I have Splunk installed in my home lab and I began using it to search Linux, Windows, and MacOS logs. In this post I’m going to share how I monitor my Mikrotik logs and Swag logs. I’ve recently shared my Mikrotik rsyslog configuration and my SWAG setup

My Mikrotik firewall logs are currently being sent to /var/log/Mikrotik/. After installing the Splunk Universal Forwarder you need to navigate to it’s directory /opt/splunkforwarder/bin. From there run the following commands

./splunk add forward-server
./splunk add monitor /var/log
./splunk add monitor /path/to/appdata/config/log
./splunk restart

The commands above tell the Universal Forwarder where to send the logs (the Splunk Server), what logs to monitor. In our case the Linux logs and our SWAG logs. Now edit the inputs.conf file.


And add the indexes you would like them to go to. Note: Make sure to create indexes you choose to send data to.

disabled = false
index = linux

disabled = false
index = swag

Splunk Search Head SWAG

After adding field extractions using “ as a delimiter You can see myself searching this post.


Splunk SWAG

In the image you can see that I extracted the source IP, HTTP code, HTTP request method, URL, and User Agent.

Splunk Search Head Mikrotik

index=linux source=”/var/log/MikroTik/router*”

Splunk Mikrotik

You can see that I am searching on both of my routers with my search query.

Splunk Mikrotik Rules

From my log extraction I can see what actions are taking place the most. In this case it looks like I have had 9400+ requests on port 80 or 443. What’s cool about this is now any Mikrotik rule that I add to be logged will now show up in Splunk.