Monitor MikroTik with Logstail.com hosted ELK

 

MikroTik and its powerful operating system RouterOS are low cost Routers with advanced capabilities. With Logstail.com we can visualise our mikrotik syslog logs and analyse our Network and security performance.

Step 1. Create a new Syslog Action

At the first step we have to sign-up for a new Logstail.com account here.Then we should create a new mikrotik action that will send syslog data to Logstail.com. To do so we should add the following information to the relevant fields: Name “logstail”, Remote Address: “apps.logstail.com” and Remote Port: “35625”.

 

Step 2. Configure MikroTik to send logs to Logstail.com

At the 2nd step we will develop some rules on MikroTik to send specific topics to our Logstail.com stack.

1st rule: Send Firewall logs

The first rule is sending firewall issues to Logstail.com. We configure a new rule which uses the action we created on the previous step, named “logstail”. This new rule is going to send all topics from “firewall”. Logstail.com requires our unique “User Token”, that can be copied from our main dashboard, to be added as a prefix in order to be able to successfully parse our logs. Our User Token can be found here

  In the Prefix field, we should also add the word “mikrotik” after our “User Token” so as our logs to be distinguished from logs coming from other apps (ex. Apache, Nginx e.t.c.) . After the word “mikrotik” we have to specify a “DeviceId” e.g. “OurRouter” in order to distinguish this MikroTik Router logs from other Mikrotik Routers that we are going to add later. e.g. Prefix= 123456789abcdefgehjklmn mikrotik OurRouter.

2nd Rule: Enable Firewall to log and drop

At this step we will enable logging on our MikroTik firewall. If we have a set of firewall rules already on our mikrotik, we can just simply enable logging. Ex. of firewall rule:

3rd Rule: Monitor Routers Health

At this step and in order to configure our router so as to be able to monitor our Router’s Health and other useful parameters (ex. arp list and firewall connections, Wireless & Hotspot Statistics), we create a scheduler. We write a new scheduler from System-> Scheduler-> Add New and name it “logstail”. Then we copy and paste the following commands into source field:

We schedule it to run every 10 sec or whenever we believe it is better. System health logs are going to be generated via “error” log messages so we need to add a rule to send scheduler’s generated logs.

If we don’t want these logs to appear in memory we should edit the existing “error” rule as:

4th Rule: DNS Requests

In this last step we will configure MikroTik to send router’s DNS requests to Logstail.com, so as to be able to monitor what our local users visit more (Famous Websites). To do so we should add this syslog rule to log DNS requests:

5th Rule: Monitor your CapsMan

If you want to monitor your CapsMan, Logstail.com offers you a nice graph called HeatMap. With this you can monitor the signal strengths of your connected users. In addition you can monitor the utilization of each Access Point. To do so you only have to enable capsman logging.

 

6th Rule: IP Accounting Information

To Monitor IP Accounting Information and get the most out of it you should go to IP->Accounting and Enable Accounting.

 

Be sure to double check that you have the most recent version of the 3rd Rule script (please check it above) that contains IP accounting info in syslog messages that will be sent to Logstail.com.

Step 3. Logs validation on KIBANA.

If we followed the previous steps without (hopefully) errors, we should now be able to validate our logs on Logstail.com hosted KIBANA. We can now go to https://apps.logstail.com/kibana/ and see our logs coming in.  

 

Step 4. Adding some cool Dashboards (Graphs).

At this step, we can add some Logstail.com community prebuilt Kibana Dashboards and Visualizations that will definitely add value to our logs and will help us efficiently analyze them and discover hidden values. To add prebuilt Dashboards, go to https://apps.logstail.com/apps2go/ and install one or more dashboards.

 

MikroTik – Firewall General Overview Dashboard:

MikroTik – All-in-one Dashboard:

MikroTik – Famous sites Dashboard:

MikroTik – Attack on main ports Dashboard:

  When all steps are complete, you’re ready to explore your data!

 

Alternatively you can use our Logstail integrated MikroTik Guide here!

 

If there is anything not clear or you need further support and help, Logstail.com customer support team will be always there for you. Just shoot us an email at support@logstail.com and one of our experts will get back to you as soon as possible.

Happy Logging!

Analyze Nginx logs with ELK stack<<

Leave a Reply

Your email address will not be published.