For those who use a syslog with MikroTik and wish to have Sawmill parsing (MikroTik V6), I have the following regex.
You need to modify the file mikrotik_router.cfg under \program files\sawmill n\LogAnalysisInfo\
Autodetect line
log.format.autodetect_regular_expression = "[a-z,]+ *: [a-z]+:"
Parse line
if (matches_regular_expression(v.syslog_message, '^[a-z,]+ ([^ ]+) [^:]+: [a-z]+:([^ ]+) [a-z]+:([^,]+), [^,]+, proto ([A-Z]+) [^ ]+ ([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)\\:([0-9]+)->([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)\\:([0-9]+), [^,]+, len ([0-9]+)')) then (
This assumes a prefix when you log, and the 'type' field will be set to this prefix.
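
Added example (not part of the original post): a Python translation of the parse pattern above, run over constructed log messages to show which firewall entries it captures and which it skips. The group names, helper functions and sample lines are assumptions; the samples follow the layout the pattern implies for RouterOS v6 firewall logging.

```python
import re

# Python translation of the post's Sawmill pattern: the doubled backslashes of
# the .cfg string become single ones. Group names are hypothetical labels.
IP = r"[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"
PARSE_RE = re.compile(
    r"^[a-z,]+ (?P<type>[^ ]+) [^:]+: [a-z]+:(?P<in_if>[^ ]+) "
    r"[a-z]+:(?P<out_if>[^,]+), [^,]+, proto (?P<proto>[A-Z]+) [^ ]+ "
    rf"(?P<src_ip>{IP}):(?P<src_port>[0-9]+)->"
    rf"(?P<dst_ip>{IP}):(?P<dst_port>[0-9]+), [^,]+, len (?P<length>[0-9]+)"
)

# Constructed sample messages (syslog header already stripped).
MAC = "src-mac 00:00:5e:00:53:01"
NAT = "NAT (192.168.88.10:51514->203.0.113.5:51514)->198.51.100.7:443"
SAMPLES = [
    # prefix + TCP flags + NAT field: the shape the pattern expects
    f"firewall,info FWD-DROP forward: in:bridge out:ether1, {MAC}, "
    f"proto TCP (SYN), 192.168.88.10:51514->198.51.100.7:443, {NAT}, len 60",
    # same rule logged without a prefix
    f"firewall,info forward: in:bridge out:ether1, {MAC}, "
    f"proto TCP (SYN), 192.168.88.10:51514->198.51.100.7:443, {NAT}, len 60",
    # UDP: no flags token after the protocol
    f"firewall,info FWD-DROP forward: in:bridge out:ether1, {MAC}, "
    f"proto UDP, 192.168.88.10:51514->198.51.100.7:443, {NAT}, len 71",
    # input chain: no NAT field between the address pair and len
    f"firewall,info IN-DROP input: in:ether1 out:(none), {MAC}, "
    "proto TCP (SYN), 203.0.113.9:40000->192.0.2.1:22, len 60",
]

def parse(message):
    """Return the captured fields as a dict, or None if the pattern skips it."""
    m = PARSE_RE.match(message)
    return m.groupdict() if m else None

def coverage(messages):
    """Split messages into (parsed field dicts, skipped raw lines)."""
    parsed, skipped = [], []
    for msg in messages:
        fields = parse(msg)
        if fields:
            parsed.append(fields)
        else:
            skipped.append(msg)
    return parsed, skipped

if __name__ == "__main__":
    ok, missed = coverage(SAMPLES)
    print(ok[0])
    for line in missed:
        print("not parsed:", line)
```

Anything that lands in the skipped list would be absent from reports built on this pattern, so it is worth running a sample of your own router's output through it before relying on the totals.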