Ok... just spent the better part of a day banging my head on the table with trying to do some simple logging in RB....

I've got an accept filter rule for a port, does some limiting, followed by another rule to log on the same port, followed by a rule to drop excess connections.

I've setup rules and actions for logging, as I wish to have a log file for this single purpose to monitor....

I coudn't understand why the log file was growing, when the log rule didn't have any bytes or packets (wasn't triggered).

It's this kind of thing that's driving me mad with this RouterBoard, but I persevere.

Then, a few moments ago, in a Eureka moment I realised...

"Prefix" in the Logging, Rules is NOT a Prefix Filter.... no, it's smply a prefix for that line in the log file........ it's loggin anything happening in firewall, info.... no wonder the log file was growing and had the prefix but the rule wasn't increasing in bytes & packets.

Granted, I could look into Syslog, get a client/server for the RB to report to and do the sifting/sorting out there, but the point was to setup something simple and quick.

Therefore, unless I'm missing the point, I guess this has turned into a Feature Request for Logging to be able to "Filter By Prefix/log entry begining text" Perhaps with wildcards too. As well as the rule example I gave, I also wanted a log of failed logins. I hd put in the prefix "login failure for user" expecting that to filter system error critical for just login failure entries.

export your '/ip firewall' settings, might be able to get my head around what you are trying to do, and then possibly, where it isn't going right for you?

Basically, in a firewall rule, you pick the log option and put in a prefix....

Then in logging set it up to log to disk with a filename.

You can't log solely that firewall rule, you can only log "firewall", which is all firewall activity and not just that rule.

"Prefix" in the logging options, under System, Logging, Rules, <a rule>, simply adds a prefix to the line before putting it in the log. eg.

<Logging Prefix> <Mangle Rule Prefix> <Actual data>

Granted, this could be useful, but awful lot of prefixes, I originally thought it was a prefix filter, but it's not.

Yes, now I understand and I agree. The prefix field is an action where it will insert that text at the start of every log entry (this is mainly used for syslog to a remote server so you can place the system ID here) it is sadly not a filter for what logs go where.

I think if there was a filter here to test what the log entry starts with would be much better. Even better if you could put rules into the field, in the same way you can with walled garden in hotspot. I.e. you could filter for any log entry that was firewall, but contained a specific string (perhaps an IP or MAC address or port number) and only if that rule tested true, would it put the whole log entry into your nominated location (memory, disk, log file, remote)

This needs suggesting as a new feature.

Anyone from MT watching this thread?

I am not sure what are you trying to accomplish. If you are only trying to split logs from many mikrotik routers to different log files, on a syslog server, you can do this:
for redhat based systems (fedora, centos...)
put inside rsyslog.conf:
:programname,isequal,"YOUR MIKROTIK PREFIX" /var/log/mikrotik/your_filename
then, instead of running basic syslog, run rsyslog daemon.
I hope this helps.

Thirded as a feature request.

While you can do this on remote syslog servers, you may not always have access to a remote syslog server to use. Picture a case where you're trying to install a remote unit and the firewall rules you're troubleshooting are also preventing you from reaching your syslog server. Being able to filter logs while troubleshooting would be a neat thing.

I am not sure what are you trying to accomplish. If you are only trying to split logs from many mikrotik routers to different log files, on a syslog server, you can do this:

AJStevens already stated in his post that he didn't want to do this with a syslog server, he stated he knew how to do this, but I agree with him that this is overkill, it should be able to do this all in one box all by itself.

Thank you fewi - you got it! Time to add this to v4 feature list!

Can we get a mikrotik response regarding this as a feature request please?

These boards are basically just a community forum (though Mikrotik staff posts, it's at their discretion). If you want a response from the company, email support@mikrotik.com