Monitor logs, send email alert / run script

From MikroTik Wiki
Revision as of 08:03, 13 December 2013 by Skot

Description

This script scans the log for entries containing particular words or phrases, then drops any of those entries that also contain a second set of words or phrases. If a new matching entry is found, an email is sent, a script is run, or whatever action you configure.

Todo

  • The search terms in startBuf should be held in an array so they are easier to edit and to work with.
  • The marker should be a date + time stamp rather than a time stamp alone, to eliminate the very slim possibility that a new log entry exactly 24h after the last one would go undetected.

Instructions

Create a new schedule. Set the interval to how often you want to check for new logs. If the interval is too long, there may be several "new" matching logs since the last run, but only the most recent one will be "detected".

The Script

Paste the script into the new schedule.

# Name of the schedule that runs this script, and the alert recipient
:local scheduleName "mySchedule"
:local emailAddress "myEmail"
# Log entries containing any of these phrases are candidates for an alert
:local startBuf [:toarray [/log find message~"logged in" || message~"login failure"]]
# Candidates that also contain any of these strings are dropped
:local removeThese ("telnet","whatever string you want")

# The time of the last entry alerted on is kept in the schedule's comment field
:local lastTime [/system scheduler get [find name="$scheduleName"] comment]

:local currentBuf [:toarray ""]

:foreach i in=$startBuf do={
  :local toggle 1
  :foreach j in=[:toarray $removeThese] do={
    # an empty exclude string would match every message, so skip it
    :if (([:len $j] > 0) && ([:typeof [:find [/log get $i message] "$j"]] = "num")) do={
      :set toggle 0
    }
  }
  :if ($toggle = 1) do={
    :set currentBuf ($currentBuf , $i)
  }
}

:local currentLineCount [:len $currentBuf]

:if ($currentLineCount > 0) do={
   # only the newest matching entry is examined
   :local currentTime "$[/log get [:pick $currentBuf ($currentLineCount - 1)] time]"

   # entries older than today are stamped "mmm/dd hh:mm:ss"; keep only the time part
   :if ([:len $currentTime] = 15) do={
      :set currentTime [:pick $currentTime 7 15]
   }

   :local output "$currentTime $[/log get [:pick $currentBuf ($currentLineCount - 1)] message]"

   # alert only when this entry's time differs from the one stored by the previous run
   :if (([:len $lastTime] < 1) || (([:len $lastTime] > 0) && ($lastTime != $currentTime))) do={
      /system scheduler set [find name="$scheduleName"] comment=$currentTime
      /tool e-mail send to="$emailAddress" subject="MikroTik alert $currentTime" body="$output"
   }
}

Config

Change the first few config items at the top of the script.


:local scheduleName "mySchedule"

Change this to the name of your schedule.


:local emailAddress "myEmail"

Put your email address here.


:local startBuf [:toarray [/log find message~"logged in" || message~"login failure"]]

This currently matches two strings. It can be changed to match more or fewer strings if desired. Remove || message~"login failure" if you only want to match one string; to match more strings, add another || message~"your string" clause at the end of the same find expression (before the last two closing brackets).


:local removeThese ("telnet","whatever string you want")

Edit the quoted items to the strings you want filtered out of the results. For example, if you want all "logged in" logs found but do not want any of the "logged in via telnet" logs included, simply put the word "telnet" in the array and those logs will be excluded. Double-quote each additional string and separate the strings with commas. If you don't want any logs filtered, simply declare the variable with no value (:local removeThese) or leave the double quotes empty (:local removeThese ("")).
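The include/exclude matching and the schedule-comment dedup described by the script and the Config notes above, modelled in Python as an added example (not RouterOS code and not from the original page) so that the two limitations noted under Todo and Instructions can be seen on sample data. The timestamp formats follow what the script assumes (today's entries "hh:mm:ss", older entries "mmm/dd hh:mm:ss"); the log messages, addresses and the "today" date used by date_time_key are constructed for the example.

```python
"""Python model of the MikroTik log-alert script's filter and dedup logic.

Constructed example, not RouterOS code: it reproduces what the scheduled
script does (keep entries with an include phrase, drop those with an
exclude string, alert only when the newest match differs from the marker
stored in the schedule comment) so the failure modes can be exercised.
"""
from dataclasses import dataclass, field

# Constructed log entries, oldest first as /log find returns them.
# RouterOS prints today's entries as "hh:mm:ss" and older ones as
# "mmm/dd hh:mm:ss"; the script cuts the date off the longer form.
SAMPLE_LOG = [
    ("dec/12 08:03:21", "user admin logged in from 10.0.0.5 via ssh"),
    ("dec/12 09:15:02", "user admin logged in from 10.0.0.9 via telnet"),
    ("08:03:21", "login failure for user root from 203.0.113.7 via ssh"),
    ("08:03:21", "user admin logged in from 10.0.0.5 via ssh"),  # exactly 24h after the first
    ("10:42:00", "dhcp lease assigned 10.0.0.77"),
]

INCLUDE = ("logged in", "login failure")   # the startBuf search phrases
EXCLUDE = ("telnet",)                      # the removeThese strings


def matches(message, include=INCLUDE, exclude=EXCLUDE):
    """True when an include phrase is present and no non-empty exclude string is."""
    if not any(term in message for term in include):
        return False
    # An empty exclude string, as in :local removeThese (""), must not drop everything.
    return not any(term and term in message for term in exclude)


def strip_date(ts):
    """Mirror the script: a 15-char "mmm/dd hh:mm:ss" stamp becomes "hh:mm:ss"."""
    return ts[7:15] if len(ts) == 15 else ts


def date_time_key(ts, today="dec/13"):
    """Marker that keeps the date, as the page's Todo suggests ("today" is assumed)."""
    return ts if len(ts) == 15 else f"{today} {ts}"


@dataclass
class Scheduler:
    """Stands in for the schedule entry whose comment field stores the marker."""
    comment: str = ""
    alerts: list = field(default_factory=list)


def run_check(log, sched, key=strip_date):
    """One scheduled run. Returns the alert text that would be emailed, or None.

    key() turns the newest match's time into the marker compared with the
    stored comment; strip_date reproduces the page's time-only marker.
    """
    hits = [(ts, msg) for ts, msg in log if matches(msg)]
    if not hits:
        return None
    newest_ts, newest_msg = hits[-1]   # only the most recent match is reported
    marker = key(newest_ts)
    if sched.comment == marker:
        return None                    # same marker as last run: treated as already seen
    sched.comment = marker
    output = f"{marker} {newest_msg}"
    sched.alerts.append(output)
    return output


if __name__ == "__main__":
    for key in (strip_date, date_time_key):
        sched = Scheduler()
        print(key.__name__, run_check(SAMPLE_LOG[:1], sched))
        print(key.__name__, run_check(SAMPLE_LOG, sched))
```

With the time-only marker, the first run alerts on the dec/12 login and stores "08:03:21"; the second run sees the newest match stamped "08:03:21" again (the login exactly 24h later), so nothing is sent, and the login failure between them is never reported because only the newest match is examined. With date_time_key the second run alerts as expected.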

Other Notes

If you would rather run a script or do something else instead of sending email, simply remove the second line (:local emailAddress "myEmail") and change the /tool e-mail send line near the bottom to do whatever you want.


Original forum thread here: [[1]]