MikroTik routers combine a powerful operating system (RouterOS) with a low price. With Logstail.com and its advanced features built on top of the ELK stack, we will visualize our MikroTik logs, analyze our network and security performance, and get instant email alerts along with enriched reports. The importance of using log management software is highlighted in this article from our blog. In the following steps we will analyze our logs on the platform and also benefit from the numerous features of Logstail.

  1. Create a new logging action
  2. Configure MikroTik logging rules to specify which logs to send to Logstail.com
  3. Validate our logs
  4. Add MikroTik Graphs/Dashboards
  5. Configure Email Alerting
  6. Configure Reporting
  7. View Logstail’s MikroTik Insights (using Machine Learning)
  8. Full encryption in Transit

Let’s start!

Step 1. Create a new logging action

In the first step, we have to sign up for a new Logstail.com account here or log in to an existing one. Then, on RouterOS we should create a new logging action under System -> Logging -> Actions that will send log data to Logstail.com.

To do so, we should press “Add New” and fill in the relevant fields: Name “SendLogstail” (or any other name), Remote Address “95.216.177.82” and Remote Port “35625”.

If we prefer to configure this from the terminal, this is the command we should execute:

 

Step 2. Configure MikroTik logging rules to specify which logs to send to Logstail.com

In the second step, we will develop some rules on MikroTik to send specific data to our Logstail.com stack.

1st rule: Send Firewall logs

The first rule sends firewall messages, logs and firewall events to Logstail.com. We configure a new rule that uses the action we created in the previous step, named “SendLogstail”. This new rule will send all messages that fall into the “firewall” topic. Logstail.com requires your unique stack token (“Your stack’s token”), which can be copied from our main dashboard, to be added as a prefix so that our logs can be parsed successfully. This token can be found here.

Logstail Mikrotik Monitor

 

In the Prefix field, we should also add the word “mikrotik” after our “User Token” so that our logs can be distinguished from logs coming from other apps (e.g. Apache, Nginx, etc.). After the word “mikrotik” we have to specify a “DeviceId”, e.g. “OurRouter” or “Router_1”, in order to distinguish this MikroTik router’s logs from those of other MikroTik routers that we are going to add later.

 
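The prefix layout described above ("stack token", then "mikrotik", then a DeviceId, ahead of the RouterOS topics and message) is easy to check on the receiving side. The following Python is an added example, not Logstail's or MikroTik's own code: it parses constructed syslog lines in that layout, rejects lines whose token does not match our stack (those are the lines the platform could never attribute to us), splits out the firewall fields, and counts which source hit which port on the input chain per device. The token is the example value the page gives later; the sample lines are constructed in the RouterOS firewall log style.

```python
import re
from collections import Counter

# Prefix layout from the tutorial: "<stack token> mikrotik <DeviceId>" ahead of the
# RouterOS topics and message. The token is the page's own example value; treat a
# real one like a credential, since it decides which stack ingests the line.
STACK_TOKEN = "a5b3e5ce34eac3f71b4cf9de38d32d59f"

PREFIX_RE = re.compile(
    r"^(?P<token>[0-9a-f]{32,})\s+mikrotik\s+(?P<device>\S+)\s+"
    r"(?P<topics>[\w,]+)\s+(?P<msg>.*)$"
)
# RouterOS firewall body: "<chain>: in:<if> out:<if>, ..., proto <P> (<flags>), a:p->b:p, len N"
FW_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>.+?), .*?proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, (?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)$"
)

# Constructed sample input: two input-chain hits on port 22 from one source, one
# forwarded DNS packet from a second router, one line carrying a foreign token,
# and one non-firewall health message from the scheduler task.
SAMPLE_LINES = [
    f"{STACK_TOKEN} mikrotik OurRouter firewall,info input: in:ether1 out:(unknown 0), "
    "src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:44321->192.0.2.1:22, len 60",
    f"{STACK_TOKEN} mikrotik OurRouter firewall,info input: in:ether1 out:(unknown 0), "
    "src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:44322->192.0.2.1:22, len 60",
    f"{STACK_TOKEN} mikrotik Router_1 firewall,info forward: in:ether2 out:ether1, "
    "proto UDP, 192.168.1.10:53211->198.51.100.7:53, len 72",
    "0123456789abcdef0123456789abcdef mikrotik OurRouter firewall,info input: in:ether1 "
    "out:(unknown 0), proto TCP (SYN), 198.51.100.9:40000->192.0.2.1:23, len 60",
    f"{STACK_TOKEN} mikrotik OurRouter system,error health: cpu-temperature 61C",
]


def parse_line(line, token=STACK_TOKEN):
    """Return a record for a line carrying our token, or None if the prefix is
    missing or belongs to another stack."""
    m = PREFIX_RE.match(line.strip())
    if not m or m.group("token") != token:
        return None
    rec = {"device": m.group("device"), "topics": m.group("topics").split(","), "msg": m.group("msg")}
    fw = FW_RE.match(rec["msg"]) if "firewall" in rec["topics"] else None
    if fw:
        rec["firewall"] = fw.groupdict()
        rec["firewall"]["dport"] = int(rec["firewall"]["dport"])
    return rec


def summarize(lines, token=STACK_TOKEN):
    """Count accepted/rejected lines and, per device, which source hit which
    destination port on the input chain (the view the firewall dashboards give)."""
    accepted = rejected = 0
    hits = Counter()
    for line in lines:
        rec = parse_line(line, token)
        if rec is None:
            rejected += 1
            continue
        accepted += 1
        fw = rec.get("firewall")
        if fw and fw["chain"] == "input":
            hits[(rec["device"], fw["src"], fw["dport"])] += 1
    return accepted, rejected, hits


if __name__ == "__main__":
    print(summarize(SAMPLE_LINES))
```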

2nd Rule: Enable Firewall to log and drop

In the next action, we enable logging on our MikroTik firewall. If we already have a set of firewall filter rules on our MikroTik, we can simply enable logging on them. This is done in the Action tab of any firewall rule by selecting the Log checkbox.

3rd Rule: Monitor Router Health

In order to monitor RouterOS health and other useful parameters (e.g. the ARP list, firewall connections, Wireless & Hotspot statistics), we have to create a scheduled task. Go to System -> Scheduler -> Add New and name it “logstail” (or any name of your choice). Then we copy and paste the following commands into the scheduler task:

 

System health logs are generated as “error” log messages, so we need to add a rule that sends the logs generated by the scheduler.

 

 

4th Rule: DNS Requests

In this step, we will configure MikroTik to send DNS-related logs to Logstail.com, so that we can monitor what our local users visit most. To do so, we should add this logging rule to log DNS requests and replies:

 

5th Rule: Monitor your CapsMan

If there are Controlled Access Points (CAP) in your network, you can monitor your Controlled Access Point system Manager (CAPsMAN), which centralizes wireless network management. Logstail.com offers a graph called HeatMap; with it, you can monitor the signal strength of your connected users. In addition, you can monitor the utilization of each CAP. To do so, you only have to enable CAPsMAN logging.

 

6th Rule: IP Accounting Information

To monitor IP Accounting information and get the most out of it, go to IP -> Accounting and enable Accounting.

 

The final set of logging rules will look like this:

 

 


 

Step 3. Logs validation on Kibana

If we followed the previous steps, we should now be able to validate our logs on the Logstail.com main page. We can go to the Kibana submenu called Discover (https://apps.logstail.com/discover/) and see our logs coming in.

 

Step 4. Adding Apps (Prebuilt Dashboards)

At this step, we can add some Logstail.com community prebuilt Dashboards and Visualizations that add value to our logs and help us analyze them efficiently and discover hidden value. To add prebuilt Dashboards, go to the Apps tab and install one or more Prebuilt Dashboards. Then you can access these Dashboards from the Kibana submenu called Objects.

Available MikroTik Dashboards

 

MikroTik – Firewall General Overview Dashboard

 

 

MikroTik – All-in-one Dashboard

 

MikroTik – Famous sites Dashboard

 

MikroTik – Attack on main ports Dashboard

 

Step 5. Email Alerting

Our alerting mechanism enables you or your team to be notified about situations that may cause problems to your devices or, more generally, your infrastructure. You can find more detailed guidance about this feature in our blog article! Don’t forget that you now have three (3) options to be alerted: Slack, Webhook and Email! Use them to take advantage of our alerting!

Step 6. Reporting

Reporting is a must today. Every entity, from the smallest organization to a big corporation, needs metrics to assess the security posture of the company. That’s why our reporting feature provides the ability to create PNG, PDF or CSV reports. You now have two choices: create ad hoc reports, or scheduled reports (e.g. at predefined intervals). Again, our detailed article can answer any questions that may arise!

 

 

Step 7. Insights (Machine Learning)

Machine Learning is here to help, especially when we deal with vast amounts of data like log files! We now offer Anomaly Detection through the Insights tab to help you and your team identify and isolate anomalies in your data. The Insights feature detects anomalies in near real time using advanced algorithms.

Step 8. Full encryption in Transit (optional)

Encryption in transit is essential to protect against eavesdroppers and malicious users who want to perform Man-in-the-Middle attacks. With this feature, you can stop worrying about your logs while they travel to the Logstail platform.

The logs are gathered and transmitted securely to the Logstail server (TLS encryption) by a Docker container hosted on your premises.

To deploy the container, you just have to install Docker on a system that is reachable from your MikroTik devices and run the following script:

 

The “OurUserToken” value can be found in your initial Logstail interface, e.g. a5b3e5ce34eac3f71b4cf9de38d32d59f

Then you have to add the new remote action on your MikroTik devices with this script:

The “DockerContainerIP” value is the internal IP address of the system on which you installed the container, e.g. 192.168.1.3

Now all you have to do is change the logging rules to use the new remote action (logstailTLS).

 

 


 

Conclusion

Logstail.com, with its advanced features, brings the functionality of the ELK Stack to your hands. You no longer have to be an engineer to set up and use Elasticsearch. Now you can easily turn your MikroTik data into actionable insights with just a few tweaks. You can maximize the performance of your infrastructure, or be notified of potential problems and take the appropriate actions. Sign up for a free demo to see the power of Logstail.com.
