Graylog can receive Mikrotik logs but a little help is needed

I have a rather peculiar problem. I need to get Mikrotik remote logs into a Graylog server. Google is full of topics saying that it can’t be done. I disagree! At first I dug out that the RB450G series router is sending a UDP packet payload like this:

…’.,.L^.`…E…@.@…,…firewall,info RB450G: ---- REMOVED MESSAGE ----
22:43:58.568447 IP 0.0.0.0.44914 > 0.0.0.0.11514: UDP, length 154

And the hAP series router is sending a rather different packet payload:

…’.,.L^.`…E…@.?.dp
…r,…firewall,info RB951UI: ---- REMOVED MESSAGE ----
22:43:58.662620 IP 0.0.0.0.39551 > 0.0.0.0.11514: UDP, length 150

I almost gave up but then I got it working in my home lab. Graylog version 3.1.3. Now I do not know what to think.

I can see with tcpdump that packets are coming from every type of router but Graylog only reads RB450G router logs.

Technical details:
Home lab Graylog version 3.1.3 (Ubuntu server 16.04.6 LTS)
Production Graylog version 3.2.2 (Ubuntu server 16.04.6 LTS)

Home lab and production configurations and inputs are exactly the same.
server.conf is with defaults:

http_bind_address = 0.0.0.0:9000

Syslog UDP input:
allow_override_date: true
bind_address: 0.0.0.0
expand_structured_data: false
force_rdns: false
number_worker_threads: 4
override_source:
port: 11514
recv_buffer_size: 262144
store_full_message: false

Do I really have to downgrade Graylog to version 3.1.3? Still, the fact is that tcpdump is showing that the logs are coming to the Graylog server, so the point must be in log parsing or in the server.

If you are unsure what is incoming, change the input to a RAW input. That just accepts everything, like netcat listening on a port.

With that you receive the messages and you are able to check on them how they look and if they follow any syslog style or not.


The issue description is not clear actually, and I see jan is also confused.
What exactly can’t you realize? Receive logs? Parse logs? How exactly did you try to verify it (timestamp-related issues are very common)?

This part looks unclear

Where exactly do you route the logs? Can you show the Mikrotik configuration? Where did you check with tcpdump? On the Graylog side? Can you share a pcap file?

I’m not unsure what’s coming. As you can see in my first post, the tcpdump is showing what’s coming into the port where the input is listening. I changed my production IP addresses to 0.0.0.0 and removed the message content as well. Sorry zoulja for the confusion. I thought it was obvious to figure out why there are zeros. Sorry.

“What exactly you can’t realize? Receive logs? Parse logs? How exactly you tried to verify it(timestamp related issues are very common)”

I can’t get my production Graylog to read (see) incoming messages from hAP series Mikrotik routers. I verified the input with tcpdump. Please note that there is a difference in the UDP packets. But why is Graylog 3.1.3 reading all incoming packets and 3.2.2 is not?

I was hoping to get some ideas about what to check or change. The router configuration is OK and the logs are coming in, as you can see from my first post. There is something with the server or Graylog configuration. My production server has 2 NICs and 2 different IP addresses. This is the only difference between the home lab and the production server. And the Graylog version too, of course.

Tried the RAW input. The result was the same. Graylog can read RB450G but not hAP. At first my idea was that the line break in the hAP log „?.dp{{line break}}…r,“ (note it in my first post) is the cause, but I’m confused because in my home lab it was working. Is it the Graylog version or the 2 NICs?

The timestamp is not the issue, I think, because I have checked „allow_override_date: true“, and I also just checked that the timestamps are correct. Thanks zoulja for the tip!

Added a snippet from Wireshark. Hope it helps a little…
[Screenshot: Wireshark capture]

That’s fake news :slight_smile:

I can’t see anything wrong in your setup, it is very similar to mine. The only difference is that I am sending logs as BSD syslog:

add bsd-syslog=yes name=graylog remote=192.168.11.3 remote-port=11514 \
    syslog-facility=syslog target=remote

So I have downgraded the production Graylog server to version 3.1.4 (my home lab is v. 3.1.3) and everything is working fine. My conclusion is that for now I can’t update the Graylog server above version 3.1.x.

I hope that this bug will be fixed soon, because Graylog is a cool and powerful tool!

Thank you for everything!

If no bug report is filed, no bug can be looked at, and it might not get a fix.

I guess that the sent syslog messages are not following the RFC or similar. If you use a RAW input you could have checked on Graylog what the packet actually contains.
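A concrete way to do the check jan suggests twice in this thread (listen RAW, then see whether each datagram actually carries a syslog header) is sketched below. This is an added example, not code from the thread, from Graylog or from Mikrotik: the sample datagrams are constructed to mirror the "firewall,info <router>:" shape shown in the first post, the port 11514 is the one from the input configuration above, and the header check is a rough RFC 3164 / RFC 5424 framing test, not Graylog's own parser. It reports whether a PRI header exists, which facility/severity it encodes, and whether the datagram contains an embedded newline, which is the detail the original poster suspected in the hAP packets.

```python
import re
import socket

# RFC 3164 (BSD syslog) header: "<PRI>Mmm dd hh:mm:ss HOST rest-of-message"
RFC3164_RE = re.compile(
    rb"^<(\d{1,3})>([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.DOTALL
)
# RFC 5424 header: "<PRI>VERSION TIMESTAMP HOST APP PROCID MSGID rest-of-message"
RFC5424_RE = re.compile(
    rb"^<(\d{1,3})>(\d{1,2}) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$", re.DOTALL
)

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def classify_syslog(payload: bytes) -> dict:
    """Describe what a syslog parser would see in one UDP datagram."""
    info = {
        "format": "no-pri-header",  # nothing a syslog input can parse as a PRI
        "pri": None, "facility": None, "severity": None, "host": None,
        # a newline inside one datagram is a red flag for line-oriented parsers
        "embedded_newline": b"\n" in payload.rstrip(b"\r\n"),
    }
    m = RFC5424_RE.match(payload)
    if m:
        info["format"] = "rfc5424"
        pri, host = int(m.group(1)), m.group(4)
    else:
        m = RFC3164_RE.match(payload)
        if not m:
            return info
        info["format"] = "rfc3164"
        pri, host = int(m.group(1)), m.group(3)
    if pri > 191:  # PRI = facility*8 + severity, facility 0..23, severity 0..7
        info["format"] = "bad-pri"
        return info
    info.update(pri=pri, facility=pri // 8, severity=SEVERITIES[pri % 8],
                host=host.decode("ascii", "replace"))
    return info


# Constructed sample datagrams (not captures from the thread); message bodies
# follow the "firewall,info <router>:" shape the first post shows.
SAMPLES = {
    "bsd_rb450g": b"<134>Mar  1 22:43:58 RB450G firewall,info: ---- MESSAGE ----",
    "rfc5424_rb450g": b"<134>1 2020-03-01T22:43:58.568Z RB450G firewall - - - ---- MESSAGE ----",
    "no_pri_hap": b"firewall,info RB951UI: ---- MESSAGE ----",
    "newline_hap": b"<134>Mar  1 22:43:58 RB951UI firewall,info\n---- MESSAGE ----",
    "bad_pri": b"<999>Mar  1 22:43:58 RB951UI firewall,info: ---- MESSAGE ----",
}


def summarize(payloads: dict) -> dict:
    """Map each sample name to its detected framing, for a quick report."""
    return {name: classify_syslog(p)["format"] for name, p in payloads.items()}


def listen_raw(port: int = 11514, count: int = 10) -> list:
    """Minimal RAW UDP listener (the netcat-style check suggested in the thread):
    bind the port, read `count` datagrams and classify each one.
    Stop Graylog's own input on that port first, or the bind() fails."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(count):
            data, (src, _sport) = s.recvfrom(65535)
            verdict = classify_syslog(data)
            seen.append((src, verdict))
            print(f"{src}: {verdict['format']} {data[:60]!r}")
    return seen


if __name__ == "__main__":
    for name, verdict in summarize(SAMPLES).items():
        print(f"{name:16} -> {verdict}")
    # listen_raw(11514)  # uncomment on the collector host to inspect live traffic
```

If the hAP datagrams come back as "no-pri-header" while the RB450G ones come back as "rfc3164", the two router models are framing their messages differently and the router's logging action (for example the bsd-syslog=yes setting shown above) is the place to look; if both classify the same but one shows embedded_newline, the difference is inside the message body rather than the header.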
