MikroTik DHCP server logs to rsyslog [TESTED]
A very quick note on how to configure logging for the DHCP server running on MikroTik RouterOS, and how to send and store its syslog messages on CentOS 7.x using rsyslog. In our configuration the MikroTik device has the IP 1.1.1.1 and the CentOS syslog server has 2.2.2.2; we will store syslog messages received from 1.1.1.1 in the /var/log/remotelogs/ folder, in a file named “desired_file_name.log”.
MikroTik configuration:
/system logging action set 3 remote=2.2.2.2
/system logging add action=remote topics=dhcp
CentOS 7.x configuration:
[root@centos7 ~]# vi /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Rules for remote logs
if $fromhost-ip=='1.1.1.1' then /var/log/remotelogs/desired_file_name.log
& ~
To avoid duplicates of the syslog messages received from the remote host (1.1.1.1) appearing in default files like “/var/log/messages”, you might want to add “stop” (the discard action), as mentioned in the rsyslog documentation. Here is an example:
[root@centos7 ~]# vi /etc/rsyslog.conf

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514

# Rules for remote logs
if $fromhost-ip=='1.1.1.1' then {
    action(type="omfile" file="/var/log/remotelogs/desired_file_name.log")
    # "stop" discards the message here, so the legacy "& ~" line is not needed after this block
    stop
}
Then we need to restart the rsyslog service:
[root@centos7 ~]# systemctl restart rsyslog
Then we can generate a test log message on the MikroTik device:
[admin@MikroTik] > :log info TEST
If the local firewall is not blocking incoming UDP/514 packets, you should be able to see that message in the target file you specified in the configuration:
[root@centos7 ~]# tail -f /var/log/remotelogs/desired_file_name.log | grep TEST
2020-05-25T20:36:20.829911-07:00 host-1-1-1-1.example.com script,info TEST
The last piece is to configure logrotate. I will create a new file in “/etc/logrotate.d/” folder for that:
[root@centos7 ~]# vi /etc/logrotate.d/remotelogs

/var/log/remotelogs/*.log {
    # keep 3 versions online
    rotate 3
    # rotate each day
    daily
    # compress/nocompress
    compress
    # add a YYYYMMDD extension instead of a number
    dateext
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}
You can also forcibly run logrotate to see the result:
[root@centos7 ~]# logrotate -fv /etc/logrotate.d/remotelogs
[root@centos7 ~]# ls -lah /var/log/remotelogs/
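Once the DHCP messages land in the file, they can be used to attribute an IP address to a MAC address at a given time. The following is an added example, not part of the original note: it parses lines in the layout shown in the tail output above and lists IPs that were leased to more than one MAC. The sample lines are constructed, and the lease message wording ("assigned ... to ...", "deassigned ... from ...") and the server name dhcp1 are assumptions; adjust the regex to what your device emits.

```python
import re
from collections import defaultdict

# Line layout as stored by rsyslog on this page: "<RFC 3339 time> <host> <topics> <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<topics>\S+) (?P<msg>.*)$")
# ASSUMPTION: lease messages read "<server> assigned <ip> to <mac>" or
# "<server> deassigned <ip> from <mac>"; this wording is not taken from the page.
LEASE_RE = re.compile(
    r"\b(?P<event>assigned|deassigned) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?:to|from) (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)

# Constructed sample lines (not real captures); only the first one appears on the page.
SAMPLE = """\
2020-05-25T20:36:20.829911-07:00 host-1-1-1-1.example.com script,info TEST
2020-05-25T20:40:01.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 assigned 192.168.88.10 to AA:BB:CC:00:00:01
2020-05-25T21:10:00.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 deassigned 192.168.88.10 from AA:BB:CC:00:00:01
2020-05-25T21:15:42.000000-07:00 host-1-1-1-1.example.com dhcp,info dhcp1 assigned 192.168.88.10 to aa:bb:cc:00:00:02
this line is truncated garbage
"""

def parse_leases(text):
    """Return (timestamp, event, ip, mac) tuples for DHCP lease lines; skip everything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "dhcp" not in m["topics"].split(","):
            continue  # not a DHCP-topic line (e.g. the script,info TEST message)
        lease = LEASE_RE.search(m["msg"])
        if lease:
            events.append((m["ts"], lease["event"], lease["ip"], lease["mac"].upper()))
    return events

def ip_history(events):
    """Map each IP to its ordered list of (timestamp, mac) assignments."""
    history = defaultdict(list)
    for ts, event, ip, mac in events:
        if event == "assigned":
            history[ip].append((ts, mac))
    return dict(history)

def reassigned_ips(history):
    """IPs handed to more than one MAC; attributing them requires the timestamp."""
    return sorted(ip for ip, items in history.items() if len({mac for _, mac in items}) > 1)

if __name__ == "__main__":
    hist = ip_history(parse_leases(SAMPLE))
    for ip in reassigned_ips(hist):
        print(ip, hist[ip])
```

Run it against the rotated files as well as the live one, since with "rotate 3" and "daily" anything older than three days is no longer available on disk.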
Good luck!