Monitor MikroTik with Logstail.com hosted ELK stack



MikroTik routers combine a powerful operating system (RouterOS) with a low price. With Logstail.com and its hosted ELK stack, we can visualise our MikroTik syslog logs and analyse our network and security performance.

Step 1. Create a new Syslog Action

In the first step, we have to sign up for a new Logstail.com account here. Then we create a new MikroTik logging action that sends syslog data to Logstail.com. To do so we fill in the relevant fields as follows: Name "logstail", Remote Address "apps.logstail.com" and Remote Port "35625".

/system logging
action add bsd-syslog=no name=logstail remote=95.216.177.82 remote-port=35625 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto syslog-time-format=bsd-syslog target=remote

Step 2. Configure MikroTik to send logs to Logstail.com

In the second step we create a set of logging rules on the MikroTik that send specific topics to our Logstail.com stack.

1st Rule: Send Firewall logs

The first rule sends firewall logs to Logstail.com. We configure a new logging rule that uses the action we created in the previous step, named "logstail", and sends all messages from the "firewall" topic. Logstail.com requires our unique "User Token", which can be copied from our main dashboard, to be added as a prefix so that our logs can be parsed successfully. Our User Token can be found here.

In the Prefix field, we also add the word "mikrotik" after our "User Token" so that our logs can be distinguished from logs coming from other apps (e.g. Apache, Nginx etc.). After the word "mikrotik" we specify a "DeviceId", e.g. "OurRouter", so that this router's logs can be told apart from those of other MikroTik routers we add later. Example: Prefix = 123456789abcdefgehjklmn mikrotik OurRouter.

/system logging
add action=logstail disabled=no prefix="710bf9f65bb6566092bf113f44bfb629 mikrotik ThamDang" topics=firewall
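To show what the prefix scheme buys us on the receiving side, here is an added Python example (not part of the original guide and not Logstail.com's own parser) that peels off the "UserToken mikrotik DeviceId" prefix, rejects messages with the wrong token or from a different app, parses the RouterOS firewall log text, and counts which destination ports are being hit per router, which is the kind of aggregation behind an "attack on main ports" dashboard. The sample lines are constructed; the assumed message layout is "<token> mikrotik <DeviceId> <topics> <message>", so check it against the lines you actually receive before relying on the regex.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample message bodies (not real traffic). Assumed layout:
# "<UserToken> mikrotik <DeviceId> <topics> <message>", i.e. the logging-rule
# prefix followed by the RouterOS firewall log text. Addresses are documentation ranges.
SAMPLE_LINES = [
    "710bf9f65bb6566092bf113f44bfb629 mikrotik ThamDang firewall,info input: in:pppoe-out1 out:(unknown 0), "
    "src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:51234->198.51.100.2:22, len 60",
    "710bf9f65bb6566092bf113f44bfb629 mikrotik ThamDang firewall,info input: in:pppoe-out1 out:(unknown 0), "
    "src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:51235->198.51.100.2:22, len 60",
    "710bf9f65bb6566092bf113f44bfb629 mikrotik ThamDang firewall,info input: in:pppoe-out1 out:(unknown 0), "
    "src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.9:40000->198.51.100.2:53, len 71",
    "710bf9f65bb6566092bf113f44bfb629 mikrotik Branch2 firewall,info input: in:ether1 out:(unknown 0), "
    "src-mac 66:77:88:99:aa:bb, proto ICMP (type 8, code 0), 192.0.2.44->198.51.100.9, len 84",
    # Another app sharing the same token: must not be counted as router traffic.
    "710bf9f65bb6566092bf113f44bfb629 apache ThamDang GET /index.html 200",
    "garbage line without the expected layout",
]

TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")
FIREWALL_RE = re.compile(
    r"^(?P<chain>\w+): in:(?P<in_if>[^ ]+) out:(?P<out_if>[^,]+), "
    r"(?:src-mac (?P<src_mac>[0-9a-f:]+), )?"
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)$"
)


@dataclass
class Envelope:
    token: str
    app: str
    device: str
    topics: str
    message: str


def split_prefix(line: str) -> Optional[Envelope]:
    """Peel off the prefix the logging rule prepends; None if the layout does not match."""
    parts = line.split(" ", 4)
    if len(parts) < 5 or not TOKEN_RE.match(parts[0]):
        return None
    token, app, device, topics, message = parts
    return Envelope(token, app, device, topics, message)


def parse_firewall(message: str) -> Optional[dict]:
    """Parse a RouterOS firewall log line into its fields; None if it is not one."""
    m = FIREWALL_RE.match(message)
    if not m:
        return None
    fields = m.groupdict()
    for key in ("sport", "dport", "length"):
        if fields[key] is not None:
            fields[key] = int(fields[key])
    return fields


def port_hits_per_device(lines, expected_token: str) -> Counter:
    """Count (DeviceId, proto, dport) hits on the input chain.
    Lines with a foreign token, from another app, or not from the firewall topic are ignored."""
    hits = Counter()
    for line in lines:
        env = split_prefix(line)
        if env is None or env.token != expected_token or env.app != "mikrotik":
            continue
        if not env.topics.startswith("firewall"):
            continue
        fw = parse_firewall(env.message)
        if fw is None or fw["chain"] != "input":
            continue
        hits[(env.device, fw["proto"], fw["dport"])] += 1
    return hits


if __name__ == "__main__":
    for key, n in port_hits_per_device(SAMPLE_LINES, "710bf9f65bb6566092bf113f44bfb629").most_common():
        print(key, n)
```

Checking the token before anything else matters: with a shared ingest endpoint, a line carrying someone else's token should never land in your index, and the app field is what keeps Apache or Nginx lines out of the MikroTik dashboards.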

2nd Rule: Enable Firewall to log and drop

At this step, we enable logging on our MikroTik firewall. If we already have a set of firewall rules on our MikroTik, we can simply enable logging on them. Example of a firewall rule with logging enabled:

/ip firewall filter
add chain=input in-interface=pppoe-out1 log=yes

3rd Rule: Monitor Routers Health

At this step, in order to monitor our router's health and other useful parameters (e.g. ARP list and firewall connections, Wireless and Hotspot statistics), we create a scheduler. We add a new scheduler from System -> Scheduler -> Add New and name it "logstail". Then we copy and paste the following commands into the source field:

# Ask my MikroTik about its health

# My router's CPU load; during DDoS attacks CPU load goes to almost 100%
:local cpuload [/system resource get cpu-load];

# Router's temperature
:local SysTemperature [:tonum [/system health get temperature]];

# Number of firewall connections; a sudden rise may indicate an attack
:local Nofwconns [/ip firewall connection print count-only];

# Number of complete entries in the router's ARP list shows how many LAN users are up and running
:local Arplist [/ip arp print count-only where complete=yes];

# Send the answers to Logstail via syslog (they go out on the "error" topic, see the logging rule below)
:log error ("CPU_Load: $cpuload");
:log error ("SysTemperature: $SysTemperature");
:log error ("Nofwconns: $Nofwconns");
:log error ("Arplist: $Arplist");

# Exactly one wireless client: report its signal strength and CCQ
:if ([/interface wireless registration-table print count-only]=1) do={
    :local WirelessSignal [/interface wireless registration-table get 0 signal-strength-ch0];
    :local WirelessCCQ [/interface wireless registration-table get 0 rx-ccq];
    :log error ("WirelessSignal: $WirelessSignal");
    :log error ("WirelessCCQ: $WirelessCCQ");
    :log error ("WirelessClients: 1");
}

# More than one wireless client: report only the count
:if ([/interface wireless registration-table print count-only]>1) do={
    :local WirelessClients [/interface wireless registration-table print count-only];
    :log error ("WirelessClients: $WirelessClients");
}

# CAPsMAN enabled: report the total number of clients across all CAPs
:if ([/caps-man manager get enabled]=yes) do={
    :local capTotclients [/caps-man registration-table print count-only];
    :log error ("CapsTotClients: $capTotclients");
}

# Hotspot in use: report active sessions and configured users
:if ([/ip hotspot active print count-only]>0) do={
    :local hotspotactive [/ip hotspot active print count-only];
    :local hotspotusers [/ip hotspot user print count-only];
    :log error ("hotspotactive: $hotspotactive");
    :log error ("hotspotusers: $hotspotusers");
}

# Take an IP accounting snapshot and send every entry (needs IP accounting enabled, see 6th Rule)
/ip accounting snapshot take
:foreach syslog in=[/ip accounting snapshot find] do={
    :log error message="$[/ip accounting snapshot print as-value from=$syslog]"
}

We schedule it to run every 10 sec, or at whatever interval we consider better.

System health values are emitted as "error" log messages, so we need to add a logging rule that sends the scheduler's generated logs.

/system logging
add action=logstail disabled=no prefix="710bf9f65bb6566092bf113f44bfb629 mikrotik ThamDang" topics=error

If we don't want these logs to appear in memory, we edit the existing "error" rule as follows:

/system logging
set 1 topics=error,!script
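The health values the scheduler sends are only useful if something watches them, so here is an added Python example (not part of the original guide and not a Logstail.com feature) that parses the "Metric: value" messages the script above emits and raises an alert when CPU load or the firewall connection count is both high in absolute terms and far above that router's own recent median. The sample messages are constructed to look like five successive 10-second runs with the prefix and "error" topic already stripped; the thresholds are illustrative and should be tuned to the router.

```python
import re
from collections import defaultdict, deque
from statistics import median
from typing import Optional

# Constructed sample message bodies in the "Metric: value" shape the scheduler
# script emits, as five successive runs (values invented for this example).
SAMPLE_HEALTH = [
    "CPU_Load: 12", "SysTemperature: 41", "Nofwconns: 340", "Arplist: 18",
    "CPU_Load: 14", "SysTemperature: 42", "Nofwconns: 355", "Arplist: 18",
    "CPU_Load: 11", "SysTemperature: 41", "Nofwconns: 330", "Arplist: 17",
    "CPU_Load: 13", "SysTemperature: 42", "Nofwconns: 348", "Arplist: 18",
    "CPU_Load: 97", "SysTemperature: 49", "Nofwconns: 12500", "Arplist: 18",
]

HEALTH_RE = re.compile(r"^(?P<metric>[A-Za-z_]+): (?P<value>-?\d+)$")

# metric -> (absolute floor, multiple of the recent median); both must be exceeded.
# The floor keeps a quiet router (median CPU 2%) from alerting at 8%.
# Illustrative values, not recommendations.
THRESHOLDS = {
    "CPU_Load": (85, 2.0),
    "Nofwconns": (5000, 4.0),
}


class HealthMonitor:
    """Keeps a short rolling window per metric and flags values that are both
    high in absolute terms and far above the router's own recent baseline."""

    def __init__(self, window: int = 6, min_samples: int = 3):
        self.history = defaultdict(lambda: deque(maxlen=window))
        self.min_samples = min_samples

    def observe(self, message: str) -> Optional[tuple]:
        """Feed one message body; return (metric, value, baseline) on alert, else None."""
        m = HEALTH_RE.match(message)
        if not m:
            return None  # not a health line (e.g. an accounting snapshot entry)
        metric, value = m.group("metric"), int(m.group("value"))
        hist = self.history[metric]
        alert = None
        if metric in THRESHOLDS and len(hist) >= self.min_samples:
            floor, factor = THRESHOLDS[metric]
            baseline = median(hist)
            if value >= floor and value >= factor * baseline:
                alert = (metric, value, baseline)
        hist.append(value)
        return alert


def run(messages) -> list:
    """Replay a sequence of message bodies and collect the alerts in order."""
    mon = HealthMonitor()
    return [a for a in (mon.observe(msg) for msg in messages) if a is not None]


if __name__ == "__main__":
    for metric, value, baseline in run(SAMPLE_HEALTH):
        print(f"ALERT {metric}={value} (recent median {baseline})")
```

The two-part condition is deliberate: the absolute floor catches a router that is simply saturated, while the ratio to the recent median catches a jump that is abnormal for this device even if the raw number would be ordinary on a bigger one. Temperature and ARP count are parsed but not thresholded, which keeps the example honest about what the page actually ties to an attack.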

4th Rule: DNS Requests

In this step, we configure MikroTik to send the router's DNS requests to Logstail.com, so that we can monitor which sites our local users visit most (Famous Websites). To do so we add this logging rule, which logs DNS requests but excludes the verbose packet dumps:

/system logging
add action=logstail disabled=no prefix="710bf9f65bb6566092bf113f44bfb629 mikrotik ThamDang" topics=dns,!packet

5th Rule: Monitor your CapsMan

If you want to monitor your CAPsMAN, Logstail.com offers a graph called HeatMap. With it you can monitor the signal strength of your connected users and the utilisation of each Access Point. To do so you only have to enable CAPsMAN logging (the "caps" topic).

/system logging
add action=logstail disabled=no prefix="710bf9f65bb6566092bf113f44bfb629 mikrotik ThamDang" topics=caps

6th Rule: IP Accounting Information

To monitor IP accounting information and get the most out of it, go to IP -> Accounting and enable Accounting.

/ip accounting
set account-local-traffic=no enabled=yes threshold=256

Be sure to double-check that you are using the most recent version of the 3rd Rule script (see above), which includes the IP accounting snapshot in the syslog messages sent to Logstail.com.

Step 3. Logs validation on Kibana

If we followed the previous steps without errors, we should now be able to validate our logs on the Logstail.com hosted Kibana. We can go to https://apps.logstail.com/kibana/ and see our logs coming in.

Step 4. Adding some cool Dashboards (Graphs).

At this step, we can add the Logstail.com community's prebuilt Kibana Dashboards and Visualizations, which add value to our logs and help us analyse them efficiently and surface patterns we would otherwise miss. To add prebuilt Dashboards, go to https://apps.logstail.com/apps2go/ and install one or more of them.

MikroTik – Firewall General Overview Dashboard
MikroTik – All-in-one Dashboard
MikroTik – Famous sites Dashboard
MikroTik – Attack on main ports Dashboard

When all steps are complete, you're ready to explore your data!

Alternatively, you can use our Logstail integrated MikroTik Guide here!

If anything is unclear or you need further support, the Logstail.com customer support team will always be there for you. Just send us an email at support@logstail.com and one of our experts will get back to you as soon as possible.

Happy Logging!
