 
Sayrax
just joined
Topic Author
Posts: 24
Joined: Mon Jun 26, 2017 4:44 pm
Location: Kharkiv

SysLog

Tue Jun 23, 2020 5:50 pm

Good day! There is a small network, one broadcast domain without VLANs. There is a log collector, but the MikroTik flatly refuses to send to it. There is no firewall on the collector.
Actions:
/system logging action print
name="rsyslog" target=remote remote=192.168.50.5 remote-port=514 src-address=0.0.0.0 bsd-syslog=no syslog-time-format=bsd-syslog syslog-facility=daemon syslog-severity=auto
Rules:
topics=info,error,critical,system,event,warning,script,wireless,dhcp,ipsec prefix="" action=remote
Log collector on CentOS 7 (x64)
/etc/rsyslog.d/server.conf
# UDP syslog reception
$ModLoad imudp.so
$UDPServerRun 514

# Provides TCP syslog reception
$ModLoad imtcp.so
$InputTCPServerRun 514
I used tcpdump, but it shows nothing.
RouterOS version 6.47; the same happens in earlier versions.
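The rsyslog configuration above loads both imudp and imtcp, and the telnet test later in the thread exercises only the TCP listener. When a collector seems deaf, the quickest check is a listener that bypasses rsyslog entirely and shows what, if anything, arrives on UDP 514. The following is an added example, not tooling from the original post: a stand-alone UDP receiver that also decodes the syslog PRI field, which the action's syslog-facility=daemon and syslog-severity=auto settings produce as facility*8 + severity. The sample datagram is constructed for illustration and only approximates what the router sends.

```python
import socket

# Added example (not the original poster's tooling): a stand-alone UDP syslog
# receiver so you can confirm datagrams reach port 514 without rsyslog in the
# path, and decode the PRI that RouterOS builds from syslog-facility=daemon
# and syslog-severity=auto. PRI = facility * 8 + severity (RFC 3164/5424).

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample, roughly in BSD syslog form; not a captured router message.
SAMPLE_DATAGRAM = b"<30>Jun 23 17:50:01 MikroTik dhcp,info dhcp-client on ether1 got address 10.0.0.5"


def parse_syslog(datagram: bytes) -> dict:
    """Decode '<PRI>rest' into facility, severity and the remaining text.

    A datagram without a valid PRI (missing, non-numeric or above 191) is still
    returned, with facility/severity set to None, so nothing that arrives is hidden.
    """
    text = datagram.decode("utf-8", errors="replace")
    if text.startswith("<"):
        end = text.find(">")
        if 0 < end <= 4 and text[1:end].isdigit():
            pri = int(text[1:end])
            if pri <= 191:  # 23 * 8 + 7 is the largest legal value
                return {
                    "pri": pri,
                    "facility": FACILITIES[pri // 8],
                    "severity": SEVERITIES[pri % 8],
                    "message": text[end + 1:],
                }
    return {"pri": None, "facility": None, "severity": None, "message": text}


def receive(bind_addr: str = "0.0.0.0", port: int = 514,
            timeout: float = 30.0, limit: int = 5) -> list:
    """Listen for up to `limit` datagrams (or until `timeout` seconds pass) and decode each one."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_addr, port))
        while len(results) < limit:
            try:
                data, (src_ip, src_port) = sock.recvfrom(65535)
            except socket.timeout:
                break
            entry = parse_syslog(data)
            entry["source"] = f"{src_ip}:{src_port}"
            results.append(entry)
    return results


if __name__ == "__main__":
    print("sample:", parse_syslog(SAMPLE_DATAGRAM))
    # Binding port 514 needs root; stop rsyslog first or bind a different port
    # while testing, since two listeners cannot share the same UDP port.
    for entry in receive():
        print(entry)
```

If this listener receives nothing while the router claims to be logging, the problem is upstream of the collector (routing, the logging rule itself, or a firewall on the path); if it receives datagrams but rsyslog writes nothing, the problem is in the rsyslog configuration.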
 
WeWiNet
Long time Member
Posts: 619
Joined: Thu Sep 27, 2018 4:11 pm

Re: SysLog

Tue Jun 23, 2020 9:09 pm

You need to add an ACCEPT rule in the firewall "output" chain for traffic to the IP of your syslog server ...
 
Sayrax
just joined
Topic Author
Posts: 24
Joined: Mon Jun 26, 2017 4:44 pm
Location: Kharkiv

Re: SysLog

Tue Jun 23, 2020 10:50 pm

You need to add an ACCEPT rule in the firewall "output" chain for traffic to the IP of your syslog server ...
Thanks. But the OUTPUT table refers to outgoing traffic from the server, in this case syslog.
On the syslog server the firewall is empty and the default policy is ACCEPT.
From the MikroTik to the LAN the default policy is ACCEPT without any rules.
 
Sayrax
just joined
Topic Author
Posts: 24
Joined: Mon Jun 26, 2017 4:44 pm
Location: Kharkiv

Re: SysLog

Tue Jun 23, 2020 10:52 pm

When I test with telnet, connecting to the syslog port (514), the server answers me and even makes an entry in the event log. The incoming traffic is also visible in tcpdump.
 
eworm
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: SysLog

Tue Jun 23, 2020 11:04 pm

Rules:
topics=info,error,critical,system,event,warning,script,wireless,dhcp,ipsec prefix="" action=remote
A message has to contain all topics to match. That's an impossible combination, even info and error are exclusive to each other. Try this:
/system logging
add action=remote topics=info
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=critical
 
Sayrax
just joined
Topic Author
Posts: 24
Joined: Mon Jun 26, 2017 4:44 pm
Location: Kharkiv

Re: SysLog

Tue Jun 23, 2020 11:12 pm

Rules:
topics=info,error,critical,system,event,warning,script,wireless,dhcp,ipsec prefix="" action=remote
A message has to contain all topics to match. That's an impossible combination, even info and error are exclusive to each other. Try this:
/system logging
add action=remote topics=info
add action=remote topics=error
add action=remote topics=warning
add action=remote topics=critical
Thank you so much. It works.

Probably worth writing to support, since this is a bug.
 
eworm
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: SysLog

Tue Jun 23, 2020 11:17 pm

No, this is not a bug. Why do you think so?
 
Sayrax
just joined
Topic Author
Posts: 24
Joined: Mon Jun 26, 2017 4:44 pm
Location: Kharkiv

Re: SysLog

Tue Jun 23, 2020 11:34 pm

No, this is not a bug. Why do you think so?
I see no reason to write a rule for each topic. If, for example, I have two remote syslog servers.
 
eworm
Forum Guru
Posts: 1092
Joined: Wed Oct 22, 2014 9:23 am
Location: Oberhausen, Germany

Re: SysLog

Wed Jun 24, 2020 12:27 am

As said before a message has to match all topics given in a rule. So you can use something like this...
/system logging add action=remote topics=info,dhcp
... to match all messages that have topic info and dhcp.

But there is no message that has topics error and info at the same time. So a rule like this will never match.

Well, you could try something like this for a single rule...
/system logging add action=remote topics=!debug
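The matching rule eworm describes in both of his replies (every topic listed in a rule must be present on the message, a `!topic` must be absent, and separate `add` lines are independent rules) is easy to misread as "any of these topics". The following is an added example, not MikroTik's code: a small model of that semantics run over a constructed sample of log entries, so you can see why the original ten-topic rule forwards nothing, why four single-topic rules forward almost everything, and what `!debug` selects. The topic sets on the sample entries are assumptions chosen to resemble `/log print` output.

```python
from __future__ import annotations

# Added example (not MikroTik's code): a model of how a RouterOS
# `/system logging` rule's topics= list is applied to a log message, as the
# thread describes it. Assumption: every plain topic in the rule must be
# present in the message's topic set, and no '!'-prefixed topic may be.


def parse_topics(spec: str) -> tuple[frozenset[str], frozenset[str]]:
    """Split a topics= value such as 'info,dhcp' or '!debug' into
    (required, excluded) topic sets."""
    required: set[str] = set()
    excluded: set[str] = set()
    for raw in spec.split(","):
        topic = raw.strip()
        if not topic:
            continue
        if topic.startswith("!"):
            excluded.add(topic[1:])
        else:
            required.add(topic)
    return frozenset(required), frozenset(excluded)


def rule_matches(rule_topics: str, message_topics: set[str]) -> bool:
    """True when the message carries all required topics and none of the excluded ones."""
    required, excluded = parse_topics(rule_topics)
    return required <= message_topics and not (excluded & message_topics)


# Constructed sample entries in the style of `/log print`: (topic set, text).
SAMPLE_LOG: list[tuple[set[str], str]] = [
    ({"system", "info"}, "router rebooted"),
    ({"dhcp", "info"}, "dhcp-client on ether1 got address 10.0.0.5"),
    ({"system", "error", "critical"}, "login failure for user admin from 10.0.0.9 via ssh"),
    ({"wireless", "debug"}, "wlan1: data rate adjusted"),
    ({"firewall", "info"}, "input: in:ether1 out:(none), proto TCP, 10.0.0.9:51000->10.0.0.1:22"),
]


def select(rule_topics: str) -> list[str]:
    """Messages forwarded by a single rule `add action=remote topics=<rule_topics>`."""
    return [text for topics, text in SAMPLE_LOG if rule_matches(rule_topics, topics)]


def select_any(rules: list[str]) -> list[str]:
    """Messages forwarded by several rules (one `add ...` line each); any matching rule suffices."""
    return [text for topics, text in SAMPLE_LOG if any(rule_matches(r, topics) for r in rules)]


if __name__ == "__main__":
    original = "info,error,critical,system,event,warning,script,wireless,dhcp,ipsec"
    print("original rule   :", select(original))  # nothing: no entry carries all ten topics
    print("four rules      :", select_any(["info", "error", "warning", "critical"]))
    print("topics=!debug   :", select("!debug"))
    print("topics=info,dhcp:", select("info,dhcp"))
```

From a monitoring point of view the original rule is the dangerous case: the router reports the rule as configured, the action is valid, and yet the collector receives nothing, so an auditor checking only the configuration would believe remote logging is in place. Verifying that entries actually arrive at the collector, rather than that a rule exists, is the check that catches it.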