RouterOS has on-device logs, but there are a number of weaknesses in the stock facility:
By default they're written to memory, so they're lost when the device reboots. You may have a device that is spontaneously rebooting at unpredictable times. You can't just sit around and watch the logs, waiting for it to reboot to find out why it did that.
If you fix the prior problem by writing the logs to durable storage, you're likely to burn it out, since the most common options for RouterOS devices are the built-in flash and, on some devices, USB memory sticks or microSD cards. These aren't optimized for frequent writing, which is why RouterOS defaults to in-memory logging in the first place.
If you have more than one RouterOS box at a site, the default leaves you with separate logs on each device, which complicates debugging. If nothing else, centralized logging permits time-correlated debugging. For instance, if you're having a problem with port flapping, the diagnosis changes depending on whether both ends flap at the same time, or if only one end goes up and down.
If a router's security is compromised, the on-device logging immediately becomes untrustworthy: whoever holds admin on the box can clear the memory log or change the logging rules. With off-device logging, everything shipped before the compromise is already beyond the intruder's reach, permitting post-intrusion auditing. Bear in mind that the intruder can still stop forwarding afterwards, so a router that suddenly goes quiet on the log server is itself worth alerting on.
Although I've chosen to base this article on rsyslog because it's popular, free, and widely-available, there are other standalone syslog daemons. This article is readily adapted to them. In particular, syslog reception is a common feature in network monitoring systems. If you wish to use something other than rsyslog, simply skip the first step.
1. Install & Start
I wanted to send logs to my main home server, which happens to run macOS. Since macOS doesn't ship with any syslog facility, we'll use Homebrew to add one, then set it to start in the background automatically:
% brew install rsyslog
% brew services start rsyslog
Other OSes also package rsyslog. I use macOS Homebrew commands here only as an example, so I don't have to repeat everything with slightly different commands for Ubuntu, FreeBSD, etc.
2. Set Up the Router
Now we have to tell the router what messages we want sent to the rsyslog system and how to get them there.
Open a RouterOS CLI on the box however you like — WinBox → New Terminal, WebFig → Terminal, SSH... — then say:
> /system/logging/action
> set [find name="remote"] remote=192.0.2.99 remote-port=10514
That tells the router how to send messages to our server, 192.0.2.99 in this example. The port number (10514) is nonstandard because the Homebrew rsyslog package is configured to run under your normal user account, and it would have to run as root to bind to the standard syslog port, 514. Distribution packages on Linux run rsyslog as root, so there the standard port 514 is the usual choice; note, however, that most distributions ship with network reception switched off entirely, so you must enable rsyslog's UDP input (the imudp module) before the router's messages will be accepted at all.
Next, say something like:
> /system logging
> set [find] action=remote
This blindly changes the stock logging rules to send everything to rsyslog, and nowhere else: a logging rule has exactly one action, so after this nothing is kept in the on-device memory log any more, and a message the server never received is simply gone. You may wish to set up something more selective, such as leaving the stock rules in place and adding rules that send only errors and warnings to the remote log server, so that informational messages stay logged on-device only.
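Both halves of the setup above, the collector's rsyslog input from step 1 and a more selective version of the router rules from step 2, as one added example. This is my script, not the article's code or anything shipped with rsyslog or RouterOS. It assumes rsyslog 8 (RainerScript syntax), the collector at 192.0.2.99 on UDP 10514 as in the article, a router LAN address of 192.0.2.1 to send from, and RouterOS 7 CLI syntax; the log directory and drop-in path are illustrative.

```shell
#!/bin/sh
# Added example, not code from the article: generate both halves of the setup,
# the collector's rsyslog input and the router's forwarding rules.
# Assumptions (mine, not the article's): rsyslog 8 RainerScript syntax, a
# collector at 192.0.2.99 on UDP 10514 as in the article, the router's own
# address 192.0.2.1 as the source to send from, and a RouterOS 7 CLI.

# Emit an rsyslog drop-in that accepts UDP syslog on port $1 and writes each
# router's messages to its own file under $2.  The file is keyed by the
# sender's IP address, not by the hostname inside the message, so a crafted
# hostname cannot steer where rsyslog writes (rsyslog's secpath-replace
# property option exists if you really want hostnames).  Binding the input to
# its own ruleset keeps router traffic out of the host's normal /var/log rules.
# imudp may be loaded only once per config; drop the module() line if another
# file already loads it.
rsyslog_remote_conf() {
    port="$1"
    logdir="$2"
    cat <<EOF
module(load="imudp")
input(type="imudp" port="$port" ruleset="routeros")
template(name="RouterOSFile" type="string" string="$logdir/%FROMHOST-IP%.log")
ruleset(name="routeros") {
    action(type="omfile" dynaFile="RouterOSFile")
}
EOF
}

# Emit RouterOS commands that point the stock "remote" action at collector $1
# port $2, send from source address $3, and forward only selected topics.
# bsd-syslog=yes adds the RFC 3164 <PRI> header so rsyslog sees the router's
# facility and severity instead of a default; "add" leaves the stock memory
# rules alone, so errors, warnings, critical events and logins are logged both
# locally and remotely while plain info stays on the device.
routeros_commands() {
    collector="$1"
    port="$2"
    src="$3"
    cat <<EOF
/system logging action
set [find name="remote"] remote=$collector remote-port=$port src-address=$src bsd-syslog=yes
/system logging
add topics=critical action=remote
add topics=error action=remote
add topics=warning action=remote
add topics=account action=remote
EOF
}

# Send one constructed RFC 3164 line to collector $1 port $2 claiming to be
# host $3, so you can prove the listener and firewall before touching the
# router.  <134> is facility local0 (16*8) plus severity info (6).  Uses
# bash's /dev/udp; with another shell, pipe the line into "nc -u -w1 $1 $2".
send_test_message() {
    printf '<134>%s %s system,info,account test from %s\n' \
        "$(date '+%b %e %H:%M:%S')" "$3" "$3" > "/dev/udp/$1/$2"
}

# Print both configs.  Put the first where your rsyslog reads drop-ins
# (Debian/Ubuntu: /etc/rsyslog.d/10-routeros.conf), restart rsyslog, then
# paste the second into the RouterOS terminal.
rsyslog_remote_conf 10514 /var/log/routeros
routeros_commands 192.0.2.99 10514 192.0.2.1
```

Run it as-is and it only prints; nothing is written to /etc or sent to the router. Using add rather than set [find] is the point of the second half: the memory log keeps working as a local safety net, and only the topics worth keeping after a reboot or an intrusion leave the box.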
Logging into your router over SSH, WinBox, or WebFig should cause a log message to be sent to rsyslog. Where this message ends up depends on OS-specific details. For an Intel-based Mac, you can check it with:
% tail -f /usr/local/var/log/rsyslog-remote.log
On Apple Silicon systems, Homebrew 3 changed it to:
% tail -f /opt/homebrew/var/log/rsyslog-remote.log
Other OSes may put it elsewhere. Linux distros tend to put it in /var/log, for instance.