Information
To Monitor IP Accounting Information and get the most out of it you should go to IP->Accounting and Enable Accounting. (only for RouterOS6 and below)
|
1 2 |
/ip accounting set account-local-traffic=no enabled=yes threshold=256 |
The final image of the logging rules will be like this:
Step 3. Logs validation on Kibana
If we followed the previous steps, we should now be able to validate our logs on Logstail.com main page. We can now go to the Kibana submenu called Discover https://apps.logstail.com/discover/ and see our logs coming in.
Step 4. Adding Apps (Prebuilt Dashboards)
At this step, we can add some Logstail.com community prebuilt Dashboards and Visualizations that will definitely add value to our logs and will help us efficiently analyze them and discover hidden values. To add prebuilt Dashboards, go to Apps tab and install one or more Prebuilt Dashboards. Then you can access these Dashboards from the Kibana submenu called Objects.
Available MikroTik Dashboards
MikroTik – Firewall General Overview Dashboard
MikroTik – All-in-one Dashboard
MikroTik – Famous sites Dashboard
MikroTik – Attack on main ports Dashboard
Step 5. Email Alerting
Our alerting mechanism enables you or your team to be notified about situations that may cause problems to your devices or generally your infrastructure. You can find more detailed guidance about this excellent feature on our blog article! Don’t forget that now you have three (3) options to be alerted, Slack, Webhook and Email! Use them to take benefit of our alerting!
Step 6. Reporting
Reporting is a must today. Every entity, from the smallest organization to a big corporation needs metrics to assess the security posture of the company. That’s why our reporting feature is here to solve problems by providing the ability to create PNG, PDF, or CSV reports. You now have two choices, to create ad hoc reports or by definition (eg. predefined intervals). Again, our detailed article can solve any questions that may arise!
Step 7. Insights (Machine Learning)
Machine Learning is here to help, especially when we deal with vast amounts of data like log files! We now offer Anomaly Detection through the Insights tab to help you and your team identify and isolate anomalies from your data! The Insights feature has the ability to detect anomalies in near real-time using advanced algorithms.
Step 8. Full encryption in Transit (optionally)
Encryption in transit is essential to protect against eavesdroppers and malicious users that want to perform Man-in-the-Middle attacks. With this feature, you can stop worrying when your logs are traveling to Logstail platform.
The logs are gathered and transmitted securely to Logstail Server (TLS encryption) by a docker container hosted in your premises.
To deploy the container you just have to install Docker in a system which is accessible from your MikroTik devices and run the following script:
|
1 |
sudo docker run -d --restart=always -p 1514:1514/udp -e TOKEN="OurUserToken" --name ls-mikrotik-shipper logstail/mikrotik-shipper:latest |
The “OurUserToken” value can be found in your initial Logstail interface eg. a5b3e5ce34eac3f71b4cf9de38d32d59f
Then you have to add the new remote actions in your MikroTik devices with this script :
|
1 |
/system logging action add name=logstailTLS remote="DockerContainerIP" remote-port=1514 target=remote |
The “DockerContainerIP” value is the internal IP address of the system you have installed the container eg. 192.168.1.3
Now all you have to do is to change the logging rules to use the new remote action (logstailTLS).
Contact Our Expertsor Sign Up for Free
Conclusion
Logstail.com with its advanced features brings the functionality of ELK Stack to your hands. You don’t have to be an engineer in order to set up and use Elasticsearch anymore. Now you can easily turn your Mikrotik data into actionable insights with just some tweaks. You can maximize the performance of your infrastructure or be notified of potential problems and take the appropriate actions. Sign-up for a free demo in order to realize the power of Logstail.com.
