Linux Syslog Server for MikroTik Router Logs – Configuration Guide

Linux servers provide the most cost-effective and reliable solution for centralized MikroTik log collection. This guide teaches you how to build a production-ready syslog server.

Benefits of Linux Syslog Servers

  • Zero licensing costs – Free and open-source software
  • High performance – Handles thousands of messages per second
  • Unlimited storage – No artificial log volume restrictions
  • Complete customization – Full control over log processing
  • Integration ready – Works with any SIEM platform

Popular Linux Syslog Daemons

  • rsyslog – Default on Ubuntu/RHEL, feature-rich, best performance
  • syslog-ng – Advanced filtering, reliable TCP transport
  • journald – Systemd integration, structured logging

This guide focuses on rsyslog as it ships default with most distributions and offers the best MikroTik compatibility.

2. Linux Syslog Server Architecture

Data Flow Overview

MikroTik Router → UDP Port 514 → Linux Server → rsyslog Daemon → Log Files → Analysis Tools
     ↓                ↓               ↓             ↓                ↓            ↓
  Log Events    Network Layer    Firewall    Processing Rules   Rotation    Monitoring

File System Structure

  • /var/log/mikrotik/ – Main directory for MikroTik logs
  • /var/log/mikrotik/[hostname]/ – Per-device log directories
  • /etc/rsyslog.d/ – Configuration files location
  • /var/spool/rsyslog/ – Queue and buffer storage

System Requirements by Scale

Environment                  CPU Cores   RAM     Storage     Network
Small Office (1-5 routers)   2           4 GB    50 GB       100 Mbps
Enterprise (10-50 routers)   4           16 GB   500 GB      1 Gbps
ISP/Large (50+ routers)      8+          32 GB   1 TB SSD    10 Gbps

3. Preparing Your Linux Server

Step 1: Update the Operating System

# For Ubuntu/Debian systems
sudo apt update && sudo apt upgrade -y

# For RHEL/CentOS/Rocky Linux systems
sudo yum update -y

Step 2: Configure Time Synchronization

Accurate timestamps are critical for log analysis. Install and configure NTP:

# Install Chrony NTP daemon
sudo apt install chrony -y

# Enable and start the service
sudo systemctl enable --now chrony

# Verify time synchronization
timedatectl status
chronyc sources

Step 3: Set Static IP Address

Configure a static IP for reliable log delivery. For Ubuntu 20.04+ using Netplan:

# Edit Netplan configuration
sudo nano /etc/netplan/01-netcfg.yaml

# Add this configuration:
network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1   # deprecated since Netplan 0.103; newer releases expect "routes: [{to: default, via: 192.168.1.1}]"
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4

# Apply the configuration
sudo netplan apply

# Verify the IP address
ip addr show

Step 4: Create Log Directory Structure

# Create MikroTik log directories
sudo mkdir -p /var/log/mikrotik/{archive,alerts,firewall}

# Set ownership to the rsyslog user and the adm group. Use 750 instead of 755
# if router logs (firewall hits, login failures) should not be world-readable.
sudo chown -R syslog:adm /var/log/mikrotik
sudo chmod -R 755 /var/log/mikrotik

4. Installing and Configuring rsyslog

Step 1: Install rsyslog

# Install rsyslog and utilities
sudo apt install rsyslog rsyslog-doc -y

# Verify installation
rsyslogd -v

# Enable and start service
sudo systemctl enable rsyslog
sudo systemctl start rsyslog

Step 2: Enable UDP Reception

Edit the main rsyslog configuration file:

sudo nano /etc/rsyslog.conf

# Uncomment these lines to enable UDP:
module(load="imudp")
input(type="imudp" port="514")

# Optional: Enable TCP for reliable delivery (also required by the stunnel
# setup in section 11, which forwards decrypted traffic to 127.0.0.1:514)
module(load="imtcp")
input(type="imtcp" port="514")

# Save and exit

Step 3: Create MikroTik-Specific Configuration

Create a dedicated configuration file for MikroTik logs:

sudo nano /etc/rsyslog.d/30-mikrotik.conf

Add this configuration:

# Define template for MikroTik log format
template(name="MikroTikFormat" type="string"
  string="%timegenerated% %HOSTNAME% [%syslogfacility-text%.%syslogseverity-text%] %syslogtag%%msg%\n"
)

# Define dynamic file path based on hostname
template(name="MikroTikFile" type="string"
  string="/var/log/mikrotik/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
)

# Rule: Process logs from MikroTik IP range
if $fromhost-ip startswith '192.168.1.' then {
    # Write to dynamic file based on hostname
    action(type="omfile"
           dynaFile="MikroTikFile"
           template="MikroTikFormat"
           createDirs="on"
           dirCreateMode="0755"
           fileCreateMode="0644")

    # Also maintain a combined log file
    action(type="omfile"
           file="/var/log/mikrotik/all-routers.log"
           template="MikroTikFormat")

    # Do not put "stop" here. rsyslog reads /etc/rsyslog.d in alphabetical
    # order, and "stop" would discard the message before the severity rules in
    # 31-mikrotik-severity.conf see it. Put the stop at the end of the last
    # MikroTik rule file instead, so the messages still skip /var/log/syslog.
}

Step 4: Configure Severity-Based Filtering

sudo nano /etc/rsyslog.d/31-mikrotik-severity.conf

# Add severity-based rules. The templates come from 30-mikrotik.conf, which
# rsyslog loads first (files in /etc/rsyslog.d are read in alphabetical order).

# omprog must be loaded before the first action that uses it. A module may be
# loaded only once, so drop the module(load="omprog") line from any later file.
module(load="omprog")

# Critical alerts (emergency, alert, critical)
if $fromhost-ip startswith '192.168.1.' and $syslogseverity <= 2 then {
    action(type="omfile"
           file="/var/log/mikrotik/alerts/critical.log"
           template="MikroTikFormat")

    # Execute alert script; it receives one MikroTikFormat line per message on stdin
    action(type="omprog"
           binary="/usr/local/bin/mikrotik-alert.sh"
           template="MikroTikFormat")
}

# Error logs
if $fromhost-ip startswith '192.168.1.' and $syslogseverity == 3 then {
    action(type="omfile"
           file="/var/log/mikrotik/alerts/errors.log"
           template="MikroTikFormat")
}

# Firewall-specific logs
if $fromhost-ip startswith '192.168.1.' and $programname == 'firewall' then {
    action(type="omfile"
           file="/var/log/mikrotik/firewall/firewall.log"
           template="MikroTikFormat")
}

# MikroTik messages are fully handled at this point; stop so that the default
# rules in rsyslog.conf do not write them to /var/log/syslog a second time
if $fromhost-ip startswith '192.168.1.' then stop
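As an added illustration (not part of the guide or of rsyslog), the Python below decodes the <PRI> header that rsyslog turns into $syslogfacility and $syslogseverity, and applies the routing rules from 30-mikrotik.conf and 31-mikrotik-severity.conf to constructed datagrams. The RFC 3164 line layout and matching firewall messages by the RouterOS topic prefix are assumptions.

```python
import re
from typing import Dict, List

# Facility and severity names in RFC 3164 numbering (rsyslog's -text properties)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed RFC 3164 layout: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG MSG
# (RouterOS puts its topic list, e.g. "firewall,info", where the tag goes)
DATAGRAM_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\S+) (?P<msg>.*)$")


def parse_datagram(raw: str) -> Dict[str, object]:
    """Decode one datagram into the properties rsyslog exposes to its rules."""
    m = DATAGRAM_RE.match(raw)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {raw!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7 -> PRI = facility*8 + severity
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": FACILITIES[pri >> 3],  # $syslogfacility-text
        "severity": SEVERITIES[pri & 7],   # $syslogseverity-text
        "severity_num": pri & 7,           # $syslogseverity
        "hostname": m.group("host"),       # $HOSTNAME
        "tag": m.group("tag"),             # $syslogtag
        "msg": m.group("msg"),
    }


def route(raw: str, from_ip: str) -> List[str]:
    """Return the files the guide's rsyslog rules write this message to."""
    if not from_ip.startswith("192.168.1."):
        return []  # left to rsyslog's default rules
    ev = parse_datagram(raw)
    files = [f"/var/log/mikrotik/{ev['hostname']}/YYYY-MM-DD.log",
             "/var/log/mikrotik/all-routers.log"]
    if ev["severity_num"] <= 2:            # emerg, alert, crit
        files.append("/var/log/mikrotik/alerts/critical.log")
    elif ev["severity_num"] == 3:          # err
        files.append("/var/log/mikrotik/alerts/errors.log")
    # Assumption: the firewall rule matches messages whose topic list starts with "firewall"
    if str(ev["tag"]).split(",")[0] == "firewall":
        files.append("/var/log/mikrotik/firewall/firewall.log")
    return files


def mikrotik_pri(severity: str, facility: str = "daemon") -> int:
    """PRI value a router configured with syslog-facility=daemon puts on a message."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)


# Constructed sample datagrams (not real captures)
SAMPLES = [
    "<26>Jan  5 12:00:00 Router-01 system,error,critical login failure for user admin from 203.0.113.7 via ssh",
    "<30>Jan  5 12:00:01 Router-01 firewall,info DROP-INVALID forward: in:ether1 out:ether2, proto TCP (SYN), 203.0.113.7:51234->192.168.1.10:22, len 60",
    "<27>Jan  5 12:00:02 Router-02 system,error dhcp server error: address pool exhausted",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        ev = parse_datagram(raw)
        print(f"{ev['facility']}.{ev['severity']:<7} -> {route(raw, '192.168.1.1')}")
```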

Step 5: Restart rsyslog Service

# Test configuration
sudo rsyslogd -N1

# Restart service
sudo systemctl restart rsyslog

# Check status
sudo systemctl status rsyslog

5. MikroTik Router Configuration

Step 1: Configure Logging Action via CLI

Connect to your MikroTik router and run these commands:

# Create remote syslog action
/system logging action
add name="syslog-server" target=remote \
    remote=192.168.1.100 \
    remote-port=514 \
    src-address=192.168.1.1 \
    bsd-syslog=yes \
    syslog-facility=daemon \
    syslog-severity=auto

# Show the created action
/system logging action print

Step 2: Configure Logging Rules

# Remove default memory logging to prevent duplication
/system logging
remove [find action=memory]

# Add logging rules for different topics
add topics=critical action=syslog-server prefix="CRITICAL"
add topics=error action=syslog-server prefix="ERROR"
add topics=warning action=syslog-server prefix="WARNING"
add topics=system,info action=syslog-server
add topics=firewall action=syslog-server prefix="FW"
add topics=wireless,info action=syslog-server prefix="WIFI"
add topics=dhcp action=syslog-server prefix="DHCP"
add topics=hotspot,info action=syslog-server prefix="HOTSPOT"
add topics=pppoe,info action=syslog-server prefix="PPPoE"

# Keep local logging for critical events
add topics=critical action=memory
add topics=error action=memory

Step 3: Configure Firewall Logging

# Add logging to firewall rules
/ip firewall filter
add chain=forward action=drop connection-state=invalid \
    log=yes log-prefix="DROP-INVALID"
    
add chain=input action=drop src-address-list=blacklist \
    log=yes log-prefix="DROP-BLACKLIST"
    
# Log connection tracking
/ip firewall connection tracking
set enabled=yes

Step 4: Test Logging

# Generate test log entry
/log info "TEST: Syslog configuration test from $[/system identity get name]"
/log warning "TEST: Warning message test"
/log error "TEST: Error message test"

# Check if logs are being sent
/system logging action print stats

MikroTik Configuration via WinBox

  1. Open WinBox and connect to your router
  2. Navigate to System → Logging
  3. Click on Actions tab
  4. Click + to add new action
  5. Set the following:
    • Name: syslog-server
    • Type: remote
    • Remote Address: 192.168.1.100
    • Remote Port: 514
    • BSD Syslog: checked (enabled)
    • Syslog Facility: daemon
  6. Click OK to save
  7. Go to Rules tab
  8. Add rules for each topic you want to log

6. Firewall Configuration

UFW Configuration (Ubuntu)

# Allow syslog from MikroTik network
sudo ufw allow from 192.168.1.0/24 to any port 514 proto udp comment 'Syslog UDP'
sudo ufw allow from 192.168.1.0/24 to any port 514 proto tcp comment 'Syslog TCP'

# Reload firewall
sudo ufw reload

# Verify rules
sudo ufw status verbose

iptables Configuration

# Allow UDP syslog traffic
sudo iptables -A INPUT -p udp --dport 514 -s 192.168.1.0/24 -j ACCEPT -m comment --comment "Syslog UDP"

# Allow TCP syslog traffic
sudo iptables -A INPUT -p tcp --dport 514 -s 192.168.1.0/24 -j ACCEPT -m comment --comment "Syslog TCP"

# Save rules (Ubuntu/Debian)
sudo apt install iptables-persistent -y
sudo netfilter-persistent save

# Save rules (RHEL/CentOS)
sudo service iptables save

Firewalld Configuration (RHEL/CentOS)

# Create custom service for syslog
sudo firewall-cmd --permanent --new-service=mikrotik-syslog
sudo firewall-cmd --permanent --service=mikrotik-syslog --add-port=514/udp
sudo firewall-cmd --permanent --service=mikrotik-syslog --add-port=514/tcp

# Add service to zone. The trusted zone accepts every connection from the
# listed sources, not only syslog; assign the source to a more restrictive
# zone if the router network should reach port 514 only.
sudo firewall-cmd --permanent --zone=trusted --add-source=192.168.1.0/24
sudo firewall-cmd --permanent --zone=trusted --add-service=mikrotik-syslog

# Reload configuration
sudo firewall-cmd --reload

# Verify configuration
sudo firewall-cmd --list-all --zone=trusted

Verify Port Listening

# Check if rsyslog is listening on port 514
sudo netstat -ulnp | grep 514
sudo ss -ulnp | grep 514
sudo lsof -i :514

# Expected output:
# udp    0    0 0.0.0.0:514    0.0.0.0:*    -    rsyslogd
# tcp    0    0 0.0.0.0:514    0.0.0.0:*    LISTEN    rsyslogd

7. Log Rotation Setup

Create Logrotate Configuration

sudo nano /etc/logrotate.d/mikrotik

# Add this configuration:
# Combined log. The per-device files are named by date
# (/var/log/mikrotik/<hostname>/YYYY-MM-DD.log) and start fresh every day, so
# they are not listed here: logrotate rejects a configuration in which the
# same file appears in two blocks, and the cleanup script below compresses
# and archives the dated files.
/var/log/mikrotik/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0640 syslog adm
    sharedscripts
    postrotate
        /usr/bin/systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

# Firewall logs - keep longer
/var/log/mikrotik/firewall/*.log {
    daily
    rotate 90
    compress
    delaycompress
    missingok
    notifempty
    create 0640 syslog adm
    # "size" alone would replace the daily schedule; "maxsize" rotates daily
    # or sooner once the file exceeds 100M
    maxsize 100M
    postrotate
        /usr/bin/systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

# Alert logs - keep for compliance
/var/log/mikrotik/alerts/*.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 syslog adm
    postrotate
        /usr/bin/systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

Test Log Rotation

# Dry run test
sudo logrotate -d /etc/logrotate.d/mikrotik

# Force immediate rotation
sudo logrotate -f /etc/logrotate.d/mikrotik

# Check rotated logs
ls -la /var/log/mikrotik/

Automated Cleanup Script

sudo nano /usr/local/bin/mikrotik-log-cleanup.sh

#!/bin/bash
# MikroTik Log Cleanup Script
set -u

LOG_DIR="/var/log/mikrotik"
DAYS_TO_KEEP=90
ARCHIVE_DIR="${LOG_DIR}/archive"

# Compress per-device daily files (YYYY-MM-DD.log) older than 7 days. Only
# these dated files are safe to gzip: all-routers.log and the alerts/firewall
# files are held open by rsyslog and are handled by logrotate instead.
find "${LOG_DIR}" -mindepth 2 -type f -name "????-??-??.log" -mtime +7 \
     -not -path "${ARCHIVE_DIR}/*" -exec gzip {} \;

# Move compressed per-device files older than 30 days into the archive, keeping
# the router's directory name so files from different routers with the same
# date do not overwrite each other. Files logrotate manages stay where they are.
find "${LOG_DIR}" -mindepth 2 -type f -name "*.gz" -mtime +30 \
     -not -path "${ARCHIVE_DIR}/*" \
     -not -path "${LOG_DIR}/alerts/*" \
     -not -path "${LOG_DIR}/firewall/*" -print0 |
while IFS= read -r -d '' file; do
    router=$(basename "$(dirname "${file}")")
    mkdir -p "${ARCHIVE_DIR}/${router}"
    mv "${file}" "${ARCHIVE_DIR}/${router}/"
done

# Delete archived logs older than the retention period
find "${ARCHIVE_DIR}" -type f -name "*.gz" -mtime +"${DAYS_TO_KEEP}" -delete

# Report disk usage
echo "Disk usage report for ${LOG_DIR}:"
du -sh "${LOG_DIR}"/*

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-log-cleanup.sh

# Add to crontab
(crontab -l 2>/dev/null; echo "0 2 * * 0 /usr/local/bin/mikrotik-log-cleanup.sh") | crontab -

8. Monitoring and Analysis

Real-Time Log Monitoring

# Monitor all MikroTik logs
tail -f /var/log/mikrotik/all-routers.log

# Monitor with grep filter
tail -f /var/log/mikrotik/all-routers.log | grep --line-buffered "ERROR\|CRITICAL"

# Monitor specific router
tail -f /var/log/mikrotik/Router-01/*.log

# Use multitail for multiple files
sudo apt install multitail -y
multitail /var/log/mikrotik/*/$(date +%Y-%m-%d).log

Create Monitoring Dashboard Script

sudo nano /usr/local/bin/mikrotik-monitor.sh

#!/bin/bash
# MikroTik Log Monitoring Dashboard
LOG="/var/log/mikrotik/all-routers.log"
CRIT_LOG="/var/log/mikrotik/alerts/critical.log"

# Count lines matching an extended regex; print 0 if the file is missing.
# (grep -c also exits 1 on zero matches, so "|| echo 0" would print twice.)
count() {
    local n
    n=$(grep -Ec "$1" "${LOG}" 2>/dev/null)
    echo "${n:-0}"
}

clear
while true; do
    echo "=== MikroTik Syslog Monitor - $(date) ==="
    echo ""

    # Build a pattern matching the "Mmm dd HH:MM" prefix of each of the last
    # 5 minutes (%e pads the day with a space, like the timestamp rsyslog writes)
    TIMEFRAME=""
    for i in 0 1 2 3 4; do
        STAMP=$(date -d "${i} minutes ago" '+%b %e %H:%M')
        TIMEFRAME="${TIMEFRAME}${TIMEFRAME:+|}^${STAMP}"
    done

    echo "Log Statistics (Last 5 minutes):"
    echo "--------------------------------"
    echo -n "Total Events: "; count "${TIMEFRAME}"
    echo -n "Errors: ";       count "(${TIMEFRAME}).*ERROR"
    echo -n "Warnings: ";     count "(${TIMEFRAME}).*WARNING"

    echo ""
    echo "Active Routers:"
    echo "---------------"
    # Per-device log files written in the last 5 minutes. Directory mtimes do
    # not change when a file inside is appended to, so look at the files.
    find /var/log/mikrotik -mindepth 2 -maxdepth 2 -type f -name "*.log" -mmin -5 \
         -printf '%h\n' | xargs -rn1 basename | grep -vE '^(alerts|archive|firewall)$' | sort -u

    echo ""
    echo "Latest Critical Events:"
    echo "----------------------"
    tail -5 "${CRIT_LOG}" 2>/dev/null

    sleep 5
    clear
done

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-monitor.sh

Log Analysis Script

sudo nano /usr/local/bin/mikrotik-daily-report.sh

#!/bin/bash
# Daily MikroTik Log Analysis Report

LOG_DIR="/var/log/mikrotik"
REPORT_FILE="/tmp/mikrotik-report-$(date +%Y%m%d).html"
EMAIL="admin@example.com"
# all-routers.log holds the events since the last daily rotation; once
# logrotate has run, the previous full day is in all-routers.log.1
LOG_FILE="${LOG_DIR}/all-routers.log"
FW_LOG="${LOG_DIR}/firewall/firewall.log"

# Log lines contain text chosen by remote parties (usernames, prefixes);
# escape them before placing them inside HTML
html_escape() {
    sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Start HTML report
cat > "${REPORT_FILE}" << 'EOF'
<html>
<head><title>MikroTik Daily Log Report</title></head>
<body>
<h1>MikroTik Daily Log Report</h1>
EOF

echo "<p>Report Date: $(date)</p>" >> "${REPORT_FILE}"

# Event Summary
echo "<h2>Event Summary (Last 24 Hours)</h2>" >> "${REPORT_FILE}"
echo "<ul>" >> "${REPORT_FILE}"
echo "<li>Total Events: $(grep -c "" "${LOG_FILE}")</li>" >> "${REPORT_FILE}"
echo "<li>Critical: $(grep -c "CRITICAL" "${LOG_FILE}")</li>" >> "${REPORT_FILE}"
echo "<li>Errors: $(grep -c "ERROR" "${LOG_FILE}")</li>" >> "${REPORT_FILE}"
echo "<li>Warnings: $(grep -c "WARNING" "${LOG_FILE}")</li>" >> "${REPORT_FILE}"
echo "</ul>" >> "${REPORT_FILE}"

# Top Firewall Blocks
# RouterOS logs a connection as src:port->dst:port, so the source address is
# the one left of "->"
echo "<h2>Top 10 Blocked IP Addresses</h2>" >> "${REPORT_FILE}"
echo "<pre>" >> "${REPORT_FILE}"
grep "DROP" "${FW_LOG}" | \
    grep -oE "[0-9]+(\.[0-9]+){3}(:[0-9]+)?->" | \
    sed -E 's/(:[0-9]+)?->$//' | \
    sort | uniq -c | sort -rn | head -10 >> "${REPORT_FILE}"
echo "</pre>" >> "${REPORT_FILE}"

# Failed Login Attempts
echo "<h2>Failed Login Attempts</h2>" >> "${REPORT_FILE}"
echo "<pre>" >> "${REPORT_FILE}"
grep -i "login failure\|failed" "${LOG_FILE}" | tail -20 | html_escape >> "${REPORT_FILE}"
echo "</pre>" >> "${REPORT_FILE}"

# Close HTML
echo "</body></html>" >> "${REPORT_FILE}"

# Send email report (-a adds a header with GNU mailutils' mail; with bsd-mailx
# -a attaches a file instead, so check which mail command is installed)
mail -a "Content-Type: text/html" -s "MikroTik Daily Report" "${EMAIL}" < "${REPORT_FILE}"

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-daily-report.sh

# Schedule daily execution
(crontab -l 2>/dev/null; echo "0 7 * * * /usr/local/bin/mikrotik-daily-report.sh") | crontab -

Create Alert Script

sudo nano /usr/local/bin/mikrotik-alert.sh

#!/bin/bash
# MikroTik Critical Alert Script
# Started once by rsyslog's omprog action; every critical message then arrives
# on stdin as one line in the MikroTikFormat template:
#   Mmm dd HH:MM:SS HOSTNAME [facility.severity] tag message
# Word splitting by read copes with the double space in days below 10.

ALERT_TO="admin@example.com"
SENT_LOG="/var/log/mikrotik/alerts/sent-alerts.log"

while read -r MON DAY TIME HOSTNAME PRIO MESSAGE; do
    TIMESTAMP="${MON} ${DAY} ${TIME}"

    # Send alert email
    echo "Critical alert from MikroTik router ${HOSTNAME} at ${TIMESTAMP}: ${MESSAGE}" | \
        mail -s "CRITICAL: MikroTik Alert - ${HOSTNAME}" "${ALERT_TO}"

    # Send to Slack (optional; escape quotes and backslashes in MESSAGE before
    # embedding it in JSON, since the text comes from the router)
    # curl -X POST -H 'Content-type: application/json' \
    #     --data "{\"text\":\"Critical: ${HOSTNAME} - ${MESSAGE}\"}" \
    #     YOUR_SLACK_WEBHOOK_URL

    # Log to separate alert file
    echo "$(date) - Alert sent for: ${TIMESTAMP} ${HOSTNAME} ${PRIO} ${MESSAGE}" >> "${SENT_LOG}"
done

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-alert.sh

9. Performance Optimization

rsyslog Performance Tuning

sudo nano /etc/rsyslog.d/10-performance.conf

# Add performance optimization settings:
# Main message queue: 4 worker threads and a disk-assisted queue that is saved
# on shutdown. (The legacy $ActionQueue* directives only apply to the next
# action statement; per-action queues and action.resumeRetryCount="-1" are set
# as queue.*/action.* parameters on the action itself, as the Elasticsearch
# example in section 11 does.)
main_queue(
    queue.workerthreads="4"
    queue.type="LinkedList"
    queue.filename="mikrotik-queue"
    queue.saveonshutdown="on"
    queue.maxdiskspace="1g"
    queue.highwatermark="8000"
    queue.lowwatermark="2000"
    queue.discardmark="9750"
    queue.checkpointinterval="100"
)

# Increase message size for large logs
global(maxMessageSize="64k")

# Rate limiting for the local /dev/log socket (imuxsock); interval 0 disables
# it. Limits for messages received over UDP are set on the imudp input with
# ratelimit.interval / ratelimit.burst (see the troubleshooting section).
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 50000

# Use high-precision (RFC 3339) timestamps in files written with the default
# template; RSYSLOG_TraditionalFileFormat is the low-precision variant
$ActionFileDefaultTemplate RSYSLOG_FileFormat
$SystemLogUsePIDFromSystem on

# Restart rsyslog
sudo systemctl restart rsyslog

System Kernel Tuning

sudo nano /etc/sysctl.d/99-syslog-tuning.conf

# Add kernel parameters:
# Increase UDP buffer sizes
net.core.rmem_default = 262144
net.core.rmem_max = 8388608
net.core.wmem_default = 262144
net.core.wmem_max = 8388608

# Increase network backlog
net.core.netdev_max_backlog = 10000
net.core.netdev_budget = 600

# Increase connection tracking
net.netfilter.nf_conntrack_max = 524288
net.netfilter.nf_conntrack_udp_timeout = 30

# Apply settings
sudo sysctl -p /etc/sysctl.d/99-syslog-tuning.conf

Disk I/O Optimization

# Use a separate partition for logs. mkfs erases everything on the partition,
# so confirm the device in the fdisk output first; mounting over an existing
# directory hides its contents, so do this before creating the log structure
# or copy existing logs over afterwards.
sudo fdisk -l
sudo mkfs.ext4 /dev/sdb1
sudo mount /dev/sdb1 /var/log/mikrotik

# Add to /etc/fstab for persistence
echo "/dev/sdb1 /var/log/mikrotik ext4 defaults,noatime,nodiratime 0 2" | sudo tee -a /etc/fstab

# Use tmpfs for high-frequency logs (optional; tmpfs lives in RAM, so anything
# written there is lost on reboot and must not be the only copy)
sudo mount -t tmpfs -o size=2G tmpfs /var/log/mikrotik/temp
echo "tmpfs /var/log/mikrotik/temp tmpfs size=2G,defaults 0 0" | sudo tee -a /etc/fstab

Monitor Performance

# Create performance monitoring script
sudo nano /usr/local/bin/syslog-performance.sh

#!/bin/bash
# Syslog Performance Monitor
LOG="/var/log/mikrotik/all-routers.log"
DISK="${1:-sda}"   # block device to report on; pass another name as the first argument

echo "=== Syslog Performance Metrics ==="
echo ""

# CPU and memory usage of rsyslogd (ps -C selects by process name, so the
# grep process itself can never show up in the output)
echo "rsyslogd CPU / Memory:"
ps -C rsyslogd -o comm=,pcpu=,rss= | awk '{printf "  Process: %s CPU: %s%% RSS: %.1f MB\n", $1, $2, $3/1024}'

# Disk I/O: iostat's first report is the average since boot, the second one
# covers the last second
echo ""
echo "Disk I/O (${DISK}, last second):"
iostat -xk 1 2 | awk -v d="${DISK}" '/^Device/ {h=$0} $1 == d {r=$0} END {print "  " h; print "  " r}'

# UDP counters: a rising RcvbufErrors value means the kernel dropped datagrams
# before rsyslog read them (see the net.core.rmem_* settings above)
echo ""
echo "UDP Statistics:"
awk '/^Udp:/ {print "  " $0}' /proc/net/snmp

# Log file statistics
echo ""
echo "Log Files:"
echo -n "  Total Size: "
du -sh /var/log/mikrotik/ 2>/dev/null | cut -f1
echo -n "  File Count: "
find /var/log/mikrotik -type f -name "*.log" | wc -l

# Message rate: count lines added to the combined log in 5 seconds and scale
# the result to one minute
echo ""
echo "Message Rate (per minute, from a 5 second sample):"
CURRENT=$(wc -l < "${LOG}")
sleep 5
NEW=$(wc -l < "${LOG}")
RATE=$(( (NEW - CURRENT) * 12 ))
echo "  Approximately ${RATE} messages/minute"

# Make executable
sudo chmod +x /usr/local/bin/syslog-performance.sh

10. Troubleshooting Guide

Common Issues and Solutions

Issue 1: No Logs Received

  1. Check network connectivity:
    # From MikroTik router
    /ping 192.168.1.100 count=5
    
    # From Linux server
    ping -c 5 192.168.1.1
    
  2. Verify rsyslog is listening:
    sudo netstat -ulnp | grep 514
    sudo ss -ulnp | grep :514
    
  3. Check firewall rules:
    sudo iptables -L -n -v | grep 514
    sudo ufw status verbose | grep 514
    
  4. Test with tcpdump:
    sudo tcpdump -i any -n port 514 -vv
    
  5. Send test message:
    # From another Linux machine
    logger -n 192.168.1.100 -P 514 "Test syslog message"
    
    # From MikroTik
    /log info "TEST: Manual test message"
    

Issue 2: Logs Not Formatted Correctly

# Check rsyslog configuration syntax
sudo rsyslogd -N1

# Debug rsyslog processing (stop the rsyslog service first: a second rsyslogd
# instance cannot bind port 514 alongside the running one)
sudo rsyslogd -dn 2>&1 | grep mikrotik

# Verify template application
tail -f /var/log/mikrotik/all-routers.log

Issue 3: High CPU Usage

# Check message rate
tail -f /var/log/mikrotik/all-routers.log | pv -l -r > /dev/null

# Identify heavy logging sources (the hostname is the 4th field of the
# MikroTikFormat template: "Mmm dd HH:MM:SS HOST [facility.severity] ...")
awk '{print $4}' /var/log/mikrotik/all-routers.log | sort | uniq -c | sort -rn | head

# Add rate limiting for messages received over UDP. The $SystemLogRateLimit*
# directives only cover the local /dev/log socket; the UDP listener takes its
# own limits as input parameters, so adjust the imudp input in rsyslog.conf
# (two inputs on the same port would fail to bind).
sudo nano /etc/rsyslog.conf

# Allow at most 1000 messages per 1-second interval on the UDP listener
input(type="imudp" port="514" ratelimit.interval="1" ratelimit.burst="1000")

# Restart rsyslog
sudo systemctl restart rsyslog

Issue 4: Disk Space Issues

# Check disk usage
df -h /var/log
du -sh /var/log/mikrotik/*

# Find large log files
find /var/log/mikrotik -type f -size +100M -exec ls -lh {} \;

# Emergency cleanup
find /var/log/mikrotik -name "*.log" -mtime +7 -delete
find /var/log/mikrotik -name "*.gz" -mtime +30 -delete

# Compress old logs immediately
find /var/log/mikrotik -name "*.log" -mtime +1 -exec gzip {} \;

Debug Mode Testing

# Run rsyslog in debug mode (stop the rsyslog service first; a second
# rsyslogd instance cannot bind port 514 alongside the running one)
sudo rsyslogd -dn 2>&1 | tee /tmp/rsyslog-debug.log

# Check for configuration errors
grep -i "error\|warning" /tmp/rsyslog-debug.log

# Monitor rsyslog internal messages
tail -f /var/log/syslog | grep rsyslog

SELinux Troubleshooting (RHEL/CentOS)

# Check SELinux status
getenforce

# Check for SELinux denials
sudo ausearch -m AVC -ts recent | grep syslog

# Label the log directory as log data (var_log_t) so rsyslog may create
# directories and files there; syslogd_var_run_t is the type for /run state
sudo semanage fcontext -a -t var_log_t "/var/log/mikrotik(/.*)?"
sudo restorecon -Rv /var/log/mikrotik

# Set boolean for network access
sudo setsebool -P nis_enabled 1

Verification Commands

# Comprehensive system check script
sudo nano /usr/local/bin/syslog-healthcheck.sh

#!/bin/bash
# Syslog Server Health Check
echo "=== Syslog Server Health Check ==="
echo ""

# Service status
echo "1. Service Status:"
if systemctl is-active --quiet rsyslog; then
    echo "  ✓ rsyslog is running"
else
    echo "  ✗ rsyslog is not running"
fi

# Port listening (ss is present on current systems where netstat may not be)
echo ""
echo "2. Port Status:"
if ss -uln | grep -q ':514 '; then
    echo "  ✓ UDP 514 listening"
else
    echo "  ✗ UDP 514 not listening"
fi

# Disk space
echo ""
echo "3. Disk Space:"
USAGE=$(df /var/log | tail -1 | awk '{print $5}' | sed 's/%//')
if [ "${USAGE}" -lt 80 ]; then
    echo "  ✓ Disk usage: ${USAGE}%"
else
    echo "  ✗ Disk usage critical: ${USAGE}%"
fi

# Recent logs
echo ""
echo "4. Recent Logs:"
COUNT=$(find /var/log/mikrotik -name "*.log" -mmin -5 | wc -l)
echo "  Files modified in last 5 minutes: ${COUNT}"

# Error check (rsyslog's own messages go to /var/log/syslog on Ubuntu)
echo ""
echo "5. Recent Errors:"
grep -i "error\|fail" /var/log/syslog | tail -3

echo ""
echo "=== Check Complete ==="

# Make executable
sudo chmod +x /usr/local/bin/syslog-healthcheck.sh

11. Advanced Configurations

High Availability Setup

# Configure multiple syslog servers on MikroTik
/system logging action
add name="syslog-primary" target=remote remote=192.168.1.100 remote-port=514
add name="syslog-secondary" target=remote remote=192.168.1.101 remote-port=514

/system logging
add topics=critical,error,warning action=syslog-primary
add topics=critical,error,warning action=syslog-secondary

Encrypted Syslog with Stunnel

# Install stunnel
sudo apt install stunnel4 -y

# Configure stunnel server. It terminates TLS on port 6514 and hands the
# plaintext to the rsyslog TCP listener on 127.0.0.1:514, so the optional
# imtcp input from section 4 must be enabled. The sending side needs a TLS
# client as well: RouterOS sends plain UDP syslog, so this protects the hop
# from a relay running stunnel in client mode, not the router's own traffic.
sudo nano /etc/stunnel/rsyslog.conf

[rsyslog]
accept = 6514
connect = 127.0.0.1:514
cert = /etc/stunnel/stunnel.pem

# Generate a self-signed certificate (private key and certificate end up in
# the same file; keep it readable only by root, mode 600)
sudo openssl req -new -x509 -days 365 -nodes \
    -out /etc/stunnel/stunnel.pem \
    -keyout /etc/stunnel/stunnel.pem

# Enable and start stunnel
sudo systemctl enable stunnel4
sudo systemctl start stunnel4

Integration with Elasticsearch

# Install Elasticsearch output module
sudo apt install rsyslog-elasticsearch -y

# Configure Elasticsearch output
sudo nano /etc/rsyslog.d/60-elasticsearch.conf

module(load="omelasticsearch")

# Hand-built JSON: every property that carries router-supplied text is emitted
# with format="json" so quotes and backslashes cannot break the document
template(name="mikrotik-json"
  type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")
    property(name="hostname" format="json")
    constant(value="\",\"severity\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"tag\":\"")
    property(name="syslogtag" format="json")
    constant(value="\",\"message\":\"")
    property(name="msg" format="json")
    constant(value="\"}")
}

# With dynSearchIndex="on", searchIndex names a template that produces the
# index name; this one creates a new index per day (mikrotik-2024.01.05)
template(name="mikrotik-index" type="string"
  string="mikrotik-%$YEAR%.%$MONTH%.%$DAY%"
)

# searchType is the legacy mapping type. Elasticsearch 7 and later have no
# mapping types, so check the omelasticsearch documentation for your version
# before keeping that parameter. The queue.* parameters only take effect with
# a non-direct queue type, hence queue.type is set explicitly.
if $fromhost-ip startswith '192.168.1.' then {
    action(type="omelasticsearch"
           server="localhost"
           serverport="9200"
           template="mikrotik-json"
           searchIndex="mikrotik-index"
           dynSearchIndex="on"
           searchType="events"
           bulkmode="on"
           queue.type="LinkedList"
           queue.size="5000"
           queue.dequeuebatchsize="300"
           action.resumeretrycount="-1")
}

Database Storage with MySQL

# Install MySQL module
sudo apt install rsyslog-mysql -y

# Create database, table and a least-privilege user for rsyslog
mysql -u root -p
CREATE DATABASE syslog;
USE syslog;
CREATE TABLE mikrotik_logs (
    id INT AUTO_INCREMENT PRIMARY KEY,
    received_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    host VARCHAR(255),
    facility INT,
    priority INT,
    level INT,
    tag VARCHAR(50),
    message TEXT,
    INDEX idx_received (received_at),
    INDEX idx_host (host)
);
-- rsyslog only needs to insert rows. Use the same credentials as pwd= in
-- 50-mysql.conf and replace 'password' with a strong one.
CREATE USER 'syslog_user'@'localhost' IDENTIFIED BY 'password';
GRANT INSERT ON syslog.mikrotik_logs TO 'syslog_user'@'localhost';
FLUSH PRIVILEGES;

# Configure rsyslog for MySQL
sudo nano /etc/rsyslog.d/50-mysql.conf

module(load="ommysql")

# option.sql="on" makes rsyslog escape quotes in every property value, so
# router-supplied text cannot break out of the INSERT statement
template(name="sql-template"
  type="list"
  option.sql="on") {
    constant(value="INSERT INTO mikrotik_logs (host, facility, priority, level, tag, message) VALUES ('")
    property(name="hostname")
    constant(value="',")
    property(name="syslogfacility")
    constant(value=",")
    property(name="syslogpriority")
    constant(value=",")
    property(name="syslogseverity")
    constant(value=",'")
    property(name="syslogtag")
    constant(value="','")
    property(name="msg")
    constant(value="')")
}

# This file holds the database password: keep it readable by root only.
# 'password' is a placeholder for the password given to CREATE USER above.
if $fromhost-ip startswith '192.168.1.' then {
    action(type="ommysql"
           server="localhost"
           db="syslog"
           uid="syslog_user"
           pwd="password"
           template="sql-template")
}

Custom Processing Script

sudo nano /usr/local/bin/mikrotik-processor.py

#!/usr/bin/env python3
"""Per-message processor fed by rsyslog's omprog action.

Expects lines in the MikroTikFormat template defined in 30-mikrotik.conf:
    Mmm dd HH:MM:SS HOSTNAME [facility.severity] tag message
"""
import json
import re
import sys
from datetime import datetime

# The timestamp contains a double space for days below 10 ("Jan  5"); the
# tag is the RouterOS topic list (e.g. "firewall,info"), optionally followed
# by a colon
LINE_PATTERN = re.compile(
    r'^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) \[([\w-]+)\.(\w+)\] (\S+?):?\s+(.*)$'
)
# RouterOS firewall entries log the connection as src:port->dst:port
CONN_PATTERN = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?->(\d{1,3}(?:\.\d{1,3}){3})')

FAILED_LOGIN_LOG = '/var/log/mikrotik/alerts/failed-logins.log'
FIREWALL_JSON = '/var/log/mikrotik/firewall/processed.json'


def parse_line(line):
    """Split one formatted log line into its fields, or return None."""
    match = LINE_PATTERN.match(line)
    if not match:
        return None
    return {
        'timestamp': match.group(1),
        'hostname': match.group(2),
        'facility': match.group(3),
        'severity': match.group(4),
        'program': match.group(5),
        'message': match.group(6),
    }


def process_log(line):
    """Process one MikroTik log line."""
    log_data = parse_line(line)
    if log_data is None:
        return

    # Record failed logins for later review
    if 'login failure' in log_data['message'].lower():
        with open(FAILED_LOGIN_LOG, 'a') as f:
            f.write(f"{datetime.now()}: {log_data['hostname']} - {log_data['message']}\n")

    # Extract source and destination from firewall entries
    if 'firewall' in log_data['program'].lower():
        conn = CONN_PATTERN.search(log_data['message'])
        if conn:
            firewall_data = {
                'timestamp': log_data['timestamp'],
                'router': log_data['hostname'],
                'src_ip': conn.group(1),
                'dst_ip': conn.group(2),
                # Relies on the DROP-* log prefixes set on the firewall rules
                'action': 'DROP' if 'DROP' in log_data['message'] else 'ACCEPT',
            }
            with open(FIREWALL_JSON, 'a') as f:
                json.dump(firewall_data, f)
                f.write('\n')


if __name__ == '__main__':
    # omprog starts the script once and writes one message per line to stdin
    for line in sys.stdin:
        process_log(line.rstrip('\n'))

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-processor.py

# Add to rsyslog configuration
sudo nano /etc/rsyslog.d/70-processor.conf

# A module may be loaded only once; remove this line if an earlier file in
# /etc/rsyslog.d already loads omprog
module(load="omprog")

if $fromhost-ip startswith '192.168.1.' then {
    # Feed the processor the same line layout it parses (defined in 30-mikrotik.conf)
    action(type="omprog"
           binary="/usr/local/bin/mikrotik-processor.py"
           template="MikroTikFormat")
}
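The daily report's failed-login section and the processor above both look at single lines. The following added Python example (not from the guide) correlates RouterOS login failures per router and source address over a sliding window, run here over constructed lines in the guide's MikroTikFormat layout; the "login failure for user X from IP via service" wording is an assumption about RouterOS output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# One line of the guide's MikroTikFormat template: Mmm dd HH:MM:SS HOST [fac.sev] tag msg
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"\[(?P<fac>[\w-]+)\.(?P<sev>\w+)\] (?P<rest>.*)$")
# Assumed RouterOS wording of a failed login attempt
FAIL_RE = re.compile(
    r"login failure for user (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) via (?P<svc>\w+)")


def parse_ts(stamp: str, year: int) -> datetime:
    """RFC 3164 timestamps carry no year and pad the day with a space."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 300, year: int = 2024) -> List[dict]:
    """Alert once per (router, source IP) that reaches `threshold` failed logins
    inside any `window_s`-second window."""
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    users: Dict[Tuple[str, str], set] = defaultdict(set)
    fired = set()
    alerts: List[dict] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        f = FAIL_RE.search(m.group("rest"))
        if not f:
            continue
        key = (m.group("host"), f.group("src"))
        ts = parse_ts(m.group("ts"), year)
        q = recent[key]
        q.append(ts)
        users[key].add(f.group("user"))
        # Drop failures that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"router": key[0], "src": key[1], "count": len(q),
                           "first": q[0], "last": q[-1],
                           "users": sorted(users[key])})
    return alerts


# Constructed sample lines (not real router output); the 11:40 failure is
# outside the 5-minute window and must not count
SAMPLE_LINES = [
    "Jan  5 11:40:00 Router-01 [daemon.err] system,error,critical login failure for user admin from 203.0.113.7 via ssh",
    "Jan  5 12:00:00 Router-01 [daemon.err] system,error,critical login failure for user admin from 203.0.113.7 via ssh",
    "Jan  5 12:00:10 Router-01 [daemon.err] system,error,critical login failure for user root from 203.0.113.7 via ssh",
    "Jan  5 12:00:15 Router-01 [daemon.info] system,info,account user admin logged in from 192.168.1.50 via winbox",
    "Jan  5 12:00:20 Router-01 [daemon.err] system,error,critical login failure for user admin from 203.0.113.7 via ssh",
    "Jan  5 12:00:25 Router-02 [daemon.err] system,error,critical login failure for user admin from 198.51.100.4 via www",
    "Jan  5 12:00:30 Router-01 [daemon.err] system,error,critical login failure for user admin from 203.0.113.7 via ssh",
    "Jan  5 12:00:40 Router-01 [daemon.err] system,error,critical login failure for user admin from 203.0.113.7 via ssh",
    "Jan  5 12:00:50 Router-01 [daemon.err] system,error,critical login failure for user admin from 203.0.113.7 via ssh",
]


def run_sample() -> List[dict]:
    return detect_bruteforce(SAMPLE_LINES)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['router']}: {a['count']} failed logins from {a['src']} between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S} (users: {', '.join(a['users'])})")
```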

12. Conclusion and Next Steps

Implementation Checklist

  • ✓ Linux server prepared with static IP
  • ✓ Time synchronization configured
  • ✓ rsyslog installed and configured
  • ✓ Firewall rules implemented
  • ✓ MikroTik routers configured for remote logging
  • ✓ Log rotation configured
  • ✓ Monitoring scripts deployed
  • ✓ Performance optimizations applied
  • ✓ Backup procedures in place
  • ✓ Documentation completed

Recommended Next Steps

  1. Deploy monitoring dashboard – Consider Grafana for visualization
  2. Implement alerting – Set up Prometheus AlertManager
  3. Automate compliance reports – Schedule regulatory reports
  4. Plan disaster recovery – Create backup syslog servers
  5. Integrate with SIEM – Connect to Security Information and Event Management platform

Maintenance Schedule

Task                   Frequency   Command/Action
Check disk space       Daily       df -h /var/log
Verify log reception   Daily       /usr/local/bin/syslog-healthcheck.sh
Review error logs      Weekly      grep ERROR /var/log/mikrotik/alerts/errors.log
Test log rotation      Monthly     sudo logrotate -d /etc/logrotate.d/mikrotik
Update system          Monthly     sudo apt update && sudo apt upgrade
Archive old logs       Quarterly   /usr/local/bin/mikrotik-log-cleanup.sh

Additional Resources

Support and Community

  • MikroTik Forum: forum.mikrotik.com
  • rsyslog Mailing List: rsyslog@lists.adiscon.net
  • Stack Overflow: Tag questions with rsyslog and mikrotik

Final Notes

This configuration provides a production-ready syslog server for MikroTik routers. Regular monitoring and maintenance ensure reliable log collection. Adjust configurations based on your specific network size and requirements.

Remember to test all configurations in a lab environment before deploying to production. Document any customizations for future reference and team knowledge sharing.

