rsyslog with Mikrotik
I love Mikrotik firewalls, and I recently set up remote syslog on two firewalls and am sending the logs to a Raspberry Pi running Ubuntu 20.04.
I followed this guide to make sure my remote server can accept logs from the Mikrotik firewall. I also followed this guide from Mikrotik for rsyslog.conf settings.
Server and firewall IPs
Ubuntu Server IPs: 10.1.1.241, 192.168.88.150
Firewall IPs: 10.1.1.1, 192.168.88.1
Below you will find a summary of the steps I followed to configure my 2 firewalls
update and install
sudo apt update
sudo apt upgrade
sudo systemctl start rsyslog
sudo systemctl enable rsyslog
sudo systemctl status rsyslog
sudo vim /etc/rsyslog.conf
add this to the bottom of the file
# load the UDP input and listen on all addresses, port 514
$ModLoad imudp
$UDPServerAddress *
#$UDPServerAddress 192.168.88.150
$UDPServerRun 514
# only accept datagrams from these senders
$AllowedSender UDP, 10.1.1.0/24 127.0.0.1 192.168.88.0/24
# one file per router, selected by the sending IP; "& stop" keeps the
# message out of the default log files
$template Router1Log, "/var/log/MikroTik/router1.log"
:fromhost-ip, isequal, "10.1.1.1" -?Router1Log
& stop
$template Router2Log, "/var/log/MikroTik/router2.log"
:fromhost-ip, isequal, "192.168.88.1" -?Router2Log
& stop
Now the server should be ready to receive logs from the firewall.
On the firewall add remote host
/system logging action add name="rsyslog" target=remote remote=10.1.1.241 remote-port=514 src-address=10.1.1.1;
Add rules for each event type, referencing the action created above by name
/system logging add topics=info action=rsyslog
/system logging add topics=error action=rsyslog
/system logging add topics=warning action=rsyslog
/system logging add topics=critical action=rsyslog
I did this on both firewalls and replaced remote and src-address respectively depending on which network I am connected to. You may need to restart rsyslog to get logs coming in.
sudo systemctl restart rsyslog
You should now start receiving logs in the following two locations
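Once the per-router files fill up, a small parser makes them useful for monitoring. The script below is an added example, not part of the original post: it assumes the lines are written in rsyslog's default file format (timestamp, sending host, then the MikroTik topics and message) and uses constructed sample lines in the shape MikroTik firewall and login events normally take. It counts firewall hits per source address and login failures per user, source and service.

```python
import re
import sys
from collections import Counter

# Constructed sample lines (not real traffic) in the shape rsyslog's default
# file template writes them: "<timestamp> <sending host> <topics> <message>"
SAMPLE_LOG = """\
Jun  3 10:15:01 10.1.1.1 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:51234->10.1.1.1:22, len 60
Jun  3 10:15:02 10.1.1.1 firewall,info input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:51235->10.1.1.1:23, len 60
Jun  3 10:15:03 10.1.1.1 system,error,critical login failure for user admin from 203.0.113.5 via ssh
Jun  3 10:15:04 10.1.1.1 firewall,info input: in:ether1 out:(unknown 0), src-mac 66:77:88:99:aa:bb, proto UDP, 198.51.100.9:5353->10.1.1.1:53, len 80
Jun  3 10:15:05 10.1.1.1 system,info,account user admin logged in from 10.1.1.50 via winbox
"""

# "Jun  3 10:15:01 10.1.1.1 firewall,info input: ..." -> host, topics, msg
LINE_RE = re.compile(
    r"^\S+\s+\d+\s+\d\d:\d\d:\d\d\s+(?P<host>\S+)\s+(?P<topics>[\w,-]+)\s+(?P<msg>.*)$")
# "203.0.113.5:51234->10.1.1.1:22" inside a firewall log-prefix message
FLOW_RE = re.compile(r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)")
LOGIN_FAIL_RE = re.compile(r"login failure for user (?P<user>\S+) from (?P<src>\S+) via (?P<svc>\S+)")

def parse_line(line):
    """Split one log line into host, topic list and message; None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["topics"] = rec["topics"].split(",")
    return rec

def summarize(text):
    """Return (firewall hits per source IP, login failures per (user, src, service))."""
    hits, failures = Counter(), Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if "firewall" in rec["topics"]:
            f = FLOW_RE.search(rec["msg"])
            if f:
                hits[f["src"]] += 1
        elif "error" in rec["topics"] or "critical" in rec["topics"]:
            f = LOGIN_FAIL_RE.search(rec["msg"])
            if f:
                failures[(f["user"], f["src"], f["svc"])] += 1
    return hits, failures

if __name__ == "__main__":
    # pass a file such as /var/log/MikroTik/router1.log, or run on the sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits, failures = summarize(text)
    print("firewall hits by source:", dict(hits.most_common()))
    print("login failures:", dict(failures))
```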