With the hostname and the appname we can filter on these messages In vRLI should start seeing message like the following Now, let's head over to vRLI and see if we have som log entries there. We'll use the an ICMP accept rule for this which uses a different chain than before (forward)Īnd we'll log the action and specify a prefix for it
Let's also add an example from an accept rule so we can work with different log entries. The important part here is that we will use this later on in vRLI so we need to have some kind of a standard thinking about it. the rule number or some other description, but for now I'm fine with this approach. I have my own kind of semi-standard for this where I start with the action, DROP in this case, then I have a short descriptive part to understand the rule. Let's see an example with this default rule that will drop all input that doesn't come from our LAN (and which has not been hit by a previous rule)ĭown in the action section this is set to drop so we'll check the log checkbox and we'll set a prefix. Now to tell our router to push logs to vRLI we have to specify the individual rules to log the action and we can add a prefix to the log entry
Note that we can prefix our messages here and I'll set fw as my prefix which eventually set this as the appname in the syslog message. Here we'll set Firewall as the topic and then select the newly created action. Second we need to create a rule that uses this action. I've set syslog as the facility and info as the severity (I haven't look at the rfc specification to see if this is correct, don't shoot me.) So let's create an action that points to our remote server and select the BSD option. Hostname is now what I have as the identity of my router. Here's a message with the BSD option selected, and a prefix specified in the rule (more on this later). Here's a message without the BSD option selected.
In my case I like the latter so that's what we'll work with. We're a bit ahead of things here, but the difference when outputted to vRLI isn't huge. I know that vRLI supports RFC3164 syslog messages and that is what we'll get if we specify the BSD syslog option here. Note that there are a few ways to do this. To specify a remote Syslog server in the Mikrotik router we'll first create an action where we specify the Remote type and the details for our remote server. The first part of this blog will be how I've configured my Mikrotik router (yours might be different so you might have to adjust accordingly), the second part how I've extracted fields from the Syslog messages.
Since I couldn't find any content packs for Mikrotik I thought I'd take the opportunity to do a walkthrough of how to extract fields from syslog messages to get some value from them. Recently I installed a Mikrotik router at home and since I'm in my lab environment are running vRealize Log Insight (vRLI) and I'm using this as my Syslog server I wanted to push logs from the firewall to vRLI.
0 kommentar(er)
