Log Management

Document revision 1.1 (3-Feb-2003)
This document applies to MikroTik RouterOS v2.7

Summary

Various system events and status information can be logged. Logs can be saved in a file on the router or sent to a remote server running a syslog daemon. MikroTik provides a shareware Windows Syslog daemon, which can be downloaded from www.mikrotik.com.

Specifications

Packages required : system
License required : Any
Home menu level : /system logging, /log
Protocols utilized : Syslog
Hardware usage: not significant

Related Documents

Software Package Installation and Upgrading

Description

The logging feature sends all of your actions on the router to a log file or to a logging daemon. The router has several global configuration settings that apply to logging. Log messages are grouped into facilities. Logs from each facility can be configured to be discarded, logged locally or logged remotely.

General Settings

Submenu level : /system logging
[admin@MikroTik] system logging> print                     
    default-remote-address: 0.0.0.0                        
       default-remote-port: 0                              
              buffer-lines: 100                            
[admin@MikroTik] system logging>

Property Description

default-remote-address (IP address; default: 0.0.0.0) - remote log server IP address. Used when remote logging is enabled but no IP address of the remote server is specified
default-remote-port (integer; default: 0) - remote log server UDP port. Used when remote logging is enabled but no UDP port of the remote server is specified
buffer-lines (integer; default: 100) - number of lines kept in the local buffer. Contents of the local logs can be viewed using the /log print command. When the number of lines in the local log buffer is exceeded, lines from the beginning of the buffer are deleted

Example

To use the 10.5.13.11 host, listening on port 514, as the default remote system-log server:
[admin@MikroTik] system logging> print
    default-remote-address: 10.5.13.11
       default-remote-port: 514
              buffer-lines: 100
[admin@MikroTik] system logging>

Log Classification

Submenu level : /system logging facility

Property Description

facility (name) - name of the log group, message type
logging (none | local | remote; default: local) - type of logging:
  • local - logs are stored in local log buffer. Local logs can be viewed using /log print command
  • none - logs from this source are discarded
  • remote - logs are sent to remote log server
prefix (string; default: "") - local log prefix
remote-address (IP address; default: "") - remote log server IP address. Used when logging type is remote. If not set, default log server IP address is used
remote-port (integer; default: "") - remote log server UDP port. Used when logging type is remote. If not set, default log server UDP port is used
echo (yes | no; default: no) - whether to echo the message of this type to the active (logged-in) consoles

Notes

You cannot add, delete or rename the facilities: they are added and removed with the packages they are associated with.

The System-Echo facility has its default echo property set to yes.

Example

To force the router to send Firewall-Log to the 10.5.13.11 server, and System-Info, System-Error and System-Warning to the 10.5.13.12 server:
[admin@MikroTik] system logging facility> set Firewall-Log logging=remote remote-address=10.5.13.11 remote-port=514
[admin@MikroTik] system logging facility> set System-Info,System-Error,System-Warning logging=remote remote-address=10.5.13.12 remote-port=514
[admin@MikroTik] system logging facility> print
  # FACILITY          LOGGING PREFIX           REMOTE-ADDRESS  REMOTE-PORT ECHO
  0 Firewall-Log      remote                   10.5.13.11      514         no
  1 PPP-Account       local                                                no
  2 PPP-Info          local                                                no
  3 PPP-Error         local                                                no
  4 System-Info       remote                   10.5.13.12      514         no
  5 System-Error      remote                   10.5.13.12      514         no
  6 System-Warning    remote                   10.5.13.12      514         no
  7 Telephony-Info    local                                                no
  8 Telephony-Error   local                                                no
  9 Prism-Info        local                                                no
 10 Web-Proxy-Access  local                                                no
 11 ISDN-Info         local                                                no
 12 Hotspot-Account   local                                                no
 13 OSPF-Info         local                                                no
 14 Hotspot-Error     local                                                no
 15 IPsec-Event       local                                                no
 16 IKE-Event         local                                                no
 17 IPsec-Warning     local                                                no
 18 System-Echo       local                                                yes

[admin@MikroTik] system logging facility>
    

Log Messages

Submenu level : /log

Property Description

time (string) - date and time of the event
message (string) - message text

Notes

The print command has a new argument, follow, that can be used to monitor the log message list and see new messages as they arrive. Use [Ctrl]+[C] to exit from this mode.

Example

To view the local logs:
[admin@MikroTik] log> print
 TIME                 MESSAGE
 jan/28/2003 21:28:34 user admin logged out via console
 jan/28/2003 21:28:34 user admin logged out via console
 jan/28/2003 21:54:35 user admin logged in via console
 jan/28/2003 22:09:24 ipsec peer removed by admin
 jan/28/2003 22:10:19 ipsec policy changed by admin
 jan/28/2003 23:18:02 pool our-dhcp-clients added by admin
 jan/29/2003 05:55:44 log configuration changed by admin
 jan/29/2003 06:13:33 log configuration changed by admin
 jan/29/2003 06:13:33 log configuration changed by admin
-- more

To monitor the system log:
[admin@MikroTik] log> print follow
 jan/28/2003 21:28:34 user admin logged out via console
 jan/28/2003 21:28:34 user admin logged out via console
 jan/28/2003 21:54:35 user admin logged in via console
 jan/28/2003 22:09:24 ipsec peer removed by admin
 jan/28/2003 22:10:19 ipsec policy changed by admin
 jan/28/2003 23:18:02 pool our-dhcp-clients added by admin
 jan/29/2003 05:55:44 log configuration changed by admin
 jan/29/2003 06:13:33 log configuration changed by admin
 jan/29/2003 06:13:33 log configuration changed by admin
-- Ctrl-C to quit. New entries will appear at bottom.
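
An added example, not part of the MikroTik manual: a Python parser for the /log print line format shown above that flags entries worth reviewing, such as changes to the logging configuration itself. The watch list RULES, the function names and the embedded sample are assumptions of this example; the sample lines are copied from the output above.

```python
import re
from datetime import datetime

# Constructed sample: the `/log print` output shown above, header and pager line included.
SAMPLE = """\
 TIME                 MESSAGE
 jan/28/2003 21:28:34 user admin logged out via console
 jan/28/2003 21:28:34 user admin logged out via console
 jan/28/2003 21:54:35 user admin logged in via console
 jan/28/2003 22:09:24 ipsec peer removed by admin
 jan/28/2003 22:10:19 ipsec policy changed by admin
 jan/28/2003 23:18:02 pool our-dhcp-clients added by admin
 jan/29/2003 05:55:44 log configuration changed by admin
 jan/29/2003 06:13:33 log configuration changed by admin
 jan/29/2003 06:13:33 log configuration changed by admin
-- more
"""

MONTHS = "jan feb mar apr may jun jul aug sep oct nov dec".split()
LINE_RE = re.compile(r"^\s*([a-z]{3})/(\d\d)/(\d{4}) (\d\d):(\d\d):(\d\d)\s+(.*\S)\s*$")

# Hypothetical watch list (an assumption of this example, not a RouterOS feature).
RULES = [
    ("log-config-change", re.compile(r"^log configuration changed by (\S+)$")),
    ("ipsec-change", re.compile(r"^ipsec (?:peer|policy) \w+ by (\S+)$")),
    ("login", re.compile(r"^user (\S+) logged in via \S+$")),
]

def parse_line(line):
    """Return (datetime, message) for a log entry, or None for prompts, headers and pager lines."""
    m = LINE_RE.match(line)
    if not m or m.group(1) not in MONTHS:
        return None
    mon, day, year, hh, mi, ss, msg = m.groups()
    return datetime(int(year), MONTHS.index(mon) + 1, int(day), int(hh), int(mi), int(ss)), msg

def audit(text):
    """Return (timestamp, rule name, user) for each entry that matches the watch list."""
    findings = []
    for when, msg in filter(None, map(parse_line, text.splitlines())):
        for name, rx in RULES:
            hit = rx.match(msg)
            if hit:
                findings.append((when, name, hit.group(1)))
                break
    return findings

if __name__ == "__main__":
    for when, name, user in audit(SAMPLE):
        print(when.isoformat(sep=" "), name, user)
```

Because buffer-lines keeps only the most recent entries on the router, run a check like this against logs collected on the remote server, where older entries are still available.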
    


© Copyright 1999-2003, MikroTik