Syslog server

Ok, time to get a syslog server up and running to gather logs from my MikroTik gateway; after all, we want to be able to ban attackers on all devices in the end. All the software we need is already installed on the Ubuntu 14.04 server, so it is just a matter of configuration. So let's start.

First let's configure the MikroTik: open a terminal on the MikroTik and do the necessary configs.

The remote address is the syslog server, which is your Ubuntu server, and the src address is your MikroTik. This rule will log everything to the remote server. That's all that has to be done on the MikroTik; now let's move on to the Ubuntu machine and configure some more.

Uncomment the following lines in here:

Then open 50-default.conf in the folder /etc/rsyslog.d/ and add the following at the bottom:

Then we want to create mtgw.log and give the syslog user (the account rsyslog runs as) permission to write to it.

Now let's restart the rsyslog service, and the log file should start filling up.

Now when something happens on the MikroTik, mtgw.log should fill up. Remember we are logging everything now, which might not be what everyone needs, but this is just an example. The next thing to do with the logs is to let fail2ban gather offending IPs from mtgw.log and ban them, and also to script it so that fail2ban sends the information directly to the MikroTik, so the ban happens in the gateway itself.
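As an added example (not the configuration from this post; the MikroTik at 192.168.88.1, the Ubuntu host at 192.168.88.10 and the path /var/log/mtgw.log are assumed values), here is the Ubuntu side of the steps above in one POSIX shell script, plus a first cut at what the fail2ban step will need: pulling the source IPs of failed logins out of mtgw.log. Two choices differ from the walkthrough and are my own: the UDP listener is bound to the LAN address instead of every interface, and the filter rule goes in its own file that sorts before 50-default.conf, so the router's messages stop at mtgw.log instead of also filling /var/log/syslog.

```shell
#!/bin/sh
# Added example, not the configuration from the post. Assumed values:
# MikroTik at 192.168.88.1, Ubuntu syslog host at 192.168.88.10,
# target log file /var/log/mtgw.log.

# Lines to uncomment (or add) in /etc/rsyslog.conf so rsyslog accepts
# syslog over UDP/514; legacy directive syntax as used by the rsyslog that
# ships with Ubuntu 14.04. Passing a bind address keeps the listener off
# the internet-facing interfaces.
mtgw_udp_listener() {
    printf '$ModLoad imudp\n'
    [ -n "${1:-}" ] && printf '$UDPServerAddress %s\n' "$1"
    printf '$UDPServerRun 514\n'
}

# Rule that routes everything arriving from the router's source address
# into its own file, then stops processing so it is not duplicated into
# /var/log/syslog. It must sort before 50-default.conf to take effect.
mtgw_rsyslog_rule() {
    printf "if \$fromhost-ip == '%s' then %s\n& stop\n" "$1" "$2"
}

# Apply it on the Ubuntu host: create the log file owned by the syslog
# user (rsyslog drops privileges to it), install the rule, validate the
# configuration and restart. Needs root.
install_mtgw_logging() {
    src_ip="$1"
    logfile="$2"
    if [ "$(id -u)" -ne 0 ]; then
        echo "install_mtgw_logging: run as root" >&2
        return 1
    fi
    touch "$logfile"
    chown syslog:adm "$logfile"
    chmod 640 "$logfile"
    mtgw_rsyslog_rule "$src_ip" "$logfile" > /etc/rsyslog.d/49-mtgw.conf
    rsyslogd -N1 && service rsyslog restart
}

# Read MikroTik log lines on stdin and print the unique source IPs of
# rejected logins. RouterOS reports these as
# "login failure for user <name> from <ip> via <service>"; all other
# lines (firewall, successful logins, ...) are ignored. This is the
# matching a fail2ban filter for mtgw.log has to do.
extract_failed_login_ips() {
    awk '/login failure for user .* from [0-9.]+ via/ {
             sub(/.* from /, ""); sub(/ via .*/, ""); print
         }' | sort -u
}

# Constructed sample of mtgw.log content (made up for this example, not
# captured output).
constructed_sample_log() {
    cat <<'EOF'
Jan  5 10:12:01 192.168.88.1 system,error,critical login failure for user admin from 203.0.113.7 via ssh
Jan  5 10:12:04 192.168.88.1 system,error,critical login failure for user admin from 203.0.113.7 via ssh
Jan  5 10:12:09 192.168.88.1 system,info,account user admin logged in from 192.168.88.20 via winbox
Jan  5 10:13:30 192.168.88.1 system,error,critical login failure for user root from 198.51.100.23 via telnet
Jan  5 10:14:00 192.168.88.1 firewall,info input: in:ether1 out:(none), proto TCP (SYN), 198.51.100.23:44321->192.168.88.1:22, len 60
EOF
}

# Usage: "sh mtgw-syslog.sh install" as root applies the configuration;
# with no argument the script prints the fragments for review and shows
# the extraction running over the sample.
case "${1:-}" in
    install) install_mtgw_logging 192.168.88.1 /var/log/mtgw.log ;;
    "")
        mtgw_udp_listener 192.168.88.10
        mtgw_rsyslog_rule 192.168.88.1 /var/log/mtgw.log
        constructed_sample_log | extract_failed_login_ips
        ;;
esac
```

Run it without arguments first to see exactly what would be written, and check `rsyslogd -N1` output before trusting the restart; a syntax slip in the rule file silently stops rsyslog from starting. Note that the filter only looks at the router's login messages, so a source that is probing firewall rules rather than accounts will not show up here until a matching firewall log rule is added on the MikroTik.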