nickb
Member
Topic Author
Posts: 406
Joined: Thu Jan 26, 2006 6:24 pm
Location: Southeast Kansas

syslog configuration

Thu Apr 12, 2007 9:37 pm

I've configured all of my routers to use my syslog server, which works perfectly fine (Cisco routers, Ascend MAX RAS, and 3Com Total Control RAS log to it perfectly), however none of my Mikrotik routers show up in the log messages.

I thought perhaps it was configuration, so I tried 2 other syslog servers and none of them worked. Are there any specific configuration changes that need to be made on the standard Linux syslog server to get ROS to log to it?

My configuration is simple, it's basically impossible to configure the syslog wrong on the ROS - there's nothing to put in besides the IP and port!

Anyways, here's my configuration:
set remote name="remote" target=remote remote=<ip_addr>:514 
 
andrewluck
Forum Veteran
Posts: 700
Joined: Fri May 28, 2004 9:05 pm
Location: Norfolk, UK

Thu Apr 12, 2007 9:47 pm

You need to tell the router what to send to Syslog.

e.g.

/ system logging
add topics=info prefix="" action=remote disabled=no
add topics=error prefix="" action=remote disabled=no
add topics=warning prefix="" action=remote disabled=no
add topics=critical prefix="" action=remote disabled=no
add topics=critical prefix="" action=disk disabled=no
add topics=ike prefix="" action=memory disabled=no

Regards

Andrew
 
nickb
Member
Topic Author
Posts: 406
Joined: Thu Jan 26, 2006 6:24 pm
Location: Southeast Kansas

Thu Apr 12, 2007 9:51 pm

Yes, it should be sending everything to the syslog. I have a rule stating to send "info,warning,critical,firewall,error,pppoe,account" to the syslog server.
 
csickles
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ

Thu Apr 12, 2007 9:57 pm

Just to test that it is sending, I would try the syslog server from MikroTik.
You could also try SYSLOG2ODBC..

I have used both and both work W/MikroTik..

If it is a Windows-based syslog box, remember to check the D@#@#M Microsoft firewall settings..

Don't just remember the settings, GO LOOK. They can change on their own... I am NOT kidding.. I had one do it to me today... I turned it off, rebooted and it turned back on... I turned it back off, rebooted and it stayed off... :x

That Da324324med firewall is only good for making admins' lives miserable..


Craig
 
nickb
Member
Topic Author
Posts: 406
Joined: Thu Jan 26, 2006 6:24 pm
Location: Southeast Kansas

Thu Apr 12, 2007 10:14 pm

We're a Linux shop, no Windows servers to try syslogging to. It really ought to work logging to a standard syslog server, anyways.

I checked with the tcpdump utility, the syslog server isn't even receiving any packets from the ROS boxes, so the problem must be that the ROS boxes aren't /sending/ the packets.
 
csickles
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ

Thu Apr 12, 2007 10:58 pm

I just configured a 532 to push to a MikroTik syslog server and it was ok...
I am looking at another syslog server... I will post in a second....
 
nickb
Member
Topic Author
Posts: 406
Joined: Thu Jan 26, 2006 6:24 pm
Location: Southeast Kansas

Mon Apr 16, 2007 8:37 pm

Well, I scared up a Windows box and tried the MT syslog server from the download page. Multiple ROS boxes set to log to that box with this configuration:
# apr/16/2007 13:36:01 by RouterOS 2.9.35
#
/ system logging 
add topics=info,!firewall prefix="" action=disk disabled=no 
add topics=critical prefix="" action=echo disabled=no 
add topics=error prefix="" action=disk disabled=no 
add topics=warning prefix="" action=disk disabled=no 
add topics=info prefix="" action=memory disabled=no 
add topics=firewall prefix="" action=FirewallHits disabled=no 
add topics=info,account,warning,critical,error,pppoe,system prefix="ArcoPPPoE" \
    action=remote disabled=no 
/ system logging action 
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no 
set disk name="disk" target=disk disk-lines=300 disk-stop-on-full=no 
set echo name="echo" target=echo remember=yes 
set remote name="remote" target=remote remote=1.2.3.4:514 
add name="FirewallHits" target=disk disk-lines=300 disk-stop-on-full=no 
The only configuration variable between systems is the "Prefix" setting, otherwise, all are identical.

None log anything to the syslog server, even with the MT syslog daemon!

Either I've got something configured wrong, or syslogging is broken. If I had to bet, I'd bet it's my configuration - but I don't see how this could be not working. It's pretty simple configuration stuff, hard to screw up!
 
csickles
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ

Mon Apr 16, 2007 9:24 pm

set remote name="remote" target=remote remote=1.2.3.4:514
I am guessing this has been edited??

What is the layout, i.e. can you ping back and forth?? I know, stupid question, but check...

Your ROS Version is 7 back... Try upgrading a test box..

I tried another Syslog server "Syslog Turbo", it works... but I don't like the design...

Also check for any filtering between the router and the Windows host.
I.e. any drops (or drop all remaining) in your firewall chains that may be "eating" your syslog packets...

Craig
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Mon Apr 16, 2007 9:40 pm

1.2.3.4 isn't a valid IP. I assume that's intentional for posting.

Try logging 1 topic per entry ... I believe it's an AND clause, which means you'll never match that rule.

Sam
 
csickles
Forum Guru
Posts: 1255
Joined: Fri May 28, 2004 8:46 pm
Location: Phoenix, AZ

Tue Apr 17, 2007 12:04 am

I see what you are saying...
That would suck... It looks like it should be an "OR"... but it would make sense as to why nothing is getting logged...

Craig
 
nickb
Member
Topic Author
Posts: 406
Joined: Thu Jan 26, 2006 6:24 pm
Location: Southeast Kansas

Thu Apr 19, 2007 1:46 am

I just changed the "remote" rule to contain only "account", and upon logging another session in, a syslog entry appears.

This seems odd to me, should this not be "everything listed here, take this action"? That would be much more intuitive.

Also, whoever wrote http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router should pay more attention, because they wrote:
Once we have set the IP we can go ahead and add a rule to log everything to the daemon

/system logging add action=remote topics=info,warning,critical,firewall,error prefix="RouterId"
Which is exactly what I first attempted to use, and does not work.
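
The AND matching that changeip suggests and nickb confirms above, modelled as an added example (not part of the thread and not MikroTik's code): it parses `/system logging` export lines and reports which rules can never fire. The message topic sets and the `FIXED` configuration are assumptions constructed for illustration.

```python
import re

# Constructed input: two rules copied from the export posted in the thread.
BROKEN = r'''/ system logging
add topics=info,!firewall prefix="" action=disk disabled=no
add topics=info,account,warning,critical,error,pppoe,system prefix="ArcoPPPoE" \
    action=remote disabled=no
'''
# Assumed fix, following the advice in the thread: one topic per remote rule.
FIXED = r'''/ system logging
add topics=info,!firewall prefix="" action=disk disabled=no
add topics=account prefix="ArcoPPPoE" action=remote disabled=no
add topics=error prefix="ArcoPPPoE" action=remote disabled=no
'''

def parse_rules(export):
    """Return [(topics, action)] for each 'add' line of a logging export."""
    rules = []
    for line in export.replace("\\\n", " ").splitlines():  # join continuations
        topics = re.search(r"\btopics=(\S+)", line)
        action = re.search(r"\baction=(\S+)", line)
        if line.lstrip().startswith("add") and topics and action:
            rules.append((topics.group(1).split(","), action.group(1)))
    return rules

def rule_matches(topics, msg_topics):
    """AND model: each topic must be on the message, each '!topic' absent."""
    return all((t[1:] not in msg_topics) if t.startswith("!") else (t in msg_topics)
               for t in topics)

def actions_for(export, msg_topics):
    """Actions a message carrying the given topics would trigger."""
    msg = set(msg_topics)
    return [a for t, a in parse_rules(export) if rule_matches(t, msg)]

def never_fires(export, samples):
    """Rules matching none of the sample messages: candidate dead rules."""
    return [(t, a) for t, a in parse_rules(export)
            if not any(rule_matches(t, set(s)) for s in samples)]

# Constructed topic sets for a login, a PPPoE event and an error message.
SAMPLES = [["system", "info", "account"], ["pppoe", "info"], ["system", "error"]]

if __name__ == "__main__":
    print(actions_for(BROKEN, SAMPLES[0]))  # login reaches disk only
    print(actions_for(FIXED, SAMPLES[0]))   # login now also reaches remote
    print(never_fires(BROKEN, SAMPLES))     # the seven-topic remote rule
```

A rule reported by `never_fires` means the events it was meant to forward stay on the router, so the central syslog server has no record of them.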
