MikroTik

Hi, I want to clear log page. It is 7 MiB, I don't want it to keep adding new log informations, I just want to delete past ones so new logs come easily.

you can enter in System Logging, and disable all logging report..thats all you have to do..

ThankYou

I don't want to disable, I just want to clear log information.

If your way is not disabling. Can you tell me how to do that?

This is how I usually do it:
1. Go to system > logging > actions
2. double click the ones you want to change (e.g: disk), change the "Lines" value to 1. It will delete all previous entries.
3. Change it back to the desired number of lines.
4. All done. ^^

This is how I usually do it:
1. Go to system > logging > actions
2. double click the ones you want to change (e.g: disk), change the "Lines" value to 1. It will delete all previous entries.
3. Change it back to the desired number of lines.
4. All done. ^^

Well, I disabled the rules part than enabled it.

Uhhh, you do want to CLEAR the old log entries, no?

Disabling the rules then re-enabling it won't clear the old entries. In fact, it will add a "log rule changed by..." line for every rule you disable, then another one when you enable it.

Oh well, if you managed to do what you want to do... ^_^

You can also reboot. All not stored on disk logs are gone....

But indeed, a nice feature of winbox would be a ´clear log files´ button.

You can also reboot. All not stored on disk logs are gone....

But indeed, a nice feature of winbox would be a ´clear log files´ button.

That didn't worked.

Uhhh, you do want to CLEAR the old log entries, no?

Disabling the rules then re-enabling it won't clear the old entries. In fact, it will add a "log rule changed by..." line for every rule you disable, then another one when you enable it.

Oh well, if you managed to do what you want to do... ^_^

Yes I cleared by disabling I'm using 2.9.x

v3.19 no method described removed the logs saved on disk, they can still be seen in Logs. I did not reboot the router. Maybe after rebooting they will disappear. I changed the settings, disabled, enabled, now all settings are back to normal - critical and warning are set to disk. I hope this does not cause the old logs to remain after a reboot.

But this is stupid. MikroTik team, just make a "clear logs" feature. Thank you.

I logged in today and logs were gone. Router has not been rebooted due to power outage during night. Only logs that were set to memory were there and one line of log on disk. This still feels stupid.

p.s. because of below post I can clarify: I mean that the router has not been rebooted. And that I guess that when it is rebooted due to one reason or other the logs could be gone then and the result from the silly actions taken could be seen then. Which is not good because nobody wants router downtime, right? Right. And ps.2 we are talking about disk logs here. Please reed closely before posting early in the morning

Well, what you write makes no sense.
"Router has not been rebooted due to power outage"
If you have had a power outage your router HAS been rebooted. Or you must have found the first router that doesn't need power to work....

Second, if the router reboots all memory log files are lost due the power loss of the cpu.
So that makes it impossible that you still have memory recorded logs from before the reboot...

Every log line written to disk should be there after a reboot, if not you better check your disk.

Rudy

Add this script, it is a work around...

/system script
add name="Clear Log" policy=ftp,reboot,read,write,policy,winbox,password,sniff source=\
"/system logging action\r\
\nset 0 memory-lines=1\r\
\nset 0 memory-lines=100"

Unfortunately this method no longer works. I have done a feature request for a "clear log" function to be added.

Except hiding malicious actions, what purpose would this have?

Two reasons I can think of, both have affected me over the last few days:
1) For debugging purposes I really don't care about the history at this particular moment in time and would like to clear the log, try something and look at a minimized version of the log that hasn't been filled by my previous 2994 attempts at debugging. It would help a great deal if the log only shows the information that is useful to me at this point in time. It has happened in the past where I've confused a previous runs results with the latest runs result when there is actually a flaw in the script causing it not to run at all. Some scripting errors don't print any output to the log even if critical failures occur and it's easy to confuse results.
2) When debugging issues over a really crappy Internet line, I've noticed that sometimes the log is so overbearing that when you connect in Winbox it tries to load the last months logs it causes the connection to disconnect. It drops you, and then when you log in again it tries to do the same thing again and again until you are lucky enough to be able to close the log window. Then you can do what you actually need to do.

Edit: If I really wanted to hide any malicious actions I could just reboot it which would clear the log anyway...

Make a new logging action=file, then make a new logging rule with this action. after done debugging, delete it.

Make a new logging action=file, then make a new logging rule with this action. after done debugging, delete it.

I'll try that.

What about adding support for a ring buffer where it deletes the oldest and moves everything up as an alternative to "Stop on Full"?

Make a new logging action=file, then make a new logging rule with this action. after done debugging, delete it.

I've tried this and it would work okay if I could create my own topic. But because the topic field is hardcoded I have to try and choose one which hopefully won't carry other traffic. This seems like a whole lot of unnecessary stuff just to try and get to a point where I can reduce the amount of noise on the screen. The router should not be compromised in the first place. If the router has been compromised and the person is able to click the "clear log" button then he has already won. I don't see how the lack of a "clear log" button is somehow going to improve security.

1) Go to System Logging Actions Add name=Temp type=disk file-name=mylog
2) Go to System Logging Rules Add topic=info prefix=cheese action=temp
3) Log info "cheese: custom message"

But because the topic field is hardcoded I have to try and choose one which hopefully won't carry other traffic.

Just make one identical to the default you use. Critical/Error/Info/Warning are the defaults that go into your LOG screen.

But because the topic field is hardcoded I have to try and choose one which hopefully won't carry other traffic.

Just make one identical to the default you use. Critical/Error/Info/Warning are the defaults that go into your LOG screen.

I can do that, but if I could create a custom one I could significantly reduce the amount of after-the-fact filtering that I need to do.

Still in my mind a "clear log" button would be a lot easier than having to make all of these changes on production routers. But I guess if it's important to other people as well they will say so.

A nice feature request for ages that would help debugging a lot:
The option to highlight words or rules in the log. Helps keeping visual track of what where happened when.
The option to then copy the highlighted parts from the log to paste in a txt doc or else.

And last but not least, the option to search for specific text by a search box.

When you want to do nonstandard things with logging especially for debugging and monitoring I recommend
to add an external syslog server. Of course logging over the network means you won't get logs about network
disconnections that would be forwarded over that same connection, and you also miss some of the startup
messages that are sent before the network comes up, but on the other hand you can select the syslog software
that you want and have the features that you like (including storing all logs in a searchable "database" more
powerful than you can ever imagine).
This way, the built-in logging system can be kept simple. I usually don't even log to disk, only to memory.

W.r.t. clearing the log: sometimes one can get out of sync when typing usernames and passwords, especially
when using different systems where sometimes the username is already specified in the (ssh or ftp) command
and sometimes it isn't.
When you accidentally enter the password where it asks for the username, it is logged and kept in a place where
you cannot easily delete it.
There should be an option to never log usernames on failed logon attempts. And maybe it should be
possible to overwrite them in the memory and disk logs.

Don't agree.
I am a small operator and still have almost 800 Mikrotik routers. To setup and use syslog to a remote server for all these is ridiculous. Imagine a 10K of bigger operator...
The log is a great troubleshooting tool, even for CPE's....
And indeed, usually the logs are also needed just to find out shortly before and after network issues.....
Many other vendors that in itself have less extended OS systems have a log that can be marked and or selected to copy.... I don't think this would be hard to acheive for MT?

With so many routers it is even more apparent that you need to install a syslog server!
You do not need a separate server for every router, they can all log to the same server.

With so many routers it is even more apparent that you need to install a syslog server!
You do not need a separate server for every router, they can all log to the same server.

And all these logs to be send to a remote server that needs a big data capacity. Logs sometimes are running in many lines per hour, per that many routers, each day, day in day out, again. Sounds a bit waste of resources to me.
Plus we have to set all these routers up to make it happen. Each with their own name etc.
Seems to me a lot of work for something that is already almost there...

Maybe I am thinking wrong....

It sounds you can find a problem for every solution!
Maybe you need to do some calculation of the amount of data and compare that to the size of a standard diskdrive.

I'm with pe1chi and the log clearing camp on this one. Basic on-box log management functionality should be brought up to par with equivalent products.

• Log rotation
• Ability to clear logs locally / manually if needed

Two features, not asking the world of the developers for that.

The other side of the coin:

That said. Any organization of any size especially int the business of providing network services should have at least a syslog server and a SNMP based monitoring solution. Any decent syslog server will let you rotate logs to match the size of disk available. Also, a 8TB SATA drive costs $230 on Amazon here in the US. If you can afford 800 MikroTiks you can afford a hard drive to cram an awful lot of syslog onto.

My MikroTik's are not chatty at all with default syslog settings so in reality you can probably go pick up a Raspberry Pi, a 16gb SD card, an Ethernet cable and some duct tape and tape it under someones desk and be at least twice as good at troubleshooting.

I can't tell you how many organizations I've been to that will complain to no end about how crappy their gear, network or life is but have 0 monitoring. Examples are the best so I'll tell one of many stories that sold me on monitoring. I'm sitting in a meeting when I worked in an enterprise environment with our systems guys and the boos. I'm the network guy. The systems guy says "hey we need to upgrade the load balancers. Why don't we go with the virtual appliances." I say heck ya! That sounds great, physical hardware is pain and is way more expensive. Great we both agree. Lets pick a size. The systems guy, bless his heart, goes, "well the old physical ones have 1 GB interfaces so we should at least get the 1 GB symmetrical license for the virtual appliance." I say well hold on the licensing can be upgraded at anytime non-disruptively. Why don't we see what we are actually using out of that 1 GB. After the initial surprise that this was even being monitored we logged into ZenOSS, what we ran at the time, and had a look. The entire box had seen a fairly sustained load of less than 5 mbps with peaks up to 10 mbps. My boss looked at the pricing and chose the 200 mbps model which was still way overkill and saved the organizations 10s of thousands of dollars both up front and year over year in maintenance.

Most people say oh well you should've known that anyways or "I could've looked at the interfaces live and told you that." The truth is you couldn't have at least with enough of a straight face to tell your boss. Monitoring is good for detecting outages and can be an excellent planning tool. It can identify out of date hardware or software and as we just learned help plan for capacity. More advanced tools can even help you manage those 800 devices through automation.

I'm with pe1chi and the log clearing camp on this one. Basic on-box log management functionality should be brought up to par with equivalent products.

Typical IT guy's reply.

Mikrotik is sold for a great deal to small time self educated operators, like me. I build my 700+ client network over 15 years but still day to day every coin has to be flipped twice before I can spend it on those items with the highest priority. Let alone I have an IT guy helping in setting it all up. The knowledge is not there, nor the money. Maybe not very proffesional but it make my living for the last 15 years and I know there are many more the same like me....
For all those 'simple' guys that occasionally need to look in a log to see what happened a full network wide monitoring system is a bit over the top.

If I got a call from a client with intermittent internet I just log into his CPE and see what happened. Power cuts, Ethernet drops (=cable), wireless disconnects. Etc. simple. Most of the client I don't look into for months not years. For a full scale syslog system there is no need. If the software guys of MT just make a simple 'select' and copy functionality in the already existing log system that's would just make it a bit more handy to work with.

[This serves as an example. Since some months we run a syslog server for our important routers. But we are not changing all CPE's to that... There is a log option available yet and it is good enough. Only some small changes could be made to make it ideal....]

I agree that some better local log management could be very useful.
I recognize not to be an expert here but let me add my two cents to this.
Another use of manuale/scripted cleanup could be to simplify monitoring, e.g. when you want to send some log lines of an event by e-mail, repeating that in a scheduled way and have to control when you ran it last time.

If I got a call from a client with intermittent internet I just log into his CPE and see what happened. Power cuts, Ethernet drops (=cable), wireless disconnects. Etc. simple. Most of the client I don't look into for months not years. For a full scale syslog system there is no need. If the software guys of MT just make a simple 'select' and copy functionality in the already existing log system that's would just make it a bit more handy to work with.

Definitely agree with the select and copy from log.

Well that sure would be helpful. E.g. a button on the log display that says "plain text" and when you click it a page will be shown with all log entries fully shown each on a single line and with a TAB between the fields.
You can then easily cut and paste that into other software.
The same is true for the "Packet Sniffer" output, BTW.

Normis,

Thank you for fixing this security flaw. In the event of an attack, this command could be devastating to one's critical IT infrastructure.

Good thinking by the ROUTEROS/MIKROTIK TEAM!

thasser

Except hiding malicious actions, what purpose would this have?

Cos i just entered password instead of login. And my password is in log file! And everybody can see it!! And i can not delete it!!!!
This is my router and i wish i can do some things with it with some commands.
Please, implement.

Click system->logging->actions->memory and set 1 lines, OK, then set back to 1000 lines.

Thanks, pe1chl! It worked!

Anyway, i believe this should not be hard to implement as command rather then workaround.

Thanks, pe1chl! It worked!

Anyway, i believe this should not be hard to implement as command rather then workaround.

Mmmm, I rather want Mikrotik to focus on improving routing, switching, etc than focus on a button to clear logs.
As you have learned now, it is easy to clear the logs, what is more, you can create your own script to do this whenever you want, even schedule it

But I suppose you can't please everyone all the time

MTs argument is that such a feature would make it easier for an attacker to remove edvidence. I don't think so as there are also other ways around that (like the workaround with setting the lines to 1 and back) or just rebooting the device if logs are only kept in memory or simply wiping the logs on disk.

Btw. that's exactly the reason why centralized logging (remote syslog, etc.) should always be implemented