MikroTik DHCP server logs to rsyslog [TESTED]

Tuesday, May 26, 2020 161 comments

Very quick note on how to configure logging for DHCP server running on MikroTik RouterOS, send and store syslog messages on CentOS 7.x using rsyslog. In our configuration MikroTik device will have 1.1.1.1 IP, CentOS (syslog server) will have 2.2.2.2, we will store syslog messages received from 1.1.1.1 address into /var/log/remotelogs/ folder in a file named “desired_file_name.log”.

MikroTik configuration:

/system logging action set 3 remote=2.2.2.2
/system logging add action=remote topics=dhcp

CentOS 7.x configuration:

[root@centos7 ~]# vi /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Rules for remote logs
if $fromhost-ip=='1.1.1.1' then /var/log/remotelogs/desired_file_name.log
& ~

To avoid duplication of syslog messages received from remote host (1.1.1.1) that could appear in default files like “/var/log/messages” you might want to add “stop” (discard action) as it’s mentioned in rsyslog documentation. Here is an example:

[root@centos7 ~]# vi /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Rules for remote logs
if $fromhost-ip=='1.1.1.1' then { action(type="omfile" file="/var/log/remotelogs/desired_file_name.log") stop }
& ~

Then we will need to restart rsyslog service:

[root@centos7 ~]# systemctl restart rsyslog

Then we can generate test log message on MikroTik device:

[admin@MikroTik] > :log info TEST

If our local firewall is not blocking UDP/514 incoming packets you should be able to see that message in target file you specified in configuration:

[root@centos7 ~]# tail -f /var/log/remotelogs/desired_file_name.log | grep TEST

2020-05-25T20:36:20.829911-07:00 host-1-1-1-1.example.com script,info TEST

The last piece is to configure logrotate. I will create a new file in “/etc/logrotate.d/” folder for that:

[root@centos7 ~]# vi /etc/logrotate.d/remotelogs

/var/log/remotelogs/*.log {
# keep 3 versions online
        rotate 3
# rotate each day
        daily
# compress/nocompress
        compress
# add a YYYYMMDD extension instead of a number
        dateext
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

You can also forcibly run logrotate to see the result:

[root@centos7 ~]# logrotate -fv /etc/logrotate.d/remotelogs
[root@centos7 ~]# ls -lah /var/log/remotelogs/

Good luck!

Posted by Alexey at 05:21:06 in MikroTik
MikroTik The Dude 6.46.3 or older can not connect to RouterOS 6.46.4 or newer. »
« Cyclades-TS3000 Console Access and Terminal Server

Admin area