I have Splunk installed in my home lab and I began using it to search Linux, Windows, and macOS logs. In this post I'm going to share how I monitor my Mikrotik logs and SWAG logs. I've recently shared my Mikrotik rsyslog configuration and my SWAG setup.

My Mikrotik firewall logs are currently being sent to /var/log/Mikrotik/. After installing the Splunk Universal Forwarder you need to navigate to its directory, /opt/splunkforwarder/bin. From there run the following commands:

./splunk add forward-server 10.1.1.236:9997
./splunk add monitor /var/log
./splunk add monitor /path/to/appdata/config/log
./splunk restart

The commands above tell the Universal Forwarder where to send the logs (the Splunk server) and which paths to monitor: in our case the Linux logs under /var/log and the SWAG logs. Now edit the inputs.conf file that the add monitor commands created:

/opt/splunkforwarder/etc/apps/search/local/inputs.conf

and add the index you would like each monitored path to go to. Note: make sure the indexes you choose already exist on the Splunk server before you send data to them.

[monitor:///var/log]
disabled = false
index = linux

[monitor:///path/to/appdata/config/log]
disabled = false
index = swag

[Screenshot: Splunk Search Head SWAG]

After adding field extractions using " (the double quote) as a delimiter, you can see me searching for this post:

index=swag

[Screenshot: Splunk SWAG]

In the image you can see that I extracted the source IP, HTTP code, HTTP request method, URL, and User Agent.
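To show why a bare double quote works as the delimiter for SWAG's access log, here is an added Python example (not code from the original post or from SWAG) that performs the same extraction outside Splunk: it splits each line on " and picks out the source IP, HTTP method, URL, status code, and User-Agent. The sample lines are constructed in the style of nginx's default "combined" format, which SWAG writes; nginx escapes any " inside a logged value as \x22, so a well-formed line always contains exactly six quotes, and the third sample line shows that case. The field_counts helper mirrors a `| stats count by <field>` in Splunk.

```python
"""Delimiter-based field extraction for SWAG (nginx combined-format) access log lines."""
import re
from collections import Counter
from typing import Optional

# Constructed sample lines in nginx "combined" format (not taken from the post).
# Line 3 carries a quote that nginx has escaped as \x22; line 4 is a request
# nginx could not parse, which it logs as "-" with status 400.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:09:14:02 +0000] "GET /splunk-mikrotik-swag/ HTTP/2.0" 200 14823 "https://example.test/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/123.0"
198.51.100.23 - - [12/Mar/2024:09:14:05 +0000] "POST /wp-login.php HTTP/1.1" 403 153 "-" "python-requests/2.31"
192.0.2.55 - - [12/Mar/2024:09:14:09 +0000] "GET /?s=\\x22quoted\\x22 HTTP/1.1" 404 564 "-" "curl/8.5.0"
192.0.2.99 - - [12/Mar/2024:09:14:11 +0000] "-" 400 0 "-" "-"
"""


def parse_swag_line(line: str) -> Optional[dict]:
    """Split one access-log line on '"' (the delimiter used for the Splunk extraction).

    A combined-format line has exactly six quotes, so split() yields seven parts:
    [client part] "request" [status bytes] "referer" " " "user agent" "".
    Anything with a different quote count is not a line we understand.
    """
    parts = line.rstrip("\n").split('"')
    if len(parts) != 7:
        return None
    prefix, request, status_bytes, referer, _, user_agent, _ = parts
    prefix_fields = prefix.split()          # client IP, ident, user, [timestamp ...]
    status_fields = status_bytes.split()    # status code, body bytes
    if not prefix_fields or len(status_fields) < 2 or not status_fields[0].isdigit():
        return None
    ts = re.search(r"\[([^\]]+)\]", prefix)
    # The request is "METHOD URL PROTOCOL"; a malformed request is logged as "-".
    req_fields = request.split()
    method, url = (req_fields[0], req_fields[1]) if len(req_fields) == 3 else (None, None)
    return {
        "src_ip": prefix_fields[0],
        "timestamp": ts.group(1) if ts else None,
        "method": method,
        "url": url,
        "status": int(status_fields[0]),
        "referer": None if referer == "-" else referer,
        "user_agent": None if user_agent == "-" else user_agent,
    }


def parse_log(text: str) -> list:
    """Parse every line, silently skipping lines that are not combined-format entries."""
    return [e for e in (parse_swag_line(l) for l in text.splitlines()) if e]


def field_counts(events, field: str) -> Counter:
    """Equivalent of `index=swag | stats count by <field>` in Splunk."""
    return Counter(e[field] for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(e["src_ip"], e["method"], e["url"], e["status"], e["user_agent"])
    print(field_counts(evs, "status"))
```

Because the escaping is done by nginx, the same delimiter extraction is safe in Splunk: a client cannot inject an extra field boundary by putting a quote in its request line or User-Agent.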

[Screenshot: Splunk Search Head Mikrotik]

index=linux source="/var/log/MikroTik/router*"

[Screenshot: Splunk Mikrotik]

You can see that I am searching on both of my routers with my search query.

[Screenshot: Splunk Mikrotik Rules]

From my log extraction I can see which rule actions are firing the most. In this case it looks like I have had 9400+ requests on port 80 or 443. What's cool about this is that any Mikrotik rule I add with logging enabled will now show up in Splunk automatically.
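The "which actions fire most" and "requests on port 80 or 443" views come from the fields inside each Mikrotik firewall line. As an added example (not code from the post, MikroTik, or Splunk), the Python below parses firewall lines as rsyslog writes them to a file like /var/log/Mikrotik/router1.log, pulls out the rule's log prefix, protocol, addresses and ports, and tallies them per router. The sample lines are constructed in the style of MikroTik's firewall log format; the host names, prefixes and addresses are assumptions. Non-firewall lines (such as account events) are skipped rather than misparsed.

```python
"""Parse MikroTik firewall log lines received via rsyslog and tally rule actions."""
import re
from collections import Counter
from typing import Optional

# Constructed sample lines modelled on MikroTik's firewall log format (not from the post).
# The word before the first colon after "firewall,info" is the rule's log-prefix.
# The last line is a non-firewall event that the parser should ignore.
SAMPLE_LOG = """\
Mar 12 09:14:02 router1 firewall,info accept-web: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:51234->192.0.2.1:443, len 60
Mar 12 09:14:03 router1 firewall,info accept-web: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.23:40022->192.0.2.1:80, len 60
Mar 12 09:14:05 router2 firewall,info drop-input: in:ether1 out:(unknown 0), src-mac 66:77:88:99:aa:bb, proto TCP (SYN), 198.51.100.23:40023->192.0.2.2:22, len 60
Mar 12 09:14:07 router2 firewall,info drop-input: in:ether1 out:(unknown 0), src-mac 66:77:88:99:aa:bb, proto UDP, 198.51.100.23:40024->192.0.2.2:53, len 78
Mar 12 09:14:09 router1 firewall,info drop-input: in:ether1 out:(unknown 0), src-mac 66:77:88:99:aa:bb, proto ICMP (type 8, code 0), 198.51.100.23->192.0.2.1, len 84
Mar 12 09:14:11 router1 system,info,account user admin logged in from 10.1.1.50 via winbox
"""

# One regex for the whole line: syslog timestamp, host, topic/severity, log prefix,
# interfaces, protocol (with an optional detail in parentheses), src->dst with optional
# ports (ICMP has none), and packet length.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+"
    r"firewall,(?P<severity>\w+)\s+(?P<prefix>[^:]+):\s+"
    r"in:(?P<in_if>\S+)\s+out:(?P<out_if>\([^)]*\)|\S+),"
    r".*?proto\s+(?P<proto>\w+)(?:\s+\([^)]*\))?,\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?,\s+"
    r"len\s+(?P<length>\d+)"
)


def parse_mikrotik_line(line: str) -> Optional[dict]:
    """Return the firewall fields of one line, or None if it is not a firewall event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("sport", "dport", "length"):
        event[key] = int(event[key]) if event[key] is not None else None
    return event


def parse_log(text: str) -> list:
    """Parse all lines, dropping anything that is not a firewall event."""
    return [e for e in (parse_mikrotik_line(l) for l in text.splitlines()) if e]


def action_counts(events) -> Counter:
    """Which rule (by log prefix) fires most: the "rules" view from the post."""
    return Counter(e["prefix"] for e in events)


def hits_on_ports(events, ports=(80, 443)) -> int:
    """Number of events whose destination port is one of `ports` (default: web ports)."""
    return sum(1 for e in events if e["dport"] in ports)


def per_router(events) -> Counter:
    """Event count per sending router, the equivalent of `| stats count by host`."""
    return Counter(e["host"] for e in events)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(action_counts(evs))
    print("web hits:", hits_on_ports(evs))
    print(per_router(evs))
```

Splunk's own extraction does the same job with a regex in props.conf or a field extraction built in the UI; the point of the standalone parser is to see which fields a Mikrotik rule contributes (prefix, interfaces, protocol, addresses, ports) and to check that a new rule's log-prefix produces lines the extraction actually matches before relying on the dashboard.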