Various system events and status information can be logged. Logs can be saved in a file on the router or sent to a remote server running a syslog daemon. MikroTik provides a shareware Windows Syslog daemon, which can be downloaded from www.mikrotik.com.
The Log Management feature is included in the 'system' package. No installation is needed for this feature.
There is no significant resource usage.
The logging feature sends all of your actions on the router to a log file or to a logging daemon. The router has several global configuration settings that apply to logging. Logs are grouped into facilities, and the logs from each facility can be configured to be discarded, logged locally, or logged remotely.
General settings for the logging facility can be configured in the /system logging menu:
[admin@MikroTik] system logging> print
default-remote-address: 10.5.13.11
default-remote-port: 514
buffer-lines: 100
General logging parameters:
buffer-lines - Number of lines kept in the local buffer. Contents of the local logs can be viewed using the /log print command. When the number of lines in the local log buffer is exceeded, lines from the beginning of the buffer are deleted.
default-remote-address - Remote log server IP address. Used when remote logging is enabled but no IP address of the remote server is specified (IP=0.0.0.0).
default-remote-port - Remote log server UDP port. Used when remote logging is enabled but no UDP port of the remote server is specified (UDP=0).
Individual settings for various logging facilities are in the /system logging facility menu:
[admin@MikroTik] system logging> facility print
  # FACILITY       LOGGING PREFIX REMOTE-ADDRESS REMOTE-PORT
  0 Firewall-Log   none
  1 PPP-Account    none
  2 PPP-Info       remote         10.5.13.10     514
  3 PPP-Error      none
  4 System-Info    remote         10.5.13.11     514
  5 System-Error   remote         10.5.13.11     514
  6 System-Warning local
Logging facility parameters:
facility - (Read-only) Name of the log group.
logging - Type of logging.
prefix - Local log prefix.
remote-address - Remote log server IP address. Used when logging type is remote. If not set, default log server IP address is used.
remote-port - Remote log server UDP port. Used when logging type is remote. If not set, default log server UDP port is used.
Types of logging:
local - logs are stored in the local log buffer. Local logs can be viewed using the /log print command.
none - logs from this source are discarded.
remote - logs are sent to the remote log server.
Use the /log print command to view the local logs:
[admin@MikroTik] > log print
TIME                 MESSAGE
aug/12/2002 16:42:05 user admin logged in via console
aug/12/2002 16:42:32 user admin logged in from 10.0.0.250 via ftp
aug/12/2002 16:42:57 user admin logged out from 10.0.0.250 via ftp
aug/12/2002 16:50:49 user admin logged in from 10.0.0.250 via telnet
aug/12/2002 19:20:53 user admin logged in via web
aug/12/2002 19:23:10 route changed by admin
aug/12/2002 19:23:22 route changed by admin
aug/12/2002 19:26:11 route changed
aug/12/2002 19:26:28 route changed
aug/12/2002 19:37:13 added prefix-list by admin
aug/12/2002 19:38:48 pool a added
aug/12/2002 19:39:00 pool a removed
aug/12/2002 19:39:11 pool a added
-- more
To view complete (not truncated) log lines, use the /log print detail command:
[admin@MikroTik] > log print detail
time=aug/12/2002 16:42:32
message="user admin logged in from 10.0.0.250 via ftp"
time=aug/12/2002 16:42:57
message="user admin logged out from 10.0.0.250 via ftp"
...
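The /log print layout shown above can be audited off the router once the lines have been captured or received by a syslog server. The following is an added example, not part of the MikroTik manual: it parses that layout and reports logins made over unencrypted services. The function names, the month table and the set of services treated as cleartext are assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample in the "/log print" layout shown on this page,
# including the header and pager lines that a captured session contains.
SAMPLE = """\
TIME                 MESSAGE
aug/12/2002 16:42:05 user admin logged in via console
aug/12/2002 16:42:32 user admin logged in from 10.0.0.250 via ftp
aug/12/2002 16:42:57 user admin logged out from 10.0.0.250 via ftp
aug/12/2002 16:50:49 user admin logged in from 10.0.0.250 via telnet
aug/12/2002 19:20:53 user admin logged in via web
aug/12/2002 19:23:10 route changed by admin
-- more
"""

# Assumption: month abbreviations other than "aug" follow the same style.
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), 1)}
LINE = re.compile(r"^([a-z]{3})/(\d{2})/(\d{4}) (\d{2}):(\d{2}):(\d{2}) (.+)$")
LOGIN = re.compile(r"^user (\S+) logged (in|out)(?: from (\S+))? via (\S+)$")
CLEARTEXT = {"ftp", "telnet"}  # assumption: services flagged as unencrypted


def parse(text):
    """Yield (datetime, message); header, pager and blank lines are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1) in MONTHS:
            mon, day, year, hh, mm, ss, msg = m.groups()
            yield datetime(int(year), MONTHS[mon], int(day),
                           int(hh), int(mm), int(ss)), msg


def cleartext_logins(text):
    """Return one record per login made over a service in CLEARTEXT."""
    hits = []
    for ts, msg in parse(text):
        m = LOGIN.match(msg)
        if m and m.group(2) == "in" and m.group(4) in CLEARTEXT:
            hits.append({"time": ts, "user": m.group(1),
                         "source": m.group(3), "service": m.group(4)})
    return hits


if __name__ == "__main__":
    for hit in cleartext_logins(SAMPLE):
        print(hit["time"].isoformat(), hit["user"], hit["source"], hit["service"])
```

Because the local buffer holds only buffer-lines entries before the oldest are deleted, a check like this is best run against the copy kept by the remote log server.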