MikroTik DHCP server logs to rsyslog [TESTED]

A very quick note on how to configure logging for the DHCP server running on MikroTik RouterOS, and how to send the syslog messages to CentOS 7.x and store them there using rsyslog. In our configuration the MikroTik device has the IP 1.1.1.1 and the CentOS syslog server has 2.2.2.2. Syslog messages received from the 1.1.1.1 address are stored in the /var/log/remotelogs/ folder, in a file named “desired_file_name.log”.

MikroTik configuration:

/system logging action set 3 remote=2.2.2.2
/system logging add action=remote topics=dhcp

CentOS 7.x configuration:

[root@centos7 ~]# vi /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

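# Rules for remote logs: write everything from 1.1.1.1 to its own file,
# then stop so the messages are not also written to the local log files
if $fromhost-ip=='1.1.1.1' then /var/log/remotelogs/desired_file_name.log
& stop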

Then we need to restart the rsyslog service:

[root@centos7 ~]# systemctl restart rsyslog

Then we can generate a test log message on the MikroTik device:

[admin@MikroTik] > :log info TEST

If the local firewall is not blocking incoming UDP/514 packets, you should see that message in the target file specified in the configuration:

[root@centos7 ~]# tail -f /var/log/remotelogs/desired_file_name.log | grep TEST

2020-05-25T20:36:20.829911-07:00 host-1-1-1-1.example.com script,info TEST

The last piece is to configure logrotate. I will create a new file in “/etc/logrotate.d/” folder for that:

[root@centos7 ~]# vi /etc/logrotate.d/remotelogs

/var/log/remotelogs/*.log {
# keep 3 rotated versions
        rotate 3
# rotate each day
        daily
# compress/nocompress
        compress
# add a YYYYMMDD extension instead of a number
        dateext
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

You can also forcibly run logrotate to see the result:

[root@centos7 ~]# logrotate -fv /etc/logrotate.d/remotelogs
[root@centos7 ~]# ls -lah /var/log/remotelogs/
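
Once the DHCP messages land in the file, they can be reviewed with a short script. The following is an added example, not part of the original note: it parses lines in the layout shown above (timestamp, host, topics, message) and reports addresses that moved to a different MAC without a deassign, plus MACs holding more addresses than a threshold. The lease message wording, the server name dhcp1, the addresses and the MACs are assumptions constructed for the example; adjust the pattern to what your RouterOS version actually logs.

```python
import re
from collections import defaultdict

# Layout of the line shown on the page: <timestamp> <host> <topics> <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<topics>\S+) (?P<msg>.*)$")
# ASSUMPTION: lease wording "<server> assigned|deassigned <ip> to|for|from <mac>"
LEASE_RE = re.compile(
    r"^\S+ (?P<action>assigned|deassigned) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?:to|for|from) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")

def lease_events(lines):
    """Yield (ts, action, ip, mac) for lines whose topics include 'dhcp'."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or "dhcp" not in m.group("topics").split(","):
            continue
        lease = LEASE_RE.match(m.group("msg"))
        if lease:
            yield (m.group("ts"), lease.group("action"),
                   lease.group("ip"), lease.group("mac").upper())

def review(lines, max_ips_per_mac=3):
    """Return (takeovers, busy_macs) found in the lease events."""
    holder, ips_by_mac, takeovers = {}, defaultdict(set), []
    for ts, action, ip, mac in lease_events(lines):
        if action == "assigned":
            prev = holder.get(ip)
            if prev and prev != mac:      # address moved without a deassign
                takeovers.append((ts, ip, prev, mac))
            holder[ip] = mac
            ips_by_mac[mac].add(ip)
        elif holder.get(ip) == mac:       # deassigned by its current holder
            del holder[ip]
    busy = sorted(m for m, ips in ips_by_mac.items() if len(ips) > max_ips_per_mac)
    return takeovers, busy

# Constructed sample lines (the first one is the test message from the page)
SAMPLE = """\
2020-05-25T20:36:20.829911-07:00 host-1-1-1-1.example.com script,info TEST
2020-05-25T20:40:01.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 assigned 192.0.2.10 to AA:BB:CC:00:00:01
2020-05-25T20:41:00.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 deassigned 192.0.2.10 from AA:BB:CC:00:00:01
2020-05-25T20:42:00.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 assigned 192.0.2.10 to AA:BB:CC:00:00:02
2020-05-25T20:43:00.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 assigned 192.0.2.10 to AA:BB:CC:00:00:03
""".splitlines()

if __name__ == "__main__":
    takeovers, busy = review(SAMPLE)
    for ts, ip, old, new in takeovers:
        print(f"{ts} {ip} moved from {old} to {new} without a deassign")
    print("MACs above the address threshold:", busy)
```

To run it against the real file, pass open("/var/log/remotelogs/desired_file_name.log") to review() instead of SAMPLE.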

Good luck!
