cscli parsers install a1ad/mikrotik-logs
Parser for Mikrotik Logs.
You need a remote syslog server: there is no CrowdSec agent for RouterOS, so the logs are parsed on the rsyslog host that receives them. On the MikroTik, add a logging rule for the "firewall" topic with the remote action, and enable logging on the firewall drop rule itself (log=yes), otherwise no drop lines are ever sent. For login failures also forward the "error" topic, which is where "login failure for user ... from ..." messages are logged. Keep the acquisition label type: mikrotik, because the parser's filter only accepts events whose program is 'mikrotik'. Note that both grok patterns expect an ISO 8601 timestamp at the start of every line, so rsyslog must write the file with a template that produces one (RSYSLOG_FileFormat does; the traditional "Mar  1 12:34:56" format will not match and the lines are silently ignored).
---
Acquisition entry (acquis.yaml):
filenames:
  - /var/log/rsyslog/10.10.10.1/syslog.log
labels:
  type: mikrotik

Parser (a1ad/mikrotik-logs):
onsuccess: next_stage
#debug: true
filter: "evt.Parsed.program == 'mikrotik'"
name: a1ad/mikrotik-logs
description: "Parse Mikrotik logs"
pattern_syntax:
  MIKROTIK_FIREWALL_DROP: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* %{DATA:tag} input: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, len %{INT:length}"
  MIKROTIK_AUTH_FAILED: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* login failure for user %{USERNAME:invalid_user} from %{IP:source_ip}"
nodes:
  - grok:
      name: "MIKROTIK_FIREWALL_DROP"
      apply_on: message
    statics:
      - meta: service
        value: tcp_udp
      - meta: log_type
        value: mikrotik_drop
      - meta: dst_port
        expression: "evt.Parsed.dst_port"
  - grok:
      name: "MIKROTIK_AUTH_FAILED"
      apply_on: message
    statics:
      - meta: service
        value: mikrotik
      - meta: log_type
        value: mikrotik_failed_auth
      - meta: user
        expression: "evt.Parsed.invalid_user"
statics:
  - meta: source_ip
    expression: "evt.Parsed.source_ip"
  - target: evt.StrTime
    expression: evt.Parsed.timestamp
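To check what the two grok patterns actually extract before deploying the parser, the following added example (not part of the hub page or of the a1ad parser) expands the patterns into Python regexes and runs them over constructed sample lines in the rsyslog ISO 8601 file format, then builds the meta fields the parser's statics would set. The base grok definitions (IP, MAC, HOSTNAME, ...) are simplified stand-ins for the real grok library patterns (assumption: close enough for these lines; IPv6 is not covered), and the three sample lines are constructed, not captured from a router.

```python
"""Added example: expand the a1ad/mikrotik-logs grok patterns and test them offline."""
import re
from typing import Optional

# Simplified stand-ins for the grok base patterns the parser refers to (assumption).
BASE = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9._-]*",
    "DATA": r".*?",
    "MAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
    "WORD": r"\w+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",   # IPv4 only in this example
    "INT": r"[+-]?\d+",
    "USERNAME": r"[A-Za-z0-9._-]+",
}

# The two patterns exactly as they appear in the parser's pattern_syntax.
PATTERNS = {
    "MIKROTIK_FIREWALL_DROP": "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* %{DATA:tag} input: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, len %{INT:length}",
    "MIKROTIK_AUTH_FAILED": "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* login failure for user %{USERNAME:invalid_user} from %{IP:source_ip}",
}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Replace every %{NAME:field} with a named group and %{NAME} with a plain group.
    Everything outside %{...} is already regex syntax in grok, so it is kept as-is."""
    def repl(m: "re.Match[str]") -> str:
        name, field = m.group(1), m.group(2)
        body = BASE[name]
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return re.compile(GROK_REF.sub(repl, pattern))


COMPILED = {name: grok_to_regex(p) for name, p in PATTERNS.items()}


def parse_line(line: str) -> Optional[dict]:
    """Mimic the parser: try the nodes in order and return the meta the statics
    would set (plus the raw captured fields under 'parsed'). None means the line
    would not be parsed by this parser at all."""
    m = COMPILED["MIKROTIK_FIREWALL_DROP"].search(line)
    if m:
        p = m.groupdict()
        return {"service": "tcp_udp", "log_type": "mikrotik_drop",
                "dst_port": p["dst_port"], "source_ip": p["source_ip"],
                "timestamp": p["timestamp"], "parsed": p}
    m = COMPILED["MIKROTIK_AUTH_FAILED"].search(line)
    if m:
        p = m.groupdict()
        return {"service": "mikrotik", "log_type": "mikrotik_failed_auth",
                "user": p["invalid_user"], "source_ip": p["source_ip"],
                "timestamp": p["timestamp"], "parsed": p}
    return None


# Constructed sample lines (RSYSLOG_FileFormat style, ISO 8601 timestamp first).
DROP_LINE = ("2024-03-01T12:34:56.123456+01:00 router firewall,info drop input: "
             "in:ether1 out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:55, "
             "proto TCP (SYN), 203.0.113.5:51234->192.0.2.1:22, len 60")
AUTH_LINE = ("2024-03-01T12:35:10.000000+01:00 router system,error,critical "
             "login failure for user admin from 203.0.113.5 via ssh")
# Same drop event in rsyslog's traditional timestamp format: no ISO 8601 timestamp,
# so the parser does not match it.
LEGACY_LINE = ("Mar  1 12:34:56 router firewall,info drop input: in:ether1 out:(unknown 0), "
               "connection-state:new src-mac 00:11:22:33:44:55, proto TCP (SYN), "
               "203.0.113.5:51234->192.0.2.1:22, len 60")

if __name__ == "__main__":
    for line in (DROP_LINE, AUTH_LINE, LEGACY_LINE):
        print(parse_line(line))
```

Running it prints the meta for the drop and the login failure (source_ip 203.0.113.5, dst_port 22, user admin) and None for the legacy-format line, which is the quickest way to confirm that your rsyslog template produces lines the parser accepts.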