mikrotik-logs Configuration

« mikrotik-logs »
v0.2 by a1ad
Log parser

Parse Mikrotik logs

Installation

cscli parsers install a1ad/mikrotik-logs

Description

Parser for Mikrotik Logs.

You need to set up a remote syslog server. There is no crowdsec client on the Mikrotik, so log parsing needs to be done on the rsyslog server. Do not forget to set "Firewall" flag in the remote log settings and create a drop rule with logging active. For user authentication you need to set the "error" flag.

---
filenames:
 - /var/log/rsyslog/10.10.10.1/syslog.log
labels:
  type: mikrotik

YAML Configuration

1onsuccess: next_stage
2#debug: true
3filter: "evt.Parsed.program == 'mikrotik'"
4name: a1ad/mikrotik-logs
5description: "Parse Mikrotik logs"
6pattern_syntax:
7  MIKROTIK_FIREWALL_DROP: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* %{DATA:tag} input: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, len %{INT:length}"
8  MIKROTIK_AUTH_FAILED: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* login failure for user %{USERNAME:invalid_user} from %{IP:source_ip}"
9nodes:
10  - grok:
11     name: "MIKROTIK_FIREWALL_DROP"
12     apply_on: message
13    statics:
14      - meta: service
15        value: tcp_udp
16      - meta: log_type
17        value: mikrotik_drop
18      - meta: dst_port
19        expression: "evt.Parsed.dst_port"
20  - grok:
21     name : "MIKROTIK_AUTH_FAILED"
22     apply_on: message
23    statics:
24      - meta: service
25        value: mikrotik
26      - meta: log_type
27        value: mikrotik_failed_auth
28      - meta: user
29        expression: "evt.Parsed.invalid_user"
30statics:
31 - meta: source_ip
32   expression: "evt.Parsed.source_ip"
33 - target: evt.StrTime
34   expression: evt.Parsed.timestamp
35

Hub configuration

« mikrotik-logs »v0.2 by a1adLog parser

« mikrotik-logs »
v0.2 by a1ad
Log parser