Ian Redden

Mikrotik RouterOS Firewall Parser (mikrotikfw)

Blog Post created by Ian Redden Employee on Apr 11, 2017

MikroTik is a Latvian company founded in 1996 to develop routers and wireless ISP systems. MikroTik provides hardware and software for Internet connectivity in most countries around the world. You can read more about Mikrotik at http://www.mikrotik.com/ or their product line at http://www.routerboard.com/.


Sample log events:

Apr 11 12:14:15 192.168.1.1 router %MIKROTIKFW: mangle-pre prerouting: in:bridge out:(none), src-mac 00:0c:29:58:2d:aa, proto TCP (ACK), 192.168.1.15:59231->65.52.235.203:443, NAT (192.168.1.15:59231->123.123.123.123:59231)->65.52.235.203:443, len 52
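As an added illustration of what the parser has to pull out of such an event (this is my own Python, not the parser attached to the post), the function below breaks the sample line above into its fields. The field names (rule_prefix, chain, in_if, nat_src_ip and so on) are my choice; splitting "mangle-pre prerouting" into the firewall rule's own log-prefix and the chain name follows the general RouterOS firewall log layout "<log-prefix> <chain>: in:... out:..., ..."; the two extra lines are constructed, and a line that lacks the %MIKROTIKFW prefix is deliberately rejected, which is the failure mode you would see if the prefix in the logging configuration were changed.

```python
import re
from typing import Optional

# Syslog header as produced by the RouterOS logging action described in the post:
# "<timestamp> <router-ip> <hostname> %MIKROTIKFW: <rule log-prefix> <chain>: <body>"
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) (?P<hostname>\S+) %MIKROTIKFW: "
    r"(?P<rule_prefix>.*?)\s*(?P<chain>\S+): (?P<body>.*)$"
)
# "src:port->dst:port" (ports are absent for ICMP and other port-less protocols)
ENDPOINTS_RE = re.compile(
    r"^(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))?->(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?$"
)
# Source-NAT annotation in the form shown in the sample event:
# NAT (original-src:port->translated-src:port)->dst:port
SRC_NAT_RE = re.compile(
    r"^NAT \((?P<orig_ip>[\d.]+):(?P<orig_port>\d+)->(?P<xlate_ip>[\d.]+):(?P<xlate_port>\d+)\)"
    r"->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)$"
)

# The sample event from the post, plus two constructed lines (203.0.113.0/24 is TEST-NET-3).
PAGE_SAMPLE = ("Apr 11 12:14:15 192.168.1.1 router %MIKROTIKFW: mangle-pre prerouting: in:bridge out:(none), "
               "src-mac 00:0c:29:58:2d:aa, proto TCP (ACK), 192.168.1.15:59231->65.52.235.203:443, "
               "NAT (192.168.1.15:59231->123.123.123.123:59231)->65.52.235.203:443, len 52")
CONSTRUCTED_DROP = ("Apr 11 12:20:01 192.168.1.1 router %MIKROTIKFW: dropped input: in:ether1 out:(none), "
                    "src-mac 00:0c:29:58:2d:bb, proto UDP, 203.0.113.7:40000->192.168.1.1:161, len 78")
CONSTRUCTED_NO_PREFIX = ("Apr 11 12:21:00 192.168.1.1 router firewall,info dropped input: in:ether1 out:(none), "
                         "proto UDP, 203.0.113.7:40001->192.168.1.1:161, len 78")


def parse_mikrotik_fw(line: str) -> Optional[dict]:
    """Return a dict of fields for a %MIKROTIKFW firewall event, or None if the prefix is missing."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {
        "timestamp": m["timestamp"], "device": m["device"], "hostname": m["hostname"],
        "rule_prefix": m["rule_prefix"] or None, "chain": m["chain"],
        "in_if": None, "out_if": None, "src_mac": None, "proto": None, "flags": None,
        "src_ip": None, "src_port": None, "dst_ip": None, "dst_port": None,
        "nat": None, "nat_src_ip": None, "nat_src_port": None, "len": None,
    }
    # Split the body on ", " but never inside parentheses, because ICMP events
    # carry "proto ICMP (type 8, code 0)" with a comma inside the brackets.
    for part in re.split(r", (?![^()]*\))", m["body"]):
        if part.startswith("in:"):
            io = re.match(r"in:(\S+) out:(\S+)$", part)
            if io:
                event["in_if"] = None if io[1] == "(none)" else io[1]
                event["out_if"] = None if io[2] == "(none)" else io[2]
        elif part.startswith("src-mac "):
            event["src_mac"] = part[len("src-mac "):]
        elif part.startswith("proto "):
            pm = re.match(r"proto (\S+)(?: \((.*)\))?$", part)
            if pm:
                event["proto"], event["flags"] = pm[1], pm[2]
        elif part.startswith("NAT "):
            event["nat"] = part[len("NAT "):]          # raw annotation, kept for any NAT form
            nm = SRC_NAT_RE.match(part)                 # translated source for the src-nat form
            if nm:
                event["nat_src_ip"] = nm["xlate_ip"]
                event["nat_src_port"] = int(nm["xlate_port"])
        elif part.startswith("len "):
            event["len"] = int(part[len("len "):])
        else:
            em = ENDPOINTS_RE.match(part)
            if em:
                event["src_ip"] = em["src_ip"]
                event["src_port"] = int(em["src_port"]) if em["src_port"] else None
                event["dst_ip"] = em["dst_ip"]
                event["dst_port"] = int(em["dst_port"]) if em["dst_port"] else None
    return event


if __name__ == "__main__":
    for line in (PAGE_SAMPLE, CONSTRUCTED_DROP, CONSTRUCTED_NO_PREFIX):
        print(parse_mikrotik_fw(line))
```

The translated source address from the NAT annotation is worth keeping as its own field: when you correlate these events with logs from the far end of the connection, the peer sees 123.123.123.123:59231, not the private address that appears first in the line.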

To make the parser work, you need to add a log prefix to all messages sent, set up a logging action (the destination the events are sent to) and finally configure which topics are associated with that logging action.


Mikrotik Syslog Configuration:
/system logging action set 3 bsd-syslog=yes remote=LOG.DECODER.IP.HERE syslog-facility=syslog syslog-severity=notice syslog-time-format=iso8601
/system logging add action=remote prefix=%MIKROTIKFW topics=firewall


For more information on configuring logging within RouterOS, please refer to the MikroTik Wiki page Manual:System/Log.


Do not change the prefix: the attached parser requires "%MIKROTIKFW"!


Enjoy!
