Manual:System/Log: Difference between revisions

From MikroTik Wiki
mNo edit summary
 
(32 intermediate revisions by 7 users not shown)
Line 1: Line 1:
<h2>Summary</h2>
{{Versions|v3, v4 +}}


<p><b>Sub-menu level:</b> <code>
==Summary==
<br />
: /system logging
: /log
</code>
</p>


<p>
<p>
Line 13: Line 8:
</p>
</p>


<h2>Log messages</h2>
==Log messages==
 
<p id="shbox"><b>Sub-menu level:</b> <code> /log </code>
</p>
<br />
<p>
<p>
All messages stored in routers local memory can be printed from <code>/log</code> menu. Each entry contains time and date when event occurred, topics that this message belongs to and message itself.
All messages stored in routers local memory can be printed from <code>/log</code> menu. Each entry contains time and date when event occurred, topics that this message belongs to and message itself.
Line 26: Line 25:
sep/15 12:42:14 system,info,account user admin logged in from 10.1.101.212 via telnet  
sep/15 12:42:14 system,info,account user admin logged in from 10.1.101.212 via telnet  
sep/15 12:42:55 system,info,account user admin logged out from 10.1.101.212 via telnet  
sep/15 12:42:55 system,info,account user admin logged out from 10.1.101.212 via telnet  
01:01:58 firewall,info input: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto UDP,
                          10.1.101.1:520->10.1.101.255:520, len 452
</pre>
</pre>
If logs are printed at the same date when log entry was added, then only time will be shown. In example above you can see that second message was added on sep/15 current year (year is not added) and the last message was added today so only the time is displayed.
</p>
</p>


<b>Note</b> that print command accepts several parameters that allows to detect new log entries, print only necessary messages and so on. For more information about parameters refer to [[Scripting#print_parameters | scripting manual]]
{{ Note | print command accepts several parameters that allows to detect new log entries, print only necessary messages and so on. For more information about parameters refer to [[Scripting#print_parameters | scripting manual]] }}
 
For example following command will print all log messages where one of the topics is info and will detect new log entries until Ctrl+C is pressed
For example following command will print all log messages where one of the topics is info and will detect new log entries until Ctrl+C is pressed
<pre>
<pre>
Line 36: Line 41:
-- Ctrl-C to quit.
-- Ctrl-C to quit.
</pre>
</pre>
<br />
If print is in follow mode you can hit 'space' on keyboard to insert separator:
<pre>
[admin@ZalaisKapots] /log > print follow where topics~".info"
12:52:24 script,info hello from script
= = =  = = =  = = =      = = =  = = =  = = =      = = =  = = =  = = =
-- Ctrl-C to quit.
</pre>
==Logging configuration==
<p id="shbox"><b>Sub-menu level:</b> <code> /system logging </code>
</p>
<br />
<p>
<table class="styled_table">
<tr>
  <th width="40%">Property</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>action</b></var> (<em>name</em>; Default: <b>memory</b>)</td>
    <td> specifies one of the system default actions or user specified action listed in [[log#Actions | actions menu]]</td>
</tr>
<tr>
    <td><var><b>prefix</b></var> (<em>string</em>; Default: <b></b>)</td>
    <td> prefix added at the beginning of log messages</td>
</tr>
<tr>
    <td><var><b>topics</b></var> (<em>account, bfd, caps, ddns, dns, error, gsm, info, iscsi, l2tp, manager, ntp, packet, pppoe, radvd, rip, script, smb, sstp, system, timer, vrrp, web-proxy, async, bgp, certificate, debug, dot1x, dude, event, hotspot, interface, isdn, ldp, mme, ospf, pim, pptp, raw, route, sertcp, snmp, state, telephony, upnp, warning, wireless, backup, calc, critical, dhcp, e-mail, firewall, igmp-proxy, ipsec, kvm, lte, mpls, ovpn, ppp, radius, read, rsvp, simulator, ssh, store, tftp, ups, watchdog, write</em>; Default: <b>info</b>)</td>
    <td> log all messages that falls into specified topic or list of topics. <br />
<b>'!'</b> character can be used before topic to exclude messages falling under this topic. For example, we want to log [[ Time | NTP]] debug info without too much details: <br />
<code> /system logging add topics=ntp,debug,!packet</code></td>
</tr>
</table>
</p>
===Actions===
<p id="shbox"><b>Sub-menu level:</b> <code> /system logging action</code>
</p>
<br />
<p>
<table class="styled_table">
<tr>
  <th width="40%">Property</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>bsd-syslog</b></var> (<em>yes|no</em>; Default: <b></b>)</td>
    <td>whether to use bsd-syslog as defined in RFC 3164</td>
</tr>
<tr>
    <td><var><b>disk-file-count</b></var> (<em>integer [1..65535]</em>; Default: <b>2</b>)</td>
    <td>specifies number of files used to store log messages, applicable only if action=disk</td>
</tr>
<tr>
    <td><var><b>disk-file-name</b></var> (<em>string</em>; Default: <b>log</b>)</td>
    <td>name of the file used to store log messages, applicable only if action=disk</td>
</tr>
<tr>
    <td><var><b>disk-lines-per-file</b></var> (<em>integer [1..65535]</em>; Default: <b>100</b>)</td>
    <td>specifies maximum size of file in lines, applicable only if action=disk</td>
</tr>
<tr>
    <td><var><b>disk-stop-on-full</b></var> (<em>yes|no</em>; Default: <b>no</b>)</td>
    <td>whether to stop to save log messages to disk after the specified disk-lines-per-file and disk-file-count number is reached, applicable only if action=disk</td>
</tr>
<tr>
    <td><var><b>email-start-tls</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
    <td>Whether to use tls when sending email, applicable only if action=email</td>
</tr>
<tr>
    <td><var><b>email-to</b></var> (<em>string</em>; Default: <b></b>)</td>
    <td>email address where logs are sent, applicable only if action=email</td>
</tr>
<tr>
    <td><var><b>memory-lines</b></var> (<em>integer [1..65535]</em>; Default: <b>100</b>)</td>
    <td>number of records in local memory buffer, applicable only if action=memory</td>
</tr>
<tr>
    <td><var><b>memory-stop-on-full</b></var> (<em>yes|no</em>; Default: <b>no</b>)</td>
    <td>whether to stop to save log messages in local buffer after the specified memory-lines number is reached</td>
</tr>
<tr>
    <td><var><b>name</b></var> (<em>string</em>; Default: <b></b>)</td>
    <td>name of an action</td>
</tr>
<tr>
    <td><var><b>remember</b></var> (<em>yes|no</em>; Default: <b></b>)</td>
    <td>whether to keep log messages, which have not yet been displayed in console, applicable if action=echo</td>
</tr>
<tr>
    <td><var><b>remote</b></var> (<em>IP/IPv6 Address[:Port]</em>; Default: <b>0.0.0.0:514</b>)</td>
    <td>remote logging server's IP/IPv6 address and UDP port, applicable if action=remote</td>
</tr>
<tr>
    <td><var><b>src-address</b></var> (<em>IP address</em>; Default: <b>0.0.0.0</b>)</td>
    <td>source address used when sending packets to remote server</td>
</tr>
<tr>
    <td><var><b>syslog-facility</b></var> (<em>auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, news, ntp, syslog, user, uucp</em>; Default: <b>daemon</b>)</td>
    <td></td>
</tr>
<tr>
    <td><var><b>syslog-severity</b></var> (<em>alert, auto, critical, debug, emergency, error, info, notice, warning</em>; Default: <b>auto</b>)</td>
    <td>Severity level indicator defined in RFC 3164:
    <ul class="bullets">
        <li> Emergency: system is unusable
        <li> Alert: action must be taken immediately
        <li> Critical: critical conditions
        <li> Error: error conditions
        <li> Warning: warning conditions
        <li> Notice: normal but significant condition
        <li> Informational: informational messages
        <li> Debug: debug-level messages
    </ul>
    </td>
</tr>
<tr>
    <td><var><b>target</b></var> (<em>disk, echo, email, memory, remote</em>; Default: <b>memory</b>)</td>
    <td>storage facility or target of log messages
    <ul class="bullets">
        <li> disk - logs are saved to the hard drive [[#Logging_to_file | more>>]]
        <li> echo - logs are displayed on the console screen
        <li> email - logs are sent by email
        <li> memory - logs are stored in local memory buffer
        <li> remote - logs are sent to remote host
    </ul>
    </td>
</tr>
</table>
</p>
{{Note | default actions can not be deleted or renamed. }}
==Topics==
<p>
Each log entry have topic which describes the origin of log message. There can be more than one topic assigned to log message. For example, OSPF debug logs have four different topics: route, ospf, debug and raw.
<pre>
11:11:43 route,ospf,debug SEND: Hello Packet 10.255.255.1 -> 224.0.0.5 on lo0
11:11:43 route,ospf,debug,raw PACKET:
11:11:43 route,ospf,debug,raw    02 01 00 2C 0A FF FF 03 00 00 00 00 E7 9B 00 00
11:11:43 route,ospf,debug,raw    00 00 00 00 00 00 00 00 FF FF FF FF 00 0A 02 01
11:11:43 route,ospf,debug,raw    00 00 00 28 0A FF FF 01 00 00 00 00
</pre>
List of Facility independent topics
<table class="styled_table">
<tr>
  <th width="40%">Topic</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>critical</b></var></td>
    <td>Log entries marked as critical, these log entries are printed to console each time you log in.</td>
</tr>
<tr>
    <td><var><b>debug</b></var></td>
    <td>Debug log entries</td>
</tr>
<tr>
    <td><var><b>error</b></var></td>
    <td>Error messages</td>
</tr>
<tr>
    <td><var><b>info</b></var></td>
    <td>Informative log entry</td>
</tr>
<tr>
    <td><var><b>packet</b></var></td>
    <td>Log entry that shows contents from received/sent packet</td>
</tr>
<tr>
    <td><var><b>raw</b></var></td>
    <td>Log entry that shows raw contents of received/sent packet</td>
</tr>
<tr>
    <td><var><b>warning</b></var></td>
    <td>Warning message.</td>
</tr>
</table>
Topics used by various RouterOS facilities
<table class="styled_table">
<tr>
  <th width="40%">Topic</th>
  <th >Description</th>
</tr>
<tr>
    <td><var><b>account</b></var></td>
    <td>Log messages generated by accounting facility.</td>
</tr>
<tr>
    <td><var><b>async</b></var></td>
    <td>Log messages generated by asynchronous devices</td>
</tr>
<tr>
    <td><var><b>backup</b></var></td>
    <td>Log messages generated by [[Manual:Configuration_Management#System_Backup | backup]] creation facility.</td>
</tr>
<tr>
    <td><var><b>bfd</b></var></td>
    <td>Log messages generated by [[Manual:Routing/BFD]] protocol</td>
</tr>
<tr>
    <td><var><b>bgp</b></var></td>
    <td>Log messages generated by [[Manual:Routing/BGP]] protocol</td>
</tr>
<tr>
    <td><var><b>calc</b></var></td>
    <td>Routing calculation log messages.</td>
</tr>
<tr>
    <td><var><b>caps</b></var></td>
    <td>CAPsMAN wireless device management</td>
</tr>
<tr>
    <td><var><b>certificate</b></var></td>
    <td>Security [[Manual:System/Certificates|certificate]]</td>
</tr>
<tr>
    <td><var><b>dns</b></var></td>
    <td>Name server lookup related information</td>
</tr>
<tr>
    <td><var><b>ddns</b></var></td>
    <td>Log messages generated by [[Manual:Tools/Dynamic DNS]] tool</td>
</tr>
<tr>
    <td><var><b>dude</b></var></td>
    <td>Messages related to the Dude server package [[Manual:The_Dude]] tool</td>
</tr>
<tr>
    <td><var><b>dhcp</b></var></td>
    <td>DHCP [[Manual:IP/DHCP_Client | client]], [[Manual:IP/DHCP_Server | server]] and [[Manual:IP/DHCP_Relay | relay]] log messages</td>
</tr>
<tr>
    <td><var><b>e-mail</b></var></td>
    <td>Messages generated by [[Manual:Tools/email]] tool.</td>
</tr>
<tr>
    <td><var><b>event</b></var></td>
    <td>Log message generated at routing event. For example, new route have been installed in routing table.</td>
</tr>
<tr>
    <td><var><b>firewall</b></var></td>
    <td>Firewall log messages generated when <b>action=log</b> is set in [[Manual:IP/Firewall | firewall]] rule</td>
</tr>
<tr>
    <td><var><b>gsm</b></var></td>
    <td>Log messages generated by GSM devices</td>
</tr>
<tr>
    <td><var><b>hotspot</b></var></td>
    <td>[[Manual:IP/Hotspot | Hotspot]] related log entries</td>
</tr>
<tr>
    <td><var><b>igmp-proxy</b></var></td>
    <td>[[Manual:Routing/IGMP-Proxy | IGMP Proxy]] related log entries</td>
</tr>
<tr>
    <td><var><b>ipsec</b></var></td>
    <td>[[Manual:IP/IPsec | IPSec]] log entries</td>
</tr>
<tr>
    <td><var><b>iscsi</b></var></td>
    <td></td>
</tr>
<tr>
    <td><var><b>isdn</b></var></td>
    <td></td>
</tr>
<tr>
    <td><var><b>interface</b></var></td>
    <td></td>
</tr>
<tr>
    <td><var><b>kvm</b></var></td>
    <td>Messages related to the KVM virtual machine functionality</td>
</tr>
<tr>
    <td><var><b>l2tp</b></var></td>
    <td> Log entries generated by [[Manual:Interface/L2TP]] client and server</td>
</tr>
<tr>
    <td><var><b>lte</b></var></td>
    <td>Messasges related to the LTE/4G modem configuration</td>
</tr>
<tr>
    <td><var><b>ldp</b></var></td>
    <td>[[Manual:MPLS/LDP]] protocol related messages</td>
</tr>
<tr>
    <td><var><b>manager</b></var></td>
    <td>[[Manual:User_Manager]] log messages.</td>
</tr>
<tr>
    <td><var><b>mme</b></var></td>
    <td>[[Manual:Routing/MME | MME]] routing protocol messages</td>
</tr>
<tr>
    <td><var><b>mpls</b></var></td>
    <td>[[Manual:MPLS | MPLS]] messages</td>
</tr>
<tr>
    <td><var><b>ntp</b></var></td>
    <td>[[Manual:System/Time | sNTP]] client generated log entries</td>
</tr>
<tr>
    <td><var><b>ospf</b></var></td>
    <td>[[Manual:Routing/OSPF]] routing protocol messages</td>
</tr>
<tr>
    <td><var><b>ovpn</b></var></td>
    <td>[[OpenVPN]] tunnel messages</td>
</tr>
<tr>
    <td><var><b>pim</b></var></td>
    <td>[[Manual:Routing/Multicast | Multicast PIM-SM]] related messages</td>
</tr>
<tr>
    <td><var><b>ppp</b></var></td>
    <td>ppp facility messages</td>
</tr>
<tr>
    <td><var><b>pppoe</b></var></td>
    <td>[[Manual:Interface/PPPoE | PPPoE]] server/client related messages</td>
</tr>
<tr>
    <td><var><b>pptp</b></var></td>
    <td>[[Manual:Interface/PPTP | PPTP]] server/client related messages</td>
</tr>
<tr>
    <td><var><b>radius</b></var></td>
    <td>Log entries generated by [[RADIUS Client]]</td>
</tr>
<tr>
    <td><var><b>radvd</b></var></td>
    <td>IPv6 radv deamon log messages. </td>
</tr>
<tr>
    <td><var><b>read</b></var></td>
    <td>SMS tool messages</td>
</tr>
<tr>
    <td><var><b>rip</b></var></td>
    <td>[[Manual:Routing/RIP | RIP]] routing protocol messages</td>
</tr>
<tr>
    <td><var><b>route</b></var></td>
    <td>Routing facility log entries</td>
</tr>
<tr>
    <td><var><b>rsvp</b></var></td>
    <td>[[MPLS_TE_Tunnels | Resource Reservation Protocol]] generated messages.</td>
</tr>
<tr>
    <td><var><b>script</b></var></td>
    <td>Log entries generated from scripts</td>
</tr>
<tr>
    <td><var><b>sertcp</b></var></td>
    <td>Log messages related to facility responsible for "/ports remote-access"</td>
</tr>
<tr>
    <td><var><b>simulator</b></var></td>
    <td></td>
</tr>
<tr>
    <td><var><b>state</b></var></td>
    <td>[[DHCP Client]] and routing state messages.</td>
</tr>
<tr>
    <td><var><b>store</b></var></td>
    <td>Log entries generated by [[Store]] facility</td>
</tr>
<tr>
    <td><var><b>smb</b></var></td>
    <td>Messages related to the [[Manual:IP/SMB|SMB]] file sharing system</td>
</tr>
<tr>
    <td><var><b>snmp</b></var></td>
    <td>Messages related to [[Manual:SNMP|Simple network management protocol (SNMP)]] configuration</td>
</tr>
<tr>
    <td><var><b>system</b></var></td>
    <td>Generic system messages</td>
</tr>
<tr>
    <td><var><b>telephony</b></var></td>
    <td><em>Obsolete! Previously used by the IP telephony package</em></td>
</tr>
<tr>
    <td><var><b>tftp</b></var></td>
    <td>[[TFTP]] server generated messages</td>
</tr>
<tr>
    <td><var><b>timer</b></var></td>
    <td>Log messages that are related to timers used in RouterOS. For example bgp keepalive logs
<pre>
12:41:40 route,bgp,debug,timer KeepaliveTimer expired
12:41:40 route,bgp,debug,timer    RemoteAddress=2001:470:1f09:131::1
</pre>
</td>
</tr>
<tr>
    <td><var><b>ups</b></var></td>
    <td>Messages generated by UPS monitoring tool</td>
</tr>
<tr>
    <td><var><b>vrrp</b></var></td>
    <td>Messages generated [[Manual:Interface/VRRP|VRRP]]</td>
</tr>
<tr>
    <td><var><b>watchdog</b></var></td>
    <td>[[Watchdog]] generated log entries</td>
</tr>
<tr>
    <td><var><b>web-proxy</b></var></td>
    <td>Log messages generated by web proxy</td>
</tr>
<tr>
    <td><var><b>wireless</b></var></td>
    <td>[[M:Interface/Wireless]] log entries.</td>
</tr>
<tr>
    <td><var><b>write</b></var></td>
    <td>SMS tool messages.</td>
</tr>
</table>
</p>


== Logging to file ==  
== Logging to file ==  
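Review bot: in the new Actions table, the disk-*, email-*, memory-lines, remember and remote rows are scoped with "applicable only if action=disk" (and action=email, action=memory, action=echo, action=remote), but the property in that same table that takes the values disk, echo, email, memory and remote is target, while action in /system logging is documented as the name of an action; these should read target=disk and so on. The same hunk leaves the description cell empty for syslog-facility, iscsi, isdn, interface and simulator, and carries the typos "Messasges" (lte), "deamon" (radvd) and "Messages generated VRRP" (missing "by").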
Line 45: Line 495:
and then make everything log using this new action:
and then make everything log using this new action:


  /system logging action=file
  /system logging add action=file


You can log only errors there by issuing command:
You can log only errors there by issuing command:


  /system logging topics=error action=file  
  /system logging add topics=error action=file  


This will log into files '''log.0.txt''' and '''log.1.txt'''.  
This will log into files '''log.0.txt''' and '''log.1.txt'''.  
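Review bot: the corrected command "/system logging add action=file" is still introduced as "make everything log using this new action", yet the topics property documented on this page has Default: info, so a rule added without topics does not cover everything. Either reword the sentence to say what the rule matches, or show the topics the rule should carry, as the "topics=error" line below it does.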
Line 59: Line 509:
  /system logging action add name=usb target=disk disk-file-name=usb1/log
  /system logging action add name=usb target=disk disk-file-name=usb1/log


[[Category:Manual]]
{{Note | Logging entries from files will be stored back in the memory after reboot.}}
[[Category:Unfinished]]
 
== Examples ==
 
=== Webproxy logging ===
 
These two screenshots will show you how to configure the RouterOS logging facility to send Webrpoxy logs to a remote syslog server, in this example, located at 192.168.100.12. The syslog server can be any software that supports receiving syslogs, for example Kiwi syslog.
 
* [[Image:Logging2.png]]
Add a new logging action, with "remote" and the IP of the remote server. Call it whatever you like
 
* [[Image:Logging1.png]]
Then add a new logging rule with the topic "webproxy" and then newly created action. Note that you must have webproxy running on this router already, for this to work. To test, you can temporary change the action to "memory" and see the "log" window if the webproxy visited websites are logged. If it works, change it back to your new remote action
 
''Note: it's a good idea to add another topic in the same rule: '''!debug'''. This would be to ensure you don't get any debug stuff, only the visited sites.''
 
=== Rsyslog ===
 
It is possible to send all logs to a remote syslog server, one example of a syslog server is Rsyslog. Below you can find configuration example that is relevant to RouterOS:
<pre>
/system logging action
set [find name=remote] remote=10.0.0.1
/system logging
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning
</pre>
 
With this configuration all logs will be present on the device and on the remote syslog server. Below you can find configuration lines that are relevant to a Rsyslog server (only lines that should be changed from the default values):
<pre>
#/etc/rsyslog.conf
$ModLoad imudp
$UDPServerAddress 10.0.0.1
$UDPServerRun 514
$AllowedSender UDP, 10.0.0.0/24 127.0.0.1
 
$template Router1Log, "/var/log/MikroTik/router1.log"
:fromhost-ip, isequal, "10.0.0.2" -?Router1Log
& stop
</pre>
 
For security reasons you should only allow Rsyslog to listen to a certain address, this limits the instance to a single interface. You should also specify only certain IP addresses that are allowed to send their logs to the particular syslog server.
 
{{ Note | Never rely on a single security measure, you should also implement proper Firewall on the machine running Rsyslog, to limit access to the server. }}
 
[[Category:Manual|L]]
[[Category:Monitoring|L]]
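Review bot: in the Rsyslog example, "$AllowedSender UDP, 10.0.0.0/24 127.0.0.1" admits the whole 10.0.0.0/24 although the paragraph under it says to allow only certain IP addresses and the filter matches just 10.0.0.2; narrow the sender list to the router address used in the example, or say why the full subnet is intended. The sentence "With this configuration all logs will be present ... on the remote syslog server" also overstates the RouterOS side, which only adds rules for the info, critical, error and warning topics. In the Webproxy example, "Webrpoxy" is a typo and the rule topic is given as "webproxy" while the topic list added in this revision names it web-proxy.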

Latest revision as of 13:06, 15 July 2020

Applies to RouterOS: v3, v4 +

Summary


RouterOS is capable of logging various system events and status information. Logs can be saved in the router's memory (RAM), on disk, in a file, sent by email, or sent to a remote syslog server (RFC 3164).

Log messages

Sub-menu level: /log


All messages stored in the router's local memory can be printed from the /log menu. Each entry contains the date and time when the event occurred, the topics that the message belongs to, and the message itself.

[admin@ZalaisKapots] /log> print 
jan/02/1970 02:00:09 system,info router rebooted 
sep/15 09:54:33 system,info,account user admin logged in from 10.1.101.212 via winbox 
sep/15 12:33:18 system,info item added by admin 
sep/15 12:34:26 system,info mangle rule added by admin 
sep/15 12:34:29 system,info mangle rule moved by admin 
sep/15 12:35:34 system,info mangle rule changed by admin 
sep/15 12:42:14 system,info,account user admin logged in from 10.1.101.212 via telnet 
sep/15 12:42:55 system,info,account user admin logged out from 10.1.101.212 via telnet 
01:01:58 firewall,info input: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto UDP, 
                          10.1.101.1:520->10.1.101.255:520, len 452

If a log entry is printed on the same date it was added, only the time is shown. In the example above, the second message was added on sep/15 of the current year (the year is not shown), and the last message was added today, so only the time is displayed.

Note: the print command accepts several parameters that allow you to detect new log entries, print only the necessary messages, and so on. For more information about these parameters, refer to the scripting manual.


For example, the following command prints all log messages where one of the topics is info and keeps detecting new log entries until Ctrl+C is pressed:

[admin@ZalaisKapots] /log > print follow where topics~".info"
12:52:24 script,info hello from script
-- Ctrl-C to quit.


If print is in follow mode, you can press 'space' on the keyboard to insert a separator:

[admin@ZalaisKapots] /log > print follow where topics~".info"
12:52:24 script,info hello from script

 = = =   = = =   = = =      = = =   = = =   = = =      = = =   = = =   = = =

-- Ctrl-C to quit.

Logging configuration

Sub-menu level: /system logging


Property - Description
action (name; Default: memory) - specifies one of the system default actions or a user-specified action listed in the actions menu
prefix (string; Default: ) - prefix added at the beginning of log messages
topics (account, bfd, caps, ddns, dns, error, gsm, info, iscsi, l2tp, manager, ntp, packet, pppoe, radvd, rip, script, smb, sstp, system, timer, vrrp, web-proxy, async, bgp, certificate, debug, dot1x, dude, event, hotspot, interface, isdn, ldp, mme, ospf, pim, pptp, raw, route, sertcp, snmp, state, telephony, upnp, warning, wireless, backup, calc, critical, dhcp, e-mail, firewall, igmp-proxy, ipsec, kvm, lte, mpls, ovpn, ppp, radius, read, rsvp, simulator, ssh, store, tftp, ups, watchdog, write; Default: info) - log all messages that fall into the specified topic or list of topics.

The '!' character can be used before a topic to exclude messages falling under that topic. For example, to log NTP debug info without too much detail:

/system logging add topics=ntp,debug,!packet
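
The entry format from the Log messages section and the topics matching described above, as an added Python example that is not part of the original manual: it parses /log print output, resolves the three timestamp forms, joins wrapped lines, applies a topics rule with '!' exclusions, and extracts login events. It assumes that every non-excluded topic in a rule must be present on a message; the function names are hypothetical, and the sample lines come from this page except the two ntp lines, which are constructed.

```python
import re
from datetime import date, datetime
from typing import NamedTuple

MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# Optional "mon/dd" or "mon/dd/yyyy", then time, comma-separated topics, message.
LINE = re.compile(
    r"^(?:(?P<mon>[a-z]{3})/(?P<day>\d{2})(?:/(?P<year>\d{4}))?\s+)?"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<topics>[a-z0-9,-]+)\s+(?P<msg>.*)$")
LOGIN = re.compile(r"^user (\S+) logged in from (\S+) via (\S+)$")


class Entry(NamedTuple):
    when: datetime
    topics: frozenset
    msg: str


def parse_log(text, today):
    """Parse '/log print' output; 'today' supplies the missing date or year."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if set(line) <= {"=", " "}:
            continue  # blank line or the separator inserted with 'space'
        m = LINE.match(line)
        if m and (m["mon"] is None or m["mon"] in MONTHS):
            h, mi, s = map(int, m["time"].split(":"))
            if m["mon"] is None:          # time only: entry was added today
                d = today
            else:                         # year omitted: current year
                year = int(m["year"]) if m["year"] else today.year
                d = date(year, MONTHS[m["mon"]], int(m["day"]))
            entries.append(Entry(datetime(d.year, d.month, d.day, h, mi, s),
                                 frozenset(m["topics"].split(",")), m["msg"]))
        elif raw[:1].isspace() and entries:
            # Indented line: continuation of the previous (wrapped) message.
            last = entries[-1]
            entries[-1] = last._replace(msg=last.msg + " " + line.strip())
        # Anything else (prompt, "-- Ctrl-C to quit.") is ignored.
    return entries


def rule_matches(rule_topics, entry_topics):
    """Assumed semantics: all plain topics present, no '!' topic present."""
    parts = rule_topics.split(",")
    wanted = {t for t in parts if not t.startswith("!")}
    excluded = {t[1:] for t in parts if t.startswith("!")}
    return wanted <= set(entry_topics) and not (excluded & set(entry_topics))


def logins(entries):
    """Return (user, source address, service) for each account login entry."""
    found = []
    for e in entries:
        m = LOGIN.match(e.msg) if "account" in e.topics else None
        if m:
            found.append(m.groups())
    return found


# Sample input: lines from this page plus two constructed ntp lines.
SAMPLE = """\
[admin@ZalaisKapots] /log> print
jan/02/1970 02:00:09 system,info router rebooted
sep/15 09:54:33 system,info,account user admin logged in from 10.1.101.212 via winbox
sep/15 12:42:14 system,info,account user admin logged in from 10.1.101.212 via telnet
sep/15 12:42:55 system,info,account user admin logged out from 10.1.101.212 via telnet
01:01:58 firewall,info input: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto UDP,
                          10.1.101.1:520->10.1.101.255:520, len 452
11:11:43 ntp,debug,packet constructed packet dump line
11:11:44 ntp,debug constructed ntp debug line
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE, today=date(2020, 7, 15))
    for user, src, service in logins(parsed):
        print(f"login: {user} from {src} via {service}")
    kept = [e.msg for e in parsed if rule_matches("ntp,debug,!packet", e.topics)]
    print("rule ntp,debug,!packet keeps:", kept)
```
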

Actions

Sub-menu level: /system logging action


Property - Description
bsd-syslog (yes|no; Default: ) - whether to use bsd-syslog as defined in RFC 3164
disk-file-count (integer [1..65535]; Default: 2) - specifies the number of files used to store log messages, applicable only if action=disk
disk-file-name (string; Default: log) - name of the file used to store log messages, applicable only if action=disk
disk-lines-per-file (integer [1..65535]; Default: 100) - specifies the maximum size of a file in lines, applicable only if action=disk
disk-stop-on-full (yes|no; Default: no) - whether to stop saving log messages to disk after the specified disk-lines-per-file and disk-file-count number is reached, applicable only if action=disk
email-start-tls (yes | no; Default: no) - whether to use TLS when sending email, applicable only if action=email
email-to (string; Default: ) - email address where logs are sent, applicable only if action=email
memory-lines (integer [1..65535]; Default: 100) - number of records in the local memory buffer, applicable only if action=memory
memory-stop-on-full (yes|no; Default: no) - whether to stop saving log messages in the local buffer after the specified memory-lines number is reached
name (string; Default: ) - name of an action
remember (yes|no; Default: ) - whether to keep log messages which have not yet been displayed in the console, applicable if action=echo
remote (IP/IPv6 Address[:Port]; Default: 0.0.0.0:514) - remote logging server's IP/IPv6 address and UDP port, applicable if action=remote
src-address (IP address; Default: 0.0.0.0) - source address used when sending packets to the remote server
syslog-facility (auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, news, ntp, syslog, user, uucp; Default: daemon)
syslog-severity (alert, auto, critical, debug, emergency, error, info, notice, warning; Default: auto) - severity level indicator defined in RFC 3164:
  • Emergency: system is unusable
  • Alert: action must be taken immediately
  • Critical: critical conditions
  • Error: error conditions
  • Warning: warning conditions
  • Notice: normal but significant condition
  • Informational: informational messages
  • Debug: debug-level messages
target (disk, echo, email, memory, remote; Default: memory) - storage facility or target of log messages
  • disk - logs are saved to the hard drive
  • echo - logs are displayed on the console screen
  • email - logs are sent by email
  • memory - logs are stored in the local memory buffer
  • remote - logs are sent to a remote host

Note: default actions cannot be deleted or renamed.


Topics

Each log entry has a topic that describes the origin of the log message. More than one topic can be assigned to a log message. For example, OSPF debug logs have four different topics: route, ospf, debug and raw.

11:11:43 route,ospf,debug SEND: Hello Packet 10.255.255.1 -> 224.0.0.5 on lo0 
11:11:43 route,ospf,debug,raw PACKET: 
11:11:43 route,ospf,debug,raw     02 01 00 2C 0A FF FF 03 00 00 00 00 E7 9B 00 00 
11:11:43 route,ospf,debug,raw     00 00 00 00 00 00 00 00 FF FF FF FF 00 0A 02 01 
11:11:43 route,ospf,debug,raw     00 00 00 28 0A FF FF 01 00 00 00 00 


List of facility-independent topics

Topic - Description
critical - Log entries marked as critical; these log entries are printed to the console each time you log in.
debug - Debug log entries
error - Error messages
info - Informative log entry
packet - Log entry that shows contents from received/sent packet
raw - Log entry that shows raw contents of received/sent packet
warning - Warning message.


Topics used by various RouterOS facilities

Topic - Description
account - Log messages generated by the accounting facility.
async - Log messages generated by asynchronous devices
backup - Log messages generated by the backup creation facility.
bfd - Log messages generated by the BFD protocol
bgp - Log messages generated by the BGP protocol
calc - Routing calculation log messages.
caps - CAPsMAN wireless device management
certificate - Security certificate
dns - Name server lookup related information
ddns - Log messages generated by the Dynamic DNS tool
dude - Messages related to the Dude server package (The Dude tool)
dhcp - DHCP client, server and relay log messages
e-mail - Messages generated by the e-mail tool.
event - Log message generated at a routing event. For example, a new route has been installed in the routing table.
firewall - Firewall log messages generated when action=log is set in a firewall rule
gsm - Log messages generated by GSM devices
hotspot - Hotspot related log entries
igmp-proxy - IGMP Proxy related log entries
ipsec - IPSec log entries
iscsi
isdn
interface
kvm - Messages related to the KVM virtual machine functionality
l2tp - Log entries generated by the L2TP client and server
lte - Messages related to the LTE/4G modem configuration
ldp - LDP protocol related messages
manager - User Manager log messages.
mme - MME routing protocol messages
mpls - MPLS messages
ntp - sNTP client generated log entries
ospf - OSPF routing protocol messages
ovpn - OpenVPN tunnel messages
pim - Multicast PIM-SM related messages
ppp - ppp facility messages
pppoe - PPPoE server/client related messages
pptp - PPTP server/client related messages
radius - Log entries generated by RADIUS Client
radvd - IPv6 radv daemon log messages.
read - SMS tool messages
rip - RIP routing protocol messages
route - Routing facility log entries
rsvp - Resource Reservation Protocol generated messages.
script - Log entries generated from scripts
sertcp - Log messages related to the facility responsible for "/ports remote-access"
simulator
state - DHCP Client and routing state messages.
store - Log entries generated by the Store facility
smb - Messages related to the SMB file sharing system
snmp - Messages related to Simple network management protocol (SNMP) configuration
system - Generic system messages
telephony - Obsolete! Previously used by the IP telephony package
tftp - TFTP server generated messages
timer - Log messages that are related to timers used in RouterOS. For example, bgp keepalive logs:
12:41:40 route,bgp,debug,timer KeepaliveTimer expired
12:41:40 route,bgp,debug,timer     RemoteAddress=2001:470:1f09:131::1
ups - Messages generated by the UPS monitoring tool
vrrp - Messages generated by VRRP
watchdog - Watchdog generated log entries
web-proxy - Log messages generated by web proxy
wireless - Wireless log entries.
write - SMS tool messages.

Logging to file

To log everything to a file, add a new log action:

/system logging action add name=file target=disk disk-file-name=log

and then make everything log using this new action:

/system logging add action=file

You can log only errors there by issuing the command:

/system logging add topics=error action=file 

This will log into files log.0.txt and log.1.txt.

You can specify the maximum size of a file in lines with disk-lines-per-file. <file>.0.txt is the active file where new logs are appended; once its size reaches the maximum, it becomes <file>.1.txt and a new, empty <file>.0.txt is created.

You can log to USB flash drives or to MicroSD/CF (on Routerboards) by specifying the directory name before the file name. For example, if you have an accessible USB flash drive as the usb1 directory under /files, you should issue the following command:

/system logging action add name=usb target=disk disk-file-name=usb1/log

Note: Logging entries from files will be stored back in the memory after reboot.


Examples

Webproxy logging

These two screenshots will show you how to configure the RouterOS logging facility to send Webproxy logs to a remote syslog server, in this example located at 192.168.100.12. The syslog server can be any software that supports receiving syslogs, for example Kiwi syslog.

Add a new logging action, with "remote" and the IP of the remote server. Call it whatever you like.

Then add a new logging rule with the topic "webproxy" and the newly created action. Note that you must have webproxy running on this router already for this to work. To test, you can temporarily change the action to "memory" and check in the "log" window whether the websites visited through the webproxy are logged. If it works, change it back to your new remote action.

Note: it's a good idea to add another topic in the same rule: !debug. This would be to ensure you don't get any debug stuff, only the visited sites.

Rsyslog

It is possible to send all logs to a remote syslog server; one example of a syslog server is Rsyslog. Below you can find a configuration example that is relevant to RouterOS:

/system logging action
set [find name=remote] remote=10.0.0.1
/system logging
add action=remote topics=info
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=warning

With this configuration all logs will be present on the device and on the remote syslog server. Below you can find the configuration lines that are relevant to an Rsyslog server (only lines that should be changed from the default values):

#/etc/rsyslog.conf
$ModLoad imudp
$UDPServerAddress 10.0.0.1
$UDPServerRun 514
$AllowedSender UDP, 10.0.0.0/24 127.0.0.1

$template Router1Log, "/var/log/MikroTik/router1.log"
:fromhost-ip, isequal, "10.0.0.2" -?Router1Log
& stop

For security reasons you should only allow Rsyslog to listen on a certain address; this limits the instance to a single interface. You should also specify only certain IP addresses that are allowed to send their logs to the particular syslog server.

Note: Never rely on a single security measure; you should also implement a proper firewall on the machine running Rsyslog to limit access to the server.
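
The two collector-side restrictions from the Rsyslog section (listen on one address, accept only listed senders), together with the RFC 3164 priority value behind syslog-facility and syslog-severity, as an added Python example that is not part of the manual or of rsyslog. The function names are hypothetical, the addresses are those of the example configuration above, and the sample datagram is constructed, since the page does not show the exact text RouterOS sends.

```python
import ipaddress
import re
import socket

# RFC 3164 numeric codes: PRI = facility * 8 + severity.
FACILITY = dict(enumerate(
    "kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp".split()))
FACILITY.update({16 + i: f"local{i}" for i in range(8)})
SEVERITY = "emergency alert critical error warning notice info debug".split()

# Same sender list as the $AllowedSender line in the example configuration.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "127.0.0.1/32")]
PRI = re.compile(rb"^<(\d{1,3})>")


def sender_allowed(src_ip, allowed=ALLOWED):
    """True if the datagram's source address falls in an allowed network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in allowed)


def decode(datagram):
    """Split the <PRI> header into facility and severity; None if malformed."""
    m = PRI.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid value: facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITY.get(facility, str(facility)),
        "severity": SEVERITY[severity],
        "text": datagram[m.end():].decode("utf-8", "replace"),
    }


def accept(src_ip, datagram, allowed=ALLOWED):
    """Drop datagrams from unlisted senders, decode the rest."""
    if not sender_allowed(src_ip, allowed):
        return None
    return decode(datagram)


def serve(bind_addr="10.0.0.1", port=514):
    """Listen on one address only, like $UDPServerAddress in the example."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src, _port) = sock.recvfrom(4096)
            record = accept(src, data)
            if record is not None:
                print(src, record)


# Constructed datagram: PRI 30 = daemon (3) * 8 + info (6).
SAMPLE_DATAGRAM = b"<30>system,info,account user admin logged in from 10.1.101.212 via telnet"

if __name__ == "__main__":
    print(accept("10.0.0.2", SAMPLE_DATAGRAM))        # decoded record
    print(accept("192.168.100.12", SAMPLE_DATAGRAM))  # None: sender not listed
```

The source address of a UDP datagram is not authenticated, so the sender check is one layer alongside the firewall the note above asks for.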