Manual:System/Log
RouterOS is capable of logging various system events and status information. Logs can be saved in routers memory (RAM), disk, file, sent by email or even sent to remote syslog server (RFC 3164).
Log messages
All messages stored in routers local memory can be printed from /log menu. Each entry contains time and date when event occurred, topics that this message belongs to and message itself.
[admin@ZalaisKapots] /log> print jan/02/1970 02:00:09 system,info router rebooted sep/15 09:54:33 system,info,account user admin logged in from 10.1.101.212 via winbox sep/15 12:33:18 system,info item added by admin sep/15 12:34:26 system,info mangle rule added by admin sep/15 12:34:29 system,info mangle rule moved by admin sep/15 12:35:34 system,info mangle rule changed by admin sep/15 12:42:14 system,info,account user admin logged in from 10.1.101.212 via telnet sep/15 12:42:55 system,info,account user admin logged out from 10.1.101.212 via telnet 01:01:58 firewall,info input: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto UDP, 10.1.101.1:520->10.1.101.255:520, len 452
If logs are printed at the same date when log entry was added, then only time will be shown. In example above you can see that second message was added on sep/15 current year (year is not added) and the last message was added today so only the time is displayed.
Note: print command accepts several parameters that allows to detect new log entries, print only necessary messages and so on. For more information about parameters refer to scripting manual
For example following command will print all log messages where one of the topics is info and will detect new log entries until Ctrl+C is pressed
[admin@ZalaisKapots] /log > print follow where topics~".info" 12:52:24 script,info hello from script -- Ctrl-C to quit.
If print is in follow mode you can hit ‘space’ on keyboard to insert separator:
[admin@ZalaisKapots] /log > print follow where topics~".info" 12:52:24 script,info hello from script = = = = = = = = = = = = = = = = = = = = = = = = = = = -- Ctrl-C to quit.
Logging configuration
Sub-menu level: /system logging
‘!’ character can be used before topic to exclude messages falling under this topic. For example, we want to log NTP debug info without too much details:
Actions
Sub-menu level: /system logging action
- Emergency: system is unusable
- Alert: action must be taken immediately
- Critical: critical conditions
- Error: error conditions
- Warning: warning conditions
- Notice: normal but significant condition
- Informational: informational messages
- Debug: debug-level messages
- disk — logs are saved to the hard drive more>>
- echo — logs are displayed on the console screen
- email — logs are sent by email
- memory — logs are stored in local memory buffer
- remote — logs are sent to remote host
Note: default actions can not be deleted or renamed.
Topics
Each log entry have topic which describes the origin of log message. There can be more than one topic assigned to log message. For example, OSPF debug logs have four different topics: route, ospf, debug and raw.
11:11:43 route,ospf,debug SEND: Hello Packet 10.255.255.1 -> 224.0.0.5 on lo0 11:11:43 route,ospf,debug,raw PACKET: 11:11:43 route,ospf,debug,raw 02 01 00 2C 0A FF FF 03 00 00 00 00 E7 9B 00 00 11:11:43 route,ospf,debug,raw 00 00 00 00 00 00 00 00 FF FF FF FF 00 0A 02 01 11:11:43 route,ospf,debug,raw 00 00 00 28 0A FF FF 01 00 00 00 00
List of Facility independent topics
Topic | Description |
---|---|
critical | Log entries marked as critical, these log entries are printed to console each time you log in. |
debug | Debug log entries |
error | Error messages |
info | Informative log entry |
packet | Log entry that shows contents from received/sent packet |
raw | Log entry that shows raw contents of received/sent packet |
warning | Warning message. |
Topics used by various RouterOS facilities
12:41:40 route,bgp,debug,timer KeepaliveTimer expired 12:41:40 route,bgp,debug,timer RemoteAddress=2001:470:1f09:131::1
Logging to file
To log everything to file, add new log action:
/system logging action add name=file target=disk disk-file-name=log
and then make everything log using this new action:
/system logging add action=file
You can log only errors there by issuing command:
/system logging add topics=error action=file
This will log into files log.0.txt and log.1.txt.
You can specify maximum size of file in lines by specifying disk-lines-per-file. .0.txt is active file were new logs are going to be appended and once it size will reach maximum it will become .1.txt, and new empty .0.txt will be created.
You can log into USB flashes or into MicroSD/CF (on Routerboards) by specifying it’s directory name before file name. For example, if you have accessible usb flash as usb1 directory under /files, you should issue following command:
/system logging action add name=usb target=disk disk-file-name=usb1/log
Note: Logging entries from files will be stored back in the memory after reboot.
Examples
Webproxy logging
These two screenshots will show you how to configure the RouterOS logging facility to send Webrpoxy logs to a remote syslog server, in this example, located at 192.168.100.12. The syslog server can be any software that supports receiving syslogs, for example Kiwi syslog.
Add a new logging action, with «remote» and the IP of the remote server. Call it whatever you like
Then add a new logging rule with the topic «webproxy» and then newly created action. Note that you must have webproxy running on this router already, for this to work. To test, you can temporary change the action to «memory» and see the «log» window if the webproxy visited websites are logged. If it works, change it back to your new remote action
Note: it’s a good idea to add another topic in the same rule: !debug. This would be to ensure you don’t get any debug stuff, only the visited sites.
Rsyslog
It is possible to send all logs to a remote syslog server, one example of a syslog server is Rsyslog. Below you can find configuration example that is relevant to RouterOS:
/system logging action set [find name=remote] remote=10.0.0.1 /system logging add action=remote topics=info add action=remote topics=critical add action=remote topics=error add action=remote topics=warning
With this configuration all logs will be present on the device and on the remote syslog server. Below you can find configuration lines that are relevant to a Rsyslog server (only lines that should be changed from the default values):
#/etc/rsyslog.conf $ModLoad imudp $UDPServerAddress 10.0.0.1 $UDPServerRun 514 $AllowedSender UDP, 10.0.0.0/24 127.0.0.1 $template Router1Log, "/var/log/MikroTik/router1.log" :fromhost-ip, isequal, "10.0.0.2" -?Router1Log & stop
For security reasons you should only allow Rsyslog to listen to a certain address, this limits the instance to a single interface. You should also specify only certain IP addresses that are allowed to send their logs to the particular syslog server.
Note: Never rely on a single security measure, you should also implement proper Firewall on the machine running Rsyslog, to limit access to the server.