Mikrotik logi TCP problem


#1

Hi, help me, I installed the graffoo on linux ubuntu. I download the logs from the mikrotik router, the udp log downloads, tcp does not download, and the same rule is set on the mikrotik. What could be the reason?


(Anmol Sharma) #2

There can be many more possible reasons but you can start debugging from checking if the input type defined for ingesting logs does support logs via TCP or else create a new TCP input type and try sending logs to it and see if the logs starts ingesting.

For reference, you can launch a new input from System > Inputs


(Tess) #3

I’m having quite a hard time understanding your situation. I also have no idea what a “graffoo” is :slight_smile:

To my knowledge Graylog does not download any logs, it only consumes what is uploaded to it through various inputs (as @anmolsharma said).

Could you please explain your setup and your problem in greater detail?


#4

Friends, jestem z innego kraju i tak trudno mi pisać po angielsku.
Chodzi o to że greylog nie zbiera mi logów TCP z mikrotika, z logami UDP wszystko jest ok.


(Tess) #5

First off, Google Translate to the rescue: Dzień dobry! Rozumiem, że jest to niewygodne, ale zasady na forum mówią, że musimy pisać po angielsku.

Right… I will try to summarize:

  • You have two Syslog-type inputs defined, one TCP, one UDP.
  • The Mikrotik boxen aren configured to send their syslogs to either of these.
  • The MT logs arrive correctly at the UDP one, not at the TCP one.

This will come down to basic troubleshooting again… Unfortunately your screenshot does not show the config of both inputs, so we can’t easily compare them. So… basics, basics, basics…

  1. Configure one of your MT boxen to send TCP syslogs to the Graylog host, port 30000.
  2. On the Graylog host, use netstat to verify that the input is listening on 30000.
  3. On the Graylog host, check the firewall to see that the port is open for TCP.
  4. On the MT, test if you can connect to port 30000 on the Graylog host.
  5. Heck, pick another Linux host and try to send random data to the Graylog host, port 30000, using netcat.
  6. If log data is not arriving from the MT, run a Wireshark to see whether you even see network traffic going from the MT to Graylog.

And so on…


#6

Mikrotik sends standard syslog messages over UDP only, so it’s normal if You don’t receive anything over TCP.


(Tess) #7

BOOM! There’s your smoking gun then :smiley:

So it would fail at step 1: “Configure one of your MT boxen to send TCP syslogs to the Graylog host, port 30000.


#8

I’m sorry for English but I’m from another country.
I checked in stages and it did not help
It’s not true that Mikrotik does not receive tcp on syslog-ng tcp worked. I am sending configurations of my mikrotik


(Tess) #9

I don’t see an option in that window to switch between TCP and UDP. , Also, ccording to the MikroTik documentation, I can only find options to send by UDP. Not TCP.

But okay. We are back to basic troubleshooting then! I suggest you follow my steps from earlier.


#10

You should read Mikrotik forums about syslog and tcp
https://forum.mikrotik.com/viewtopic.php?t=58311

From your screenshots it seems like you want to send all Mikrotik connection logs to Graylog. In this case you don’t need MT_TCP input, all logs are coming on MT_UDP, it doesn’t matter if they are tcp or udp on Mikrotik. If you can’t see Mikrotik tcp connections in Graylog, check if they are collected on Mikrotik, by temporary adding new log rule with topic->firewall and action->memory and checking Mikrotik log.


#11

I understand everything, stay with udp and it’s ok
Thank you


(system) #12

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.