MikroTik DHCP server logs to rsyslog [TESTED]

A very quick note on how to configure logging for a DHCP server running on MikroTik RouterOS, and how to send and store its syslog messages on CentOS 7.x using rsyslog. In our configuration MikroTik device will have IP, CentOS (syslog server) will have, we will store syslog messages received from address into /var/log/remotelogs/ folder in a file named “desired_file_name.log”.

MikroTik configuration:

/system logging action set 3 remote=
/system logging add action=remote topics=dhcp

CentOS 7.x configuration:

[root@centos7 ~]# vi /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Rules for remote logs
if $fromhost-ip=='' then /var/log/remotelogs/desired_file_name.log
& ~

To avoid duplicating syslog messages received from the remote host, which could otherwise also appear in default files like “/var/log/messages”, you might want to add “stop” (the discard action), as mentioned in the rsyslog documentation. Here is an example:

[root@centos7 ~]# vi /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Rules for remote logs ("stop" replaces the legacy "& ~" discard)
if $fromhost-ip=='' then { action(type="omfile" file="/var/log/remotelogs/desired_file_name.log") stop }

Then we need to restart the rsyslog service:

[root@centos7 ~]# systemctl restart rsyslog

Then we can generate a test log message on the MikroTik device:

[admin@MikroTik] > :log info TEST

If the local firewall on the syslog server is not blocking incoming UDP/514 packets, you should be able to see that message in the target file you specified in the configuration:

[root@centos7 ~]# tail -f /var/log/remotelogs/desired_file_name.log | grep TEST

2020-05-25T20:36:20.829911-07:00 host-1-1-1-1.example.com script,info TEST

The last piece is to configure logrotate. I will create a new file in the “/etc/logrotate.d/” folder for that:

[root@centos7 ~]# vi /etc/logrotate.d/remotelogs

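/var/log/remotelogs/*.log {
# keep 3 versions online
        rotate 3
# rotate each day
        daily
# compress/nocompress
        compress
# add a YYYYMMDD extension instead of a number
        dateext
# signal the syslog daemon to reopen its log files after rotation
        postrotate
                /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        endscript
}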

You can also forcibly run logrotate to see the result:

[root@centos7 ~]# logrotate -fv /etc/logrotate.d/remotelogs
[root@centos7 ~]# ls -lah /var/log/remotelogs/
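
Once DHCP messages are landing in the file, they can be parsed into lease events to answer which MAC address held an IP at a given time. This is an added example, not part of the original note: the sample lines are constructed in the file layout shown in the test output above, and the `assigned ... to` / `deassigned ... from` message wording, the `dhcp1` server name and the addresses are assumptions.

```python
import re
from datetime import datetime

# Constructed sample lines: timestamp, sending host, RouterOS topics, message.
# Assumption: the DHCP message text reads "<server> assigned <ip> to <mac>"
# and "<server> deassigned <ip> from <mac>"; adjust LEASE to your device's output.
SAMPLE = """\
2020-05-25T20:36:20.829911-07:00 host-1-1-1-1.example.com script,info TEST
2020-05-25T20:40:01.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 assigned 192.0.2.10 to AA:BB:CC:00:00:01
2020-05-25T20:55:00.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 deassigned 192.0.2.10 from AA:BB:CC:00:00:01
2020-05-25T21:10:30.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 assigned 192.0.2.10 to AA:BB:CC:00:00:02
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<topics>\S+) (?P<msg>.*)$")
LEASE = re.compile(
    r"^(?P<server>\S+) (?P<verb>assigned|deassigned) (?P<ip>[\d.]+) "
    r"(?:to|from) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})")


def parse_leases(text):
    """Return DHCP lease events as dicts, skipping non-DHCP lines."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m or "dhcp" not in m["topics"].split(","):
            continue
        lease = LEASE.match(m["msg"])
        if lease:
            events.append({"time": datetime.fromisoformat(m["ts"]),
                           "host": m["host"], **lease.groupdict()})
    return events


def holder_at(events, ip, when):
    """MAC that held `ip` at `when`, or None if it was unassigned then."""
    holder = None
    for e in sorted(events, key=lambda e: e["time"]):
        if e["time"] > when:
            break
        if e["ip"] == ip:
            holder = e["mac"].upper() if e["verb"] == "assigned" else None
    return holder


if __name__ == "__main__":
    evts = parse_leases(SAMPLE)
    t = datetime.fromisoformat("2020-05-25T20:45:00-07:00")
    print(holder_at(evts, "192.0.2.10", t))
```

To run it against the real file, pass the contents of /var/log/remotelogs/desired_file_name.log to `parse_leases()` instead of `SAMPLE`.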

Good luck!
