rsyslog with Mikrotik
I love Mikrotik firewalls. I recently set up remote syslog on two firewalls, which now send their logs to a Raspberry Pi running Ubuntu 20.04.
I followed this guide to make sure my remote server can accept logs from the Mikrotik firewall. I also followed this guide from Mikrotik for rsyslog.conf settings.
Server and firewall IPs
Ubuntu Server IPs: 10.1.1.241, 192.168.88.150
Firewall IPs: 10.1.1.1, 192.168.88.1
Below you will find a summary of the steps I followed to configure my 2 firewalls
Ubuntu Server
update and install
sudo apt update
sudo apt upgrade
sudo systemctl start rsyslog
sudo systemctl enable rsyslog
sudo systemctl status rsyslog
configure rsyslog
sudo vim /etc/rsyslog.conf
add this to the bottom of the file
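# load the UDP syslog input and listen on every address, port 514
$ModLoad imudp
$UDPServerAddress *
#$UDPServerAddress 192.168.88.150
$UDPServerRun 514
# only accept UDP syslog from these networks (comma-separated list)
$AllowedSender UDP, 10.1.1.0/24, 127.0.0.1, 192.168.88.0/24
# write each router's messages to its own file, then stop processing them
$template Router1Log, "/var/log/MikroTik/router1.log"
:fromhost-ip, isequal, "10.1.1.1" -?Router1Log
& stop
$template Router2Log, "/var/log/MikroTik/router2.log"
:fromhost-ip, isequal, "192.168.88.1" -?Router2Log
& stop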
Now the server should be ready to receive logs from the firewall.
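The sender filter and per-router routing configured above can be checked offline before the service is restarted. The Python below is an added example, not part of the original guide or of rsyslog itself: it parses only the three directive forms used above (IP entries in $AllowedSender, file-name templates, :fromhost-ip isequal filters), and the names parse, destination and unreachable_routes are made up for this illustration.

```python
import ipaddress
import re

# Constructed sample: the directives from this page as they would sit in rsyslog.conf
SAMPLE_CONF = '''\
$AllowedSender UDP, 10.1.1.0/24, 127.0.0.1, 192.168.88.0/24
$template Router1Log, "/var/log/MikroTik/router1.log"
:fromhost-ip, isequal, "10.1.1.1" -?Router1Log
& stop
$template Router2Log, "/var/log/MikroTik/router2.log"
:fromhost-ip, isequal, "192.168.88.1" -?Router2Log
& stop
'''

def parse(conf):
    """Return (allowed UDP networks, {template: path}, [(sender_ip, template)])."""
    allowed, templates, routes = [], {}, []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r'\$AllowedSender\s+UDP\s*,\s*(.+)', line, re.I):
            # Assumption: entries are IPs or CIDR blocks (hostname entries not handled)
            allowed += [ipaddress.ip_network(s.strip(), strict=False)
                        for s in m.group(1).split(",") if s.strip()]
        elif m := re.match(r'\$template\s+(\w+)\s*,\s*"([^"]+)"', line, re.I):
            templates[m.group(1)] = m.group(2)
        elif m := re.match(r':fromhost-ip\s*,\s*isequal\s*,\s*"([^"]+)"\s+-?\?(\w+)', line):
            routes.append((ipaddress.ip_address(m.group(1)), m.group(2)))
    return allowed, templates, routes

def destination(conf, sender):
    """Per-router file for a datagram from `sender`; None if dropped or unmatched."""
    allowed, templates, routes = parse(conf)
    ip = ipaddress.ip_address(sender)
    if allowed and not any(ip in net for net in allowed):
        return None  # rejected by $AllowedSender before any rule runs
    for src, tmpl in routes:
        if ip == src:
            return templates.get(tmpl)
    return None  # accepted, but no :fromhost-ip rule matches this sender

def unreachable_routes(conf):
    """Router IPs that have a log rule but would be dropped by $AllowedSender."""
    allowed, _, routes = parse(conf)
    return [str(src) for src, _ in routes
            if allowed and not any(src in net for net in allowed)]
```

A non-empty result from unreachable_routes means a router's log file will stay empty even though its rule looks correct.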
Mikrotik Firewall
On the firewall add remote host
/system logging action add name="rsyslog" target=remote remote=10.1.1.241 remote-port=514 src-address=10.1.1.1;
Add rules for each event type
/system logging add topics=info action=rsyslog;
/system logging add topics=error action=rsyslog;
/system logging add topics=warning action=rsyslog;
/system logging add topics=critical action=rsyslog;
I did this on both firewalls and replaced remote and src-address respectively depending on which network I am connected to. You may need to restart rsyslog to get logs coming in.
sudo systemctl restart rsyslog
You should now start receiving logs in the following two locations
/var/log/MikroTik/router1.log
/var/log/MikroTik/router2.log