Monitor Mikrotik with hosted ELK


MikroTik routers and their powerful operating system, RouterOS, offer advanced capabilities at low cost. With we can visualise our MikroTik syslog logs and analyse our network and security performance.

Step 1. Create a new Syslog Action

In the first step we have to sign up for a new account here, and then we should create a new MikroTik action that will send syslog data to To do so we should add the following information to the relevant fields: Name: “logstail”, Remote Address: “” and Remote Port: “35625”.


Step 2. Configure Mikrotik to send logs to

In the second step we will create some rules on MikroTik to send specific topics to our stack.

1st rule: Send Firewall logs

The first rule sends firewall issues to We configure a new rule which uses the action we created in the previous step, named “logstail”. This new rule is going to send all topics from “firewall”. requires our unique “User Token”, which can be copied from our main dashboard, to be added as a prefix so that our logs can be parsed successfully. Our User Token can be found here.

In the Prefix field, we should also add the word “mikrotik” after our “User Token” so that our logs can be distinguished from logs coming from other apps (e.g. Apache, Nginx, etc.). After the word “mikrotik” we have to specify a “DeviceId”, e.g. “OurRouter”, in order to distinguish this MikroTik router’s logs from those of other MikroTik routers that we are going to add later.
e.g. Prefix= 123456789abcdefgehjklmn mikrotik OurRouter

2nd Rule: Enable Firewall to log and drop

In this step we will enable logging on our MikroTik firewall. If we already have a set of firewall rules on our MikroTik, we can simply enable logging on them.

Ex. of firewall rule

3rd Rule: Monitor Router’s Health

In this step we create a scheduler so that we can monitor our router’s health and other useful parameters (e.g. the ARP list and firewall connections, wireless and hotspot statistics). We add a new scheduler from System -> Scheduler -> Add New and name it “logstail”. Then we copy and paste the following commands into the source field:

We schedule it to run every 10 seconds, or at whatever interval we believe is better.

System health logs are generated as “error” log messages, so we need to add a rule that sends the scheduler’s generated logs.

If we don’t want these logs to appear in memory we should edit the existing “error” rule as:

4th Rule: DNS Requests

In this last step we will configure MikroTik to send the router’s DNS requests to, so that we can monitor which websites our local users visit most (Famous Websites).
To do so we should add this syslog rule to log DNS requests:

5th Rule: Monitor your CapsMan

If you want to monitor your CapsMan, offers you a nice graph called HeatMap. With this you can monitor the signal strengths of your connected users. In addition you can monitor the utilization of each Access Point. To do so you only have to enable capsman logging.


6th Rule: IP Accounting Information

To monitor IP accounting information and get the most out of it, you should go to IP -> Accounting and enable accounting.


Be sure to double check that you have the most recent version of the 3rd Rule script (please check it above) that contains ip accounting info in syslog messages that will be sent to
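
The terminal equivalent of Steps 1 and 2, as an added example that is not part of the original page or the service's own instructions. The collector address `192.0.2.10` and `USER_TOKEN` are placeholders (the page does not give the address), and the `dns` and `caps` topic names and the reuse of one prefix on every rule are assumptions.

```routeros
# Added example. 192.0.2.10 is a documentation-range placeholder for the
# collector address; USER_TOKEN stands in for the token from the dashboard.

# Step 1: remote syslog action named "logstail" on port 35625.
/system logging action add name=logstail target=remote \
    remote=192.0.2.10 remote-port=35625

# 1st rule: forward the "firewall" topic.
# Prefix format from the page: "<User Token> mikrotik <DeviceId>".
/system logging add topics=firewall action=logstail \
    prefix="USER_TOKEN mikrotik OurRouter"

# 2nd rule: enable logging on the drop rules that already exist
# (assumes the filter table contains rules with action=drop).
/ip firewall filter set [find where action=drop] log=yes

# 3rd rule: the scheduler writes health data as "error" messages, so
# forward that topic too. The scheduler script itself is not reproduced here.
/system logging add topics=error action=logstail \
    prefix="USER_TOKEN mikrotik OurRouter"

# 4th rule: DNS requests (topic name "dns" is an assumption about the
# rule the page intended; this topic can be verbose).
/system logging add topics=dns action=logstail \
    prefix="USER_TOKEN mikrotik OurRouter"

# 5th rule: CAPsMAN logging (topic name "caps" is an assumption).
/system logging add topics=caps action=logstail \
    prefix="USER_TOKEN mikrotik OurRouter"

# 6th rule: IP accounting (IP -> Accounting menu, RouterOS v6).
/ip accounting set enabled=yes

# Check what was created before looking for the logs in Kibana.
/system logging action print where name=logstail
/system logging print where action=logstail
```

The prefix carries the User Token on every message, so anyone who can read the router's export or the syslog traffic can read the token; treat both accordingly.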

Step 3. Logs validation on KIBANA.

If we followed the previous steps without (hopefully) errors, we should now be able to validate our logs on hosted KIBANA. We can now go to and see our logs coming in.

Step 4. Adding some cool Dashboards (Graphs).

In this last but important and meaningful step, we will add some Apps2Go. They are community prebuilt KIBANA Dashboards (Graphs) and Visualizations that will definitely add value to our logs and will help us efficiently analyze them and discover hidden values.
To add prebuilt Dashboards, we go to and click on our desired Dashboards and visualizations images.

A JSON file will be downloaded to our computer, which can be easily imported into our hosted KIBANA (KIBANA -> Management -> Saved Objects -> Import).

CAPSMAN monitoring.
The following Graph shows a generic view of CAPSMAN status.

Now we can easily monitor specific CAPSMAN devices by selecting/clicking on the device name. now has more options: We can select a specific cAP antenna and monitor logged-in users along with the initial registration signal strength of each user.

Finally, you can focus on a specific device by selecting its MAC address and monitor how many times it was registered to CapsMan and at which cAP antenna it was connected. There is also a HeatMap where you can monitor this MAC address’s registration over time.

If there is anything not clear or you need further support and help, customer support team will be always there for you. Just shoot us an email at and one of our experts will get back to you as soon as possible.

Happy Logging!
