Messing With Mikrotik - Part II

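# /etc/syslog-ng/syslog-ng.conf
# Receives the Mikrotik router's syslog stream on the home log server and
# writes it under /opt/data/syslog, where Splunk picks it up (see inputs.conf).
@version: 3.25
@include "scl.conf"

##########
# Global Options
##########
options {
    # Create missing output directories (d_router writes into a per-sender directory)
    create-dirs(yes);
    # Group owner of created directories and of output files: the Splunk user's group
    dir-group("splunk");
    group("splunk");
    # Directory permissions. The group needs the execute bit to traverse into a
    # directory and open the files inside it; 0640 would lock a non-root Splunk out.
    dir-perm(0750);
    # Keep the HOSTNAME field as sent by the client instead of replacing it
    keep-hostname(yes);
    # Lower-case hostnames
    normalize-hostnames(yes);
    # File permissions: owner read/write, group (splunk) read-only
    perm(0640);
    # No DNS lookups for sender addresses (avoids blocking on resolution)
    use-dns(no);
    dns-cache(no);
};

##########
# Sources
##########
source s_local {
    # syslog-ng's own messages plus the local system log source
    internal();
    system();
};

#####
# 1234 - Mikrotik Router
#####
# Same listener settings on UDP and TCP; the router's logging action chooses the
# transport. UDP syslog carries no sender authentication, so the source-address
# check in f_router below is the only gate on what reaches d_router.
source s_network_1234udp {
    network(
        port(1234)
        transport("udp")
        # connection limit has no effect on a datagram transport; kept for symmetry with the TCP source
        max-connections(100)
        # 256 MiB socket receive buffer (Linux caps the effective size at net.core.rmem_max)
        so-rcvbuf(268435456)
        # messages read from the socket per poll
        log-fetch-limit(10000)
    );
};
source s_network_1234tcp {
    network(
        port(1234)
        transport("tcp")
        max-connections(100)
        so-rcvbuf(268435456)
        log-fetch-limit(10000)
    );
};

##########
# Destinations
##########
destination d_messages { file("/var/log/messages"); };
# One directory per sending address, one file per hour of receive time ($R_* macros).
# f_router limits which senders reach this path, so the directory name is the router's address.
destination d_router { file("/opt/data/syslog/$SOURCEIP/router-$R_YEAR-$R_MONTH-$R_DAY-$R_HOUR.log"); };

##########
# Filters
##########
##### Router
# Matches on the packet's source address, not on the HOSTNAME field of the message.
# The /32 makes the single-host match explicit.
filter f_router { netmask(192.168.85.1/32) };

##########
# Log Paths
##########
# Internal Logs
log {
    source(s_local);
    destination(d_messages);
};
# Mikrotik Logs
# Anything arriving on port 1234 from another address matches no path and is dropped.
log {
    source(s_network_1234udp);
    source(s_network_1234tcp);
    filter(f_router);
    destination(d_router);
    # stop evaluating later log paths for messages that matched this one
    flags(final);
};

#######
# End of Configuration
#######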
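# Confirm both syslog-ng listeners are bound on port 1234.
# -t alone lists only TCP sockets; -u is needed to see the UDP listener too.
netstat -pantu | grep -e ":1234"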
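# From the log server: open a RouterOS CLI session on the router
ssh admin@192.168.85.1

# RouterOS commands, run inside that session.
# Enable NetFlow export and point it at the log server, port 1234.
# NOTE(review): NetFlow v9 is a binary format, while port 1234 on the log server is the
# syslog-ng listener above; confirm this is the intended collector for the flow records.
/ip traffic-flow set enabled=yes
/ip traffic-flow target add dst-address=192.168.85.191 port=1234 version=9

# List the firewall filter rules with their numbers
/ip firewall filter print
# Note: you'll see your firewall filters here. You can't log rule 0 by default, but
# setting log=yes on everything else has the desired effect. The numbers below are
# the rule numbers from the print output, so re-check them after any rule change.
/ip firewall filter set log=yes 1,2,3,4,5,6,7,8,9,10,11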
Oct 19 14:18:28 192.168.85.1 firewall,info forward: in:ether1 out:bridge, src-mac 00:b2:4e:33:f2:19, proto UDP, x.x.x.x:53722->192.168.85.12:62181, NAT x.x.x.x:53722 ->(x.x.x.x:51233->192.168.85.12:62181), len 78
192.168.85.14 x.x.x.x 282 7
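# inputs.conf located in /opt/splunk/etc/apps/trex/local/
# Tail every hourly router file syslog-ng writes under /opt/data/syslog/<sender-ip>/
[monitor:///opt/data/syslog/*/*.log]
# host comes from the 4th path segment (/opt/data/syslog/<host>/...), i.e. the sending IP
host_segment = 4
sourcetype = trex:mikrotik
index = networking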
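# props.conf located in /opt/splunk/etc/apps/trex/local
[trex:mikrotik]
# Search-time extractions: first LAN address in the event, and the first
# colon-separated six-group token (the src-mac / dst-mac values)
EXTRACT-clientip = (?<src_ip>192\.168\.85\.\d+)
EXTRACT-mac = (?<mac>\w+\:\w+\:\w+\:\w+\:\w+\:\w+)
# Index-time routing, applied in the order listed: 'trash' sends every event to
# nullQueue, then 'firewall_keep' puts events containing "firewall" back on
# indexQueue. The keep transform must stay last or nothing is indexed.
TRANSFORMS-firewall = trash,firewall_keep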
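# transforms.conf located in /opt/splunk/etc/apps/trex/local
# Re-admit firewall events to the index queue; applied after [trash] (see props.conf)
[firewall_keep]
REGEX = firewall
DEST_KEY = queue
FORMAT = indexQueue

# Discard every event by default (the regex matches any character)
[trash]
REGEX = (.)
DEST_KEY = queue
FORMAT = nullQueue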
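# Python for pulling mikrotik accounting logs
from urllib.request import urlopen

# The accounting page is fetched over plain HTTP with no authentication, so
# restrict which addresses the router serves it to (its accounting web-access
# address setting) to the log server. A timeout keeps the every-minute cron
# job from piling up hung processes if the router stops answering.
with urlopen("http://router.home/accounting/ip.cgi", timeout=10) as response:
    html = response.read().decode('utf-8')
print(html)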
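# Every minute: pull the accounting page, keep the raw copy, and write a cleaned
# copy with all '*' characters removed for Splunk to monitor (sed reads the file
# directly; a leading '*' in a BRE is literal, the backslash just makes that explicit).
* * * * * python3 /opt/splunk/etc/apps/mercer/bin/mikrotik_accounting.py > /opt/data/scripts/accounting_raw.log && sed 's/\*//g' /opt/data/scripts/accounting_raw.log > /opt/data/scripts/accounting.log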
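# inputs.conf located in /opt/splunk/etc/apps/trex/local/
# Cleaned accounting output written by the cron job
[monitor:///opt/data/scripts/accounting.log]
# The file carries no host information, so attribute events to the router
host = 192.168.85.1
sourcetype = trex:mikrotik:accounting
index = networking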
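# props.conf located in /opt/splunk/etc/apps/trex/local
[trex:mikrotik:accounting]
# One event per line
LINE_BREAKER = ([\r\n]+)
# The accounting rows carry no timestamp; stamp events with index time
DATETIME_CONFIG = CURRENT
# Row layout: "<src_ip> <dst_ip> <bytes> <packets>"
EXTRACT-accounting = (?<src_ip>\d+\.\d+\.\d+\.\d+) (?<dst_ip>\d+\.\d+\.\d+\.\d+) (?<bytes>\d+) (?<packets>\d+)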
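import os
import sys

import paramiko

hostname = "192.168.85.1"
username = "admin"
# The password is read from the environment (set MIKROTIK_PASSWORD for the cron
# job) instead of being stored in the script file.
password = os.environ.get("MIKROTIK_PASSWORD", "")
commands = [
    "/ip firewall mangle print stats all"
]

if not password:
    # stderr, so the message does not end up in the cron-redirected log file
    print("[!] MIKROTIK_PASSWORD is not set", file=sys.stderr)
    sys.exit(1)

# initialize SSH Client
client = paramiko.SSHClient()
# Verify the router against ~/.ssh/known_hosts when it is listed there; an unknown
# host is added on first contact, after which a changed host key is rejected.
client.load_system_host_keys()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    client.connect(hostname=hostname, username=username, password=password, timeout=10)
except (paramiko.SSHException, OSError) as exc:
    # catch only connection/auth failures and say why, rather than a bare except
    print("[!] Cannot Connect to the SSH Server:", exc, file=sys.stderr)
    sys.exit(1)

try:
    # execute the commands; stdout is what cron captures into the log file
    for command in commands:
        print("=" * 5, command, "=" * 5)
        _, stdout, stderr = client.exec_command(command)
        print(stdout.read().decode())
        err = stderr.read().decode()
        if err:
            # keep router error text out of the indexed output
            print(err, file=sys.stderr)
finally:
    client.close()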
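# Snapshot the mangle rule counters at 23:59 and hourly from 01:00 to 23:00. Each
# run overwrites mangle.log; Splunk treats the truncated file as new content.
# The 00:00 job presumably zeroes the counters so each day starts fresh
# (counter_reset.py is not shown here).
59 23 * * * python3 /opt/splunk/etc/apps/mercer/bin/mikrotik_mangle.py > /opt/data/scripts/mangle.log
00 01-23 * * * python3 /opt/splunk/etc/apps/mercer/bin/mikrotik_mangle.py > /opt/data/scripts/mangle.log
00 00 * * * python3 /opt/splunk/etc/apps/mercer/bin/counter_reset.py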
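# inputs.conf
# Hourly mangle counter snapshot written by the cron job
[monitor:///opt/data/scripts/mangle.log]
# The file carries no host information, so attribute events to the router
host = 192.168.85.1
sourcetype = trex:mikrotik:mangle
index = networking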
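# props.conf
# The stanza name must equal the sourcetype assigned in inputs.conf
# (trex:mikrotik:mangle); under any other name these settings never apply.
[trex:mikrotik:mangle]
# Left disabled by the author. The print output has no timestamps, so enabling
# it would stamp events with index time; confirm against the merged events.
#DATETIME_CONFIG = CURRENT
SHOULD_LINEMERGE = true
# Pull bytes and packets from the "postrouting passthrough" stat lines
EXTRACT-mangleFields = (?<type>postrouting)\s+passthrough\s+(?<bytes>.*?)\s{2,}(?<packets>.*?)$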
