From MikroTik Wiki
Logs are written when Authorization (auth) or Accounting (acct) requests from routers are received.
It is configurable per router which logs must be written (See: HOWTO).
Log data contains:
- Username. Can differ from those registered in user table;
- User IP;
- Host IP. Router's IP;
- NAS Port;
- NAS Port type;
- NAS Post ID;
- ACCT Session ID;
- Calling station ID.
More information on what these fields mean can be found in Mikrotik RouterOS Radius client documentation, Supported RADIUS Attributes.
Sending logs to Syslog
Starting from version 3.24, support for sending logs to SysLog is added. To enable it:
1) Configure per router, which requests to log: accounting/authorization failure/success (See: HOWTO);
2) On the router configure log writing:
/system logging add topics=manager,account action=remote /system logging action set remote target=remote remote=18.104.22.168:514, where 22.214.171.124 and 514 is IP address and UDP port of the remote host, which will receive the logs.
3) Configure your remote host to listen on port 514 (any other port can be used, but it MUSt be UDP port and MUST match the one entered in router's system logging action);
4) Test, if logs are successfully received at the remote host:
4.1) Generate some logs by logging in and out using HotSpot/PPP users;
4.2) Check the Log page. The logs must appear here. Logs are sent to syslog only if they are logged in the User Manager database;
4.3) Check, if logs are received remotely. If you are running Linux, nc can be used:
nc -l -u -p 514, where 514 is the UDP port used. Could be, that root permissions are required to run listening on a UDP port. Another alternative is Wireshark - a multi platform tool for network packet "sniffing". Start a new session and enter
udp port 514
in the filter field. You should see incoming logs appearing.
Syslog message format
The logs are in the following format:
- user-ip - IP of user (NOT the routers IP!): four number in the range 0-255, separated by commas. 0.0.0.0 means "empty address";
- username - username of the user or MAC address, when MAC-authentication used;
- log type: string describing type of the log. Takes one of the following values: "auth ok", "auth fail", "acct ok", "acct fail". Fail means - the user was not successful to authorize or the accounting log was malicious. To track user session activity, only logs having "auth ok" and "acct ok" must be taken in account.
- message - contains message, describing error, in case of failure. can be empty. SysLog messages are limited in size, therefore it could happend, that the end of the message has been cut off.