I have Splunk installed in my home lab and have begun using it to search Linux, Windows, and macOS logs. In this post I’m going to share how I monitor my Mikrotik logs and SWAG logs. I’ve recently shared my Mikrotik rsyslog configuration and my SWAG setup.
My Mikrotik firewall logs are currently being sent to /var/log/Mikrotik/. After installing the Splunk Universal Forwarder you need to navigate to its directory, /opt/splunkforwarder/bin. From there run the following commands:

./splunk add forward-server 10.1.1.236:9997
./splunk add monitor /var/log
./splunk add monitor /path/to/appdata/config/log
./splunk restart
The commands above tell the Universal Forwarder where to send the logs (the Splunk server) and which logs to monitor: in our case the Linux logs (which include the Mikrotik logs under /var/log/Mikrotik/) and our SWAG logs. Now edit the inputs.conf file and add the indexes you would like the data to go to. Note: make sure to create the indexes you choose to send data to.

[monitor:///var/log]
disabled = false
index = linux

[monitor:///path/to/appdata/config/log]
disabled = false
index = swag
Splunk Search Head SWAG
After adding field extractions using " as a delimiter, you can see me searching for this post.
In the image you can see that I extracted the source IP, HTTP code, HTTP request method, URL, and User Agent.
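The same delimiter-based extraction, reproduced in Python as an added example (not code from the post): it splits each SWAG access-log line on the double quote, pulls out the source IP, method, URL, status code and user agent, and tallies the results. The log lines are constructed, and the nginx "combined" layout they follow is assumed to be what SWAG writes.

```python
from collections import Counter

# Constructed sample lines in the nginx "combined" style that SWAG's
# access log is assumed to use (not taken from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /old-site/ HTTP/1.1" 404 162 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2024:12:00:04 +0000] "POST /login HTTP/1.1" 401 128 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

def extract_fields(line):
    """Split one access-log line on the double-quote delimiter, the same way
    the Splunk field extraction in the post does, and return src_ip, method,
    url, status and user_agent. Returns None if the line does not have the
    expected three quoted segments (request, referer, user agent)."""
    parts = line.split('"')
    if len(parts) < 7:
        return None
    # parts[1] = request line, parts[2] = " status bytes ", parts[5] = user agent
    src_ip = parts[0].split()[0]
    request = parts[1].split()
    if len(request) < 2:
        return None
    return {
        "src_ip": src_ip,
        "method": request[0],
        "url": request[1],
        "status": parts[2].split()[0],
        "user_agent": parts[5],
    }

def summarize(log_text):
    """Parse every line and count status codes and methods: the
    'which actions happen most' view the post builds in Splunk."""
    events = [e for e in (extract_fields(l) for l in log_text.splitlines()) if e]
    return {
        "events": events,
        "by_status": Counter(e["status"] for e in events),
        "by_method": Counter(e["method"] for e in events),
    }

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for code, n in summary["by_status"].most_common():
        print(code, n)
```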
Splunk Search Head Mikrotik
You can see that I am searching on both of my routers with my search query.
From my log extraction I can see which actions are taking place the most. In this case it looks like I have had 9400+ requests on port 80 or 443. What’s cool about this is that any Mikrotik rule I add with logging enabled will now show up in Splunk.