Linux Syslog Server for MikroTik Router Logs - Configuration Guide

0 Shares

Linux servers provide the most cost-effective and reliable solution for centralized MikroTik log collection. This guide teaches you how to build a production-ready syslog server.

Benefits of Linux Syslog Servers

Zero licensing costs – Free and open-source software
High performance – Handles thousands of messages per second
Unlimited storage – No artificial log volume restrictions
Complete customization – Full control over log processing
Integration ready – Works with any SIEM platform

Popular Linux Syslog Daemons

rsyslog – Default on Ubuntu/RHEL, feature-rich, best performance
syslog-ng – Advanced filtering, reliable TCP transport
journald – Systemd integration, structured logging

This guide focuses on rsyslog as it ships default with most distributions and offers the best MikroTik compatibility.

2. Linux Syslog Server Architecture

Data Flow Overview

MikroTik Router → UDP Port 514 → Linux Server → rsyslog Daemon → Log Files → Analysis Tools
     ↓                ↓               ↓             ↓                ↓            ↓
  Log Events    Network Layer    Firewall    Processing Rules   Rotation    Monitoring

File System Structure

/var/log/mikrotik/ – Main directory for MikroTik logs
/var/log/mikrotik/[hostname]/ – Per-device log directories
/etc/rsyslog.d/ – Configuration files location
/var/spool/rsyslog/ – Queue and buffer storage

System Requirements by Scale

Environment	CPU Cores	RAM	Storage	Network
Small Office (1-5 routers)	2	4 GB	50 GB	100 Mbps
Enterprise (10-50 routers)	4	16 GB	500 GB	1 Gbps
ISP/Large (50+ routers)	8+	32 GB	1 TB SSD	10 Gbps

3. Preparing Your Linux Server

Step 1: Update the Operating System

# For Ubuntu/Debian systems
sudo apt update && sudo apt upgrade -y

# For RHEL/CentOS/Rocky Linux systems
sudo yum update -y

Step 2: Configure Time Synchronization

Accurate timestamps are critical for log analysis. Install and configure NTP:

# Install Chrony NTP daemon
sudo apt install chrony -y

# Enable and start the service
sudo systemctl enable --now chrony

# Verify time synchronization
timedatectl status
chronyc sources

Step 3: Set Static IP Address

Configure a static IP for reliable log delivery. For Ubuntu 20.04+ using Netplan:

# Edit Netplan configuration
sudo nano /etc/netplan/01-netcfg.yaml

# Add this configuration:
network:
  version: 2
  ethernets:
    eth0:
      addresses:
        - 192.168.1.100/24
      gateway4: 192.168.1.1
      nameservers:
        addresses:
          - 8.8.8.8
          - 8.8.4.4

# Apply the configuration
sudo netplan apply

# Verify the IP address
ip addr show

Step 4: Create Log Directory Structure

# Create MikroTik log directories
sudo mkdir -p /var/log/mikrotik/{archive,alerts,firewall}

# Set proper permissions
sudo chown -R syslog:adm /var/log/mikrotik
sudo chmod -R 755 /var/log/mikrotik

4. Installing and Configuring rsyslog

Step 1: Install rsyslog

# Install rsyslog and utilities
sudo apt install rsyslog rsyslog-doc -y

# Verify installation
rsyslogd -v

# Enable and start service
sudo systemctl enable rsyslog
sudo systemctl start rsyslog

Step 2: Enable UDP Reception

Edit the main rsyslog configuration file:

sudo nano /etc/rsyslog.conf

# Uncomment these lines to enable UDP:
module(load="imudp")
input(type="imudp" port="514")

# Optional: Enable TCP for reliable delivery
module(load="imtcp")
input(type="imtcp" port="514")

# Save and exit

Step 3: Create MikroTik-Specific Configuration

Create a dedicated configuration file for MikroTik logs:

sudo nano /etc/rsyslog.d/30-mikrotik.conf

Add this configuration:

# Define template for MikroTik log format
template(name="MikroTikFormat" type="string"
  string="%timegenerated% %HOSTNAME% [%syslogfacility-text%.%syslogseverity-text%] %syslogtag%%msg%\n"
)

# Define dynamic file path based on hostname
template(name="MikroTikFile" type="string"
  string="/var/log/mikrotik/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log"
)

# Rule: Process logs from MikroTik IP range
if $fromhost-ip startswith '192.168.1.' then {
    # Write to dynamic file based on hostname
    action(type="omfile" 
           dynaFile="MikroTikFile" 
           template="MikroTikFormat"
           createDirs="on"
           dirCreateMode="0755"
           fileCreateMode="0644")
    
    # Also maintain a combined log file
    action(type="omfile" 
           file="/var/log/mikrotik/all-routers.log" 
           template="MikroTikFormat")
    
    # Stop processing to prevent duplicate logging
    stop
}

Step 4: Configure Severity-Based Filtering

sudo nano /etc/rsyslog.d/31-mikrotik-severity.conf

# Add severity-based rules:
# Critical alerts (emergency, alert, critical)
if $fromhost-ip startswith '192.168.1.' and $syslogseverity <= 2 then {
    action(type="omfile" 
           file="/var/log/mikrotik/alerts/critical.log"
           template="MikroTikFormat")
    
    # Execute alert script
    action(type="omprog"
           binary="/usr/local/bin/mikrotik-alert.sh")
}

# Error logs
if $fromhost-ip startswith '192.168.1.' and $syslogseverity == 3 then {
    action(type="omfile" 
           file="/var/log/mikrotik/alerts/errors.log"
           template="MikroTikFormat")
}

# Firewall-specific logs
if $fromhost-ip startswith '192.168.1.' and $programname == 'firewall' then {
    action(type="omfile" 
           file="/var/log/mikrotik/firewall/firewall.log"
           template="MikroTikFormat")
}

Step 5: Restart rsyslog Service

# Test configuration
sudo rsyslogd -N1

# Restart service
sudo systemctl restart rsyslog

# Check status
sudo systemctl status rsyslog

5. MikroTik Router Configuration

Step 1: Configure Logging Action via CLI

Connect to your MikroTik router and run these commands:

# Create remote syslog action
/system logging action
add name="syslog-server" target=remote \
    remote=192.168.1.100 \
    remote-port=514 \
    src-address=192.168.1.1 \
    bsd-syslog=yes \
    syslog-facility=daemon \
    syslog-severity=auto

# Show the created action
/system logging action print

Step 2: Configure Logging Rules

# Remove default memory logging to prevent duplication
/system logging
remove [find action=memory]

# Add logging rules for different topics
add topics=critical action=syslog-server prefix="CRITICAL"
add topics=error action=syslog-server prefix="ERROR"
add topics=warning action=syslog-server prefix="WARNING"
add topics=system,info action=syslog-server
add topics=firewall action=syslog-server prefix="FW"
add topics=wireless,info action=syslog-server prefix="WIFI"
add topics=dhcp action=syslog-server prefix="DHCP"
add topics=hotspot,info action=syslog-server prefix="HOTSPOT"
add topics=pppoe,info action=syslog-server prefix="PPPoE"

# Keep local logging for critical events
add topics=critical action=memory
add topics=error action=memory

Step 3: Configure Firewall Logging

# Add logging to firewall rules
/ip firewall filter
add chain=forward action=drop connection-state=invalid \
    log=yes log-prefix="DROP-INVALID"
    
add chain=input action=drop src-address-list=blacklist \
    log=yes log-prefix="DROP-BLACKLIST"
    
# Log connection tracking
/ip firewall connection tracking
set enabled=yes

Step 4: Test Logging

# Generate test log entry
/log info "TEST: Syslog configuration test from $[/system identity get name]"
/log warning "TEST: Warning message test"
/log error "TEST: Error message test"

# Check if logs are being sent
/system logging action print stats

MikroTik Configuration via WinBox

Open WinBox and connect to your router
Navigate to System → Logging
Click on Actions tab
Click + to add new action
Set the following:
- Name: syslog-server
- Type: remote
- Remote Address: 192.168.1.100
- Remote Port: 514
- BSD Syslog: ✓
- Syslog Facility: daemon
Click OK to save
Go to Rules tab
Add rules for each topic you want to log

6. Firewall Configuration

UFW Configuration (Ubuntu)

# Allow syslog from MikroTik network
sudo ufw allow from 192.168.1.0/24 to any port 514 proto udp comment 'Syslog UDP'
sudo ufw allow from 192.168.1.0/24 to any port 514 proto tcp comment 'Syslog TCP'

# Reload firewall
sudo ufw reload

# Verify rules
sudo ufw status verbose

iptables Configuration

# Allow UDP syslog traffic
sudo iptables -A INPUT -p udp --dport 514 -s 192.168.1.0/24 -j ACCEPT -m comment --comment "Syslog UDP"

# Allow TCP syslog traffic
sudo iptables -A INPUT -p tcp --dport 514 -s 192.168.1.0/24 -j ACCEPT -m comment --comment "Syslog TCP"

# Save rules (Ubuntu/Debian)
sudo apt install iptables-persistent -y
sudo netfilter-persistent save

# Save rules (RHEL/CentOS)
sudo service iptables save

Firewalld Configuration (RHEL/CentOS)

# Create custom service for syslog
sudo firewall-cmd --permanent --new-service=mikrotik-syslog
sudo firewall-cmd --permanent --service=mikrotik-syslog --add-port=514/udp
sudo firewall-cmd --permanent --service=mikrotik-syslog --add-port=514/tcp

# Add service to zone
sudo firewall-cmd --permanent --zone=trusted --add-source=192.168.1.0/24
sudo firewall-cmd --permanent --zone=trusted --add-service=mikrotik-syslog

# Reload configuration
sudo firewall-cmd --reload

# Verify configuration
sudo firewall-cmd --list-all --zone=trusted

Verify Port Listening

# Check if rsyslog is listening on port 514
sudo netstat -ulnp | grep 514
sudo ss -ulnp | grep 514
sudo lsof -i :514

# Expected output:
# udp    0    0 0.0.0.0:514    0.0.0.0:*    -    rsyslogd
# tcp    0    0 0.0.0.0:514    0.0.0.0:*    LISTEN    rsyslogd

7. Log Rotation Setup

Create Logrotate Configuration

sudo nano /etc/logrotate.d/mikrotik

# Add this configuration:
# General MikroTik logs
/var/log/mikrotik/*.log
/var/log/mikrotik/*/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 0640 syslog adm
    sharedscripts
    postrotate
        /usr/bin/systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

# Firewall logs - keep longer
/var/log/mikrotik/firewall/*.log {
    daily
    rotate 90
    compress
    delaycompress
    missingok
    notifempty
    create 0640 syslog adm
    size 100M
    postrotate
        /usr/bin/systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

# Alert logs - keep for compliance
/var/log/mikrotik/alerts/*.log {
    weekly
    rotate 52
    compress
    delaycompress
    missingok
    notifempty
    create 0640 syslog adm
    postrotate
        /usr/bin/systemctl reload rsyslog > /dev/null 2>&1 || true
    endscript
}

Test Log Rotation

# Dry run test
sudo logrotate -d /etc/logrotate.d/mikrotik

# Force immediate rotation
sudo logrotate -f /etc/logrotate.d/mikrotik

# Check rotated logs
ls -la /var/log/mikrotik/

Automated Cleanup Script

sudo nano /usr/local/bin/mikrotik-log-cleanup.sh

#!/bin/bash
# MikroTik Log Cleanup Script

LOG_DIR="/var/log/mikrotik"
DAYS_TO_KEEP=90
ARCHIVE_DIR="${LOG_DIR}/archive"

# Find and compress old logs
find ${LOG_DIR} -name "*.log" -type f -mtime +7 -exec gzip {} \;

# Move old compressed logs to archive
find ${LOG_DIR} -name "*.gz" -type f -mtime +30 -exec mv {} ${ARCHIVE_DIR}/ \;

# Delete very old archived logs
find ${ARCHIVE_DIR} -name "*.gz" -type f -mtime +${DAYS_TO_KEEP} -delete

# Report disk usage
echo "Disk usage report for ${LOG_DIR}:"
du -sh ${LOG_DIR}/*

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-log-cleanup.sh

# Add to crontab
(crontab -l 2>/dev/null; echo "0 2 * * 0 /usr/local/bin/mikrotik-log-cleanup.sh") | crontab -

8. Monitoring and Analysis

Real-Time Log Monitoring

# Monitor all MikroTik logs
tail -f /var/log/mikrotik/all-routers.log

# Monitor with grep filter
tail -f /var/log/mikrotik/all-routers.log | grep --line-buffered "ERROR\|CRITICAL"

# Monitor specific router
tail -f /var/log/mikrotik/Router-01/*.log

# Use multitail for multiple files
sudo apt install multitail -y
multitail /var/log/mikrotik/*/$(date +%Y-%m-%d).log

Create Monitoring Dashboard Script

sudo nano /usr/local/bin/mikrotik-monitor.sh

#!/bin/bash
# MikroTik Log Monitoring Dashboard

clear
while true; do
    echo "=== MikroTik Syslog Monitor - $(date) ==="
    echo ""
    
    # Show log statistics
    echo "Log Statistics (Last 5 minutes):"
    echo "--------------------------------"
    TIMEFRAME=$(date -d '5 minutes ago' '+%b %e %H:%M')
    
    echo -n "Total Events: "
    grep -c "$TIMEFRAME" /var/log/mikrotik/all-routers.log 2>/dev/null || echo "0"
    
    echo -n "Errors: "
    grep "$TIMEFRAME" /var/log/mikrotik/all-routers.log | grep -c "ERROR" 2>/dev/null || echo "0"
    
    echo -n "Warnings: "
    grep "$TIMEFRAME" /var/log/mikrotik/all-routers.log | grep -c "WARNING" 2>/dev/null || echo "0"
    
    echo ""
    echo "Active Routers:"
    echo "---------------"
    find /var/log/mikrotik -maxdepth 1 -type d -mmin -5 | grep -v "^/var/log/mikrotik$" | xargs -n1 basename
    
    echo ""
    echo "Latest Critical Events:"
    echo "----------------------"
    grep "CRITICAL" /var/log/mikrotik/alerts/critical.log | tail -5
    
    sleep 5
    clear
done

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-monitor.sh

Log Analysis Script

sudo nano /usr/local/bin/mikrotik-daily-report.sh

#!/bin/bash
# Daily MikroTik Log Analysis Report

LOG_DIR="/var/log/mikrotik"
REPORT_FILE="/tmp/mikrotik-report-$(date +%Y%m%d).html"
EMAIL="admin@example.com"

# Start HTML report
cat > ${REPORT_FILE} << 'EOF'
<html>
<head><title>MikroTik Daily Log Report</title></head>
<body>
<h1>MikroTik Daily Log Report</h1>
EOF

echo "<p>Report Date: $(date)</p>" >> ${REPORT_FILE}

# Event Summary
echo "<h2>Event Summary (Last 24 Hours)</h2>" >> ${REPORT_FILE}
echo "<ul>" >> ${REPORT_FILE}
echo "<li>Total Events: $(grep -c "" ${LOG_DIR}/all-routers.log)</li>" >> ${REPORT_FILE}
echo "<li>Critical: $(grep -c "CRITICAL" ${LOG_DIR}/all-routers.log)</li>" >> ${REPORT_FILE}
echo "<li>Errors: $(grep -c "ERROR" ${LOG_DIR}/all-routers.log)</li>" >> ${REPORT_FILE}
echo "<li>Warnings: $(grep -c "WARNING" ${LOG_DIR}/all-routers.log)</li>" >> ${REPORT_FILE}
echo "</ul>" >> ${REPORT_FILE}

# Top Firewall Blocks
echo "<h2>Top 10 Blocked IP Addresses</h2>" >> ${REPORT_FILE}
echo "<pre>" >> ${REPORT_FILE}
grep "DROP" ${LOG_DIR}/firewall/firewall.log | \
    grep -oE "SRC=[0-9.]+" | \
    cut -d= -f2 | \
    sort | uniq -c | sort -rn | head -10 >> ${REPORT_FILE}
echo "</pre>" >> ${REPORT_FILE}

# Failed Login Attempts
echo "<h2>Failed Login Attempts</h2>" >> ${REPORT_FILE}
echo "<pre>" >> ${REPORT_FILE}
grep -i "login failure\|failed" ${LOG_DIR}/all-routers.log | tail -20 >> ${REPORT_FILE}
echo "</pre>" >> ${REPORT_FILE}

# Close HTML
echo "</body></html>" >> ${REPORT_FILE}

# Send email report
mail -a "Content-Type: text/html" -s "MikroTik Daily Report" ${EMAIL} < ${REPORT_FILE}

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-daily-report.sh

# Schedule daily execution
(crontab -l 2>/dev/null; echo "0 7 * * * /usr/local/bin/mikrotik-daily-report.sh") | crontab -

Create Alert Script

sudo nano /usr/local/bin/mikrotik-alert.sh

#!/bin/bash
# MikroTik Critical Alert Script

# Read log message from stdin
read LOG_MESSAGE

# Extract details
TIMESTAMP=$(echo "$LOG_MESSAGE" | cut -d' ' -f1-3)
HOSTNAME=$(echo "$LOG_MESSAGE" | cut -d' ' -f4)
MESSAGE=$(echo "$LOG_MESSAGE" | cut -d' ' -f5-)

# Send alert email
echo "Critical alert from MikroTik router ${HOSTNAME} at ${TIMESTAMP}: ${MESSAGE}" | \
    mail -s "CRITICAL: MikroTik Alert - ${HOSTNAME}" admin@example.com

# Send to Slack (optional)
# curl -X POST -H 'Content-type: application/json' \
#     --data "{\"text\":\"Critical: ${HOSTNAME} - ${MESSAGE}\"}" \
#     YOUR_SLACK_WEBHOOK_URL

# Log to separate alert file
echo "$(date) - Alert sent for: ${LOG_MESSAGE}" >> /var/log/mikrotik/alerts/sent-alerts.log

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-alert.sh

9. Performance Optimization

rsyslog Performance Tuning

sudo nano /etc/rsyslog.d/10-performance.conf

# Add performance optimization settings:
# Enable multithreading
$WorkerThreads 4

# Set queue parameters
$ActionQueueType LinkedList
$ActionQueueFileName mikrotik-queue
$ActionResumeRetryCount -1
$ActionQueueSaveOnShutdown on
$ActionQueueMaxDiskSpace 1g
$ActionQueueDiscardMark 9750
$ActionQueueHighWaterMark 8000
$ActionQueueCheckpointInterval 100
$ActionQueueLowWaterMark 2000

# Increase message size for large logs
$MaxMessageSize 64k

# Rate limiting (messages per second)
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 50000

# Use high-precision timestamps
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$SystemLogUsePIDFromSystem on

# Restart rsyslog
sudo systemctl restart rsyslog

System Kernel Tuning

sudo nano /etc/sysctl.d/99-syslog-tuning.conf

# Add kernel parameters:
# Increase UDP buffer sizes
net.core.rmem_default = 262144
net.core.rmem_max = 8388608
net.core.wmem_default = 262144
net.core.wmem_max = 8388608

# Increase network backlog
net.core.netdev_max_backlog = 10000
net.core.netdev_budget = 600

# Increase connection tracking
net.netfilter.nf_conntrack_max = 524288
net.netfilter.nf_conntrack_udp_timeout = 30

# Apply settings
sudo sysctl -p /etc/sysctl.d/99-syslog-tuning.conf

Disk I/O Optimization

# Use separate partition for logs
sudo fdisk -l
sudo mkfs.ext4 /dev/sdb1
sudo mount /dev/sdb1 /var/log/mikrotik

# Add to /etc/fstab for persistence
echo "/dev/sdb1 /var/log/mikrotik ext4 defaults,noatime,nodiratime 0 2" | sudo tee -a /etc/fstab

# Use tmpfs for high-frequency logs (optional)
sudo mount -t tmpfs -o size=2G tmpfs /var/log/mikrotik/temp
echo "tmpfs /var/log/mikrotik/temp tmpfs size=2G,defaults 0 0" | sudo tee -a /etc/fstab

Monitor Performance

# Create performance monitoring script
sudo nano /usr/local/bin/syslog-performance.sh

#!/bin/bash
# Syslog Performance Monitor

echo "=== Syslog Performance Metrics ==="
echo ""

# CPU usage by rsyslog
echo "CPU Usage:"
ps aux | grep rsyslog | grep -v grep | awk '{print "  Process: " $11 " CPU: " $3 "%"}'

# Memory usage
echo ""
echo "Memory Usage:"
ps aux | grep rsyslog | grep -v grep | awk '{print "  RSS: " $6/1024 " MB"}'

# Disk I/O
echo ""
echo "Disk I/O (last 1 min):"
iostat -x 1 2 | grep sda | tail -1 | awk '{print "  Read: " $4 " KB/s Write: " $5 " KB/s"}'

# Network statistics
echo ""
echo "UDP Statistics:"
netstat -su | grep -A 3 "Udp:"

# Log file statistics
echo ""
echo "Log Files:"
echo -n "  Total Size: "
du -sh /var/log/mikrotik/ 2>/dev/null | cut -f1
echo -n "  File Count: "
find /var/log/mikrotik -type f -name "*.log" | wc -l

# Message rate
echo ""
echo "Message Rate (last minute):"
CURRENT=$(wc -l < /var/log/mikrotik/all-routers.log)
sleep 5
NEW=$(wc -l < /var/log/mikrotik/all-routers.log)
RATE=$((($NEW - $CURRENT) * 12))
echo "  Approximately $RATE messages/minute"

# Make executable
sudo chmod +x /usr/local/bin/syslog-performance.sh

10. Troubleshooting Guide

Common Issues and Solutions

Issue 1: No Logs Received

Check network connectivity:

# From MikroTik router
/ping 192.168.1.100 count=5

# From Linux server
ping -c 5 192.168.1.1

Verify rsyslog is listening:

sudo netstat -ulnp | grep 514
sudo ss -ulnp | grep :514

Check firewall rules:

sudo iptables -L -n -v | grep 514
sudo ufw status verbose | grep 514

Test with tcpdump:
```
sudo tcpdump -i any -n port 514 -vv
```

Send test message:

# From another Linux machine
logger -n 192.168.1.100 -P 514 "Test syslog message"

# From MikroTik
/log info "TEST: Manual test message"

Issue 2: Logs Not Formatted Correctly

# Check rsyslog configuration syntax
sudo rsyslogd -N1

# Debug rsyslog processing
sudo rsyslogd -dn 2>&1 | grep mikrotik

# Verify template application
tail -f /var/log/mikrotik/all-routers.log

Issue 3: High CPU Usage

# Check message rate
tail -f /var/log/mikrotik/all-routers.log | pv -l -r > /dev/null

# Identify heavy logging sources
grep -o "^.*\s[0-9.]*\s" /var/log/mikrotik/all-routers.log | \
    cut -d' ' -f2 | sort | uniq -c | sort -rn | head

# Add rate limiting
sudo nano /etc/rsyslog.d/40-ratelimit.conf

# Limit to 1000 messages per second per host
$SystemLogRateLimitInterval 1
$SystemLogRateLimitBurst 1000

# Restart rsyslog
sudo systemctl restart rsyslog

Issue 4: Disk Space Issues

# Check disk usage
df -h /var/log
du -sh /var/log/mikrotik/*

# Find large log files
find /var/log/mikrotik -type f -size +100M -exec ls -lh {} \;

# Emergency cleanup
find /var/log/mikrotik -name "*.log" -mtime +7 -delete
find /var/log/mikrotik -name "*.gz" -mtime +30 -delete

# Compress old logs immediately
find /var/log/mikrotik -name "*.log" -mtime +1 -exec gzip {} \;

Debug Mode Testing

# Run rsyslog in debug mode
sudo rsyslogd -dn 2>&1 | tee /tmp/rsyslog-debug.log

# Check for configuration errors
grep -i "error\|warning" /tmp/rsyslog-debug.log

# Monitor rsyslog internal messages
tail -f /var/log/syslog | grep rsyslog

SELinux Troubleshooting (RHEL/CentOS)

# Check SELinux status
getenforce

# Check for SELinux denials
sudo ausearch -m AVC -ts recent | grep syslog

# Allow rsyslog to create directories
sudo semanage fcontext -a -t syslogd_var_run_t "/var/log/mikrotik(/.*)?"
sudo restorecon -Rv /var/log/mikrotik

# Set boolean for network access
sudo setsebool -P nis_enabled 1

Verification Commands

# Comprehensive system check script
sudo nano /usr/local/bin/syslog-healthcheck.sh

#!/bin/bash
echo "=== Syslog Server Health Check ==="
echo ""

# Service status
echo "1. Service Status:"
systemctl is-active rsyslog && echo "  ✓ rsyslog is running" || echo "  ✗ rsyslog is not running"

# Port listening
echo ""
echo "2. Port Status:"
netstat -ulnp 2>/dev/null | grep -q :514 && echo "  ✓ UDP 514 listening" || echo "  ✗ UDP 514 not listening"

# Disk space
echo ""
echo "3. Disk Space:"
USAGE=$(df /var/log | tail -1 | awk '{print $5}' | sed 's/%//')
if [ $USAGE -lt 80 ]; then
    echo "  ✓ Disk usage: ${USAGE}%"
else
    echo "  ✗ Disk usage critical: ${USAGE}%"
fi

# Recent logs
echo ""
echo "4. Recent Logs:"
COUNT=$(find /var/log/mikrotik -name "*.log" -mmin -5 | wc -l)
echo "  Files modified in last 5 minutes: $COUNT"

# Error check
echo ""
echo "5. Recent Errors:"
grep -i "error\|fail" /var/log/syslog | tail -3

echo ""
echo "=== Check Complete ==="

# Make executable
sudo chmod +x /usr/local/bin/syslog-healthcheck.sh

11. Advanced Configurations

High Availability Setup

# Configure multiple syslog servers on MikroTik
/system logging action
add name="syslog-primary" target=remote remote=192.168.1.100 remote-port=514
add name="syslog-secondary" target=remote remote=192.168.1.101 remote-port=514

/system logging
add topics=critical,error,warning action=syslog-primary
add topics=critical,error,warning action=syslog-secondary

Encrypted Syslog with Stunnel

# Install stunnel
sudo apt install stunnel4 -y

# Configure stunnel server
sudo nano /etc/stunnel/rsyslog.conf

[rsyslog]
accept = 6514
connect = 127.0.0.1:514
cert = /etc/stunnel/stunnel.pem

# Generate certificate
sudo openssl req -new -x509 -days 365 -nodes \
    -out /etc/stunnel/stunnel.pem \
    -keyout /etc/stunnel/stunnel.pem

# Enable and start stunnel
sudo systemctl enable stunnel4
sudo systemctl start stunnel4

Integration with Elasticsearch

# Install Elasticsearch output module
sudo apt install rsyslog-elasticsearch -y

# Configure Elasticsearch output
sudo nano /etc/rsyslog.d/60-elasticsearch.conf

module(load="omelasticsearch")

template(name="mikrotik-json"
  type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"")
    property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")
    property(name="hostname")
    constant(value="\",\"severity\":\"")
    property(name="syslogseverity-text")
    constant(value="\",\"facility\":\"")
    property(name="syslogfacility-text")
    constant(value="\",\"tag\":\"")
    property(name="syslogtag")
    constant(value="\",\"message\":\"")
    property(name="msg" format="json")
    constant(value="\"}")
}

if $fromhost-ip startswith '192.168.1.' then {
    action(type="omelasticsearch"
           server="localhost"
           serverport="9200"
           template="mikrotik-json"
           searchIndex="mikrotik"
           dynSearchIndex="on"
           searchType="events"
           bulkmode="on"
           queue.size="5000"
           queue.dequeuebatchsize="300"
           action.resumeretrycount="-1")
}

Database Storage with MySQL

# Install MySQL module
sudo apt install rsyslog-mysql -y

# Create database and table
mysql -u root -p
CREATE DATABASE syslog;
USE syslog;
CREATE TABLE mikrotik_logs (
    id INT AUTO_INCREMENT PRIMARY KEY,
    received_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
    host VARCHAR(255),
    facility INT,
    priority INT,
    level INT,
    tag VARCHAR(50),
    message TEXT,
    INDEX idx_received (received_at),
    INDEX idx_host (host)
);

# Configure rsyslog for MySQL
sudo nano /etc/rsyslog.d/50-mysql.conf

module(load="ommysql")

template(name="sql-template"
  type="list"
  option.sql="on") {
    constant(value="INSERT INTO mikrotik_logs (host, facility, priority, level, tag, message) VALUES ('")
    property(name="hostname")
    constant(value="',")
    property(name="syslogfacility")
    constant(value=",")
    property(name="syslogpriority")
    constant(value=",")
    property(name="syslogseverity")
    constant(value=",'")
    property(name="syslogtag")
    constant(value="','")
    property(name="msg")
    constant(value="')")
}

if $fromhost-ip startswith '192.168.1.' then {
    action(type="ommysql"
           server="localhost"
           db="syslog"
           uid="syslog_user"
           pwd="password"
           template="sql-template")
}

Custom Processing Script

sudo nano /usr/local/bin/mikrotik-processor.py

#!/usr/bin/env python3
import sys
import re
import json
from datetime import datetime

def process_log(line):
    """Process MikroTik log line"""
    # Parse log components
    pattern = r'^(\w+ \d+ \d+:\d+:\d+) ([\w-]+) \[(\w+)\.(\w+)\] (\w+): (.*)$'
    match = re.match(pattern, line)
    
    if match:
        log_data = {
            'timestamp': match.group(1),
            'hostname': match.group(2),
            'facility': match.group(3),
            'severity': match.group(4),
            'program': match.group(5),
            'message': match.group(6)
        }
        
        # Check for specific patterns
        if 'login failure' in log_data['message'].lower():
            # Alert on failed login
            with open('/var/log/mikrotik/alerts/failed-logins.log', 'a') as f:
                f.write(f"{datetime.now()}: {log_data['hostname']} - {log_data['message']}\n")
        
        if 'firewall' in log_data['program'].lower():
            # Extract firewall data
            src_ip = re.search(r'SRC=([0-9.]+)', log_data['message'])
            dst_ip = re.search(r'DST=([0-9.]+)', log_data['message'])
            
            if src_ip and dst_ip:
                firewall_data = {
                    'timestamp': log_data['timestamp'],
                    'router': log_data['hostname'],
                    'src_ip': src_ip.group(1),
                    'dst_ip': dst_ip.group(1),
                    'action': 'DROP' if 'DROP' in log_data['message'] else 'ACCEPT'
                }
                # Save to JSON file
                with open('/var/log/mikrotik/firewall/processed.json', 'a') as f:
                    json.dump(firewall_data, f)
                    f.write('\n')

# Process stdin
for line in sys.stdin:
    process_log(line.strip())

# Make executable
sudo chmod +x /usr/local/bin/mikrotik-processor.py

# Add to rsyslog configuration
sudo nano /etc/rsyslog.d/70-processor.conf

module(load="omprog")

if $fromhost-ip startswith '192.168.1.' then {
    action(type="omprog"
           binary="/usr/local/bin/mikrotik-processor.py")
}

12. Conclusion and Next Steps

Implementation Checklist

✓ Linux server prepared with static IP
✓ Time synchronization configured
✓ rsyslog installed and configured
✓ Firewall rules implemented
✓ MikroTik routers configured for remote logging
✓ Log rotation configured
✓ Monitoring scripts deployed
✓ Performance optimizations applied
✓ Backup procedures in place
✓ Documentation completed

Recommended Next Steps

Deploy monitoring dashboard – Consider Grafana for visualization
Implement alerting – Set up Prometheus AlertManager
Automate compliance reports – Schedule regulatory reports
Plan disaster recovery – Create backup syslog servers
Integrate with SIEM – Connect to Security Information and Event Management platform

Maintenance Schedule

Task	Frequency	Command/Action
Check disk space	Daily	`df -h /var/log`
Verify log reception	Daily	`/usr/local/bin/syslog-healthcheck.sh`
Review error logs	Weekly	`grep ERROR /var/log/mikrotik/alerts/errors.log`
Test log rotation	Monthly	`sudo logrotate -d /etc/logrotate.d/mikrotik`
Update system	Monthly	`sudo apt update && sudo apt upgrade`
Archive old logs	Quarterly	`/usr/local/bin/mikrotik-log-cleanup.sh`

Additional Resources

Support and Community

MikroTik Forum: forum.mikrotik.com
rsyslog Mailing List: rsyslog@lists.adiscon.net
Stack Overflow: Tag questions with rsyslog and mikrotik

Final Notes

This configuration provides a production-ready syslog server for MikroTik routers. Regular monitoring and maintenance ensure reliable log collection. Adjust configurations based on your specific network size and requirements.

Remember to test all configurations in a lab environment before deploying to production. Document any customizations for future reference and team knowledge sharing.

Check our list of MikroTik guides.