Summary

RouterOS is capable of logging various system events and status information. Logs can be saved in routers memory (RAM), disk, file, sent by email or even sent to remote syslog server (RFC 3164).


Video: Logging Basics

Log messages

Sub-menu level: /log

All messages stored in routers local memory can be printed from /log menu. Each entry contains time and date when event occurred, topics that this message belongs to and message itself.

[admin@MikroTik] /log> print 
jan/02/1970 02:00:09 system,info router rebooted 
sep/15 09:54:33 system,info,account user admin logged in from 10.1.101.212 via winbox 
sep/15 12:33:18 system,info item added by admin 
sep/15 12:34:26 system,info mangle rule added by admin 
sep/15 12:34:29 system,info mangle rule moved by admin 
sep/15 12:35:34 system,info mangle rule changed by admin 
sep/15 12:42:14 system,info,account user admin logged in from 10.1.101.212 via telnet 
sep/15 12:42:55 system,info,account user admin logged out from 10.1.101.212 via telnet 
01:01:58 firewall,info input: in:ether1 out:(none), src-mac 00:21:29:6d:82:07, proto UDP, 
10.1.101.1:520->10.1.101.255:520, len 452

If logs are printed at the same date when log entry was added, then only time will be shown. In example above you can see that second message was added on sep/15 current year (year is not added) and the last message was added today so only the time is displayed. 

Print command accepts several parameters that allows to detect new log entries, print only necessary messages and so on.

For example following command will print all log messages where one of the topics is info and will detect new log entries until Ctrl+C is pressed.

[admin@MikroTik] /log > print follow where topics~".info"
12:52:24 script,info hello from script
-- Ctrl-C to quit.

In this example it will print only the dhcp info messages: 

[admin@MikroTik] log/print where topics~"dhcp.info"
11:42:32 dhcp,info defconf deassigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung
11:42:32 dhcp,info defconf assigned 192.168.88.37 for B0:E4:5C:27:EF:F2 Samsung

If print is in follow mode you can hit 'space' on keyboard to insert separator: 

[admin@MikroTik] /log > print follow where topics~".info"
12:52:24 script,info hello from script

= = = = = = = = = = = = = = = = = = = = = = = = = = =

-- Ctrl-C to quit.

Logging configuration

Sub-menu level: /system logging

PropertyDescription
action (name; Default: memory)specifies one of the system default actions or user specified action listed in actions menu
prefix (string; Default: )prefix added at the beginning of log messages
topics (account, async, backup, bfd, bgp, bridge, calc, caps, certificate, container, clock, critical, ddns, debug, dhcp, dns, dot1x, dude, e-mail, error, event, fetch, firewall, gps, gsm, health, hotspot, igmp-proxy, info, interface, ipsec, iscsi, isdn, isis, kvm, l2tp, ldp, lora, lte, manager, mme, mpls, mqtt, mvrp, natpmp, netinstall, netwatch, ntp, ospf, ovpn, packet, pim, poe-out, ppp, pppoe, pptp, queue, radius, radvd, raw, read, rip, route, rpki, rsvp, script, sertcp, simulator, smb, snmp, ssh, sstp, state, store, stp, system, telephony, tftp, timer, tr069, update, upnp, ups, vpls, vrrp, warning, watchdog, web-proxy, wireguard, wireless, write; Default: info)log all messages that falls into specified topic or list of topics.

'!' character can be used before topic to exclude messages falling under this topic. For example, we want to log NTP debug info without too much details:

/system logging add topics=ntp,debug,!packet

Actions

Sub-menu level: /system logging action

PropertyDescription
bsd-syslog (yes|no; Default: )whether to use bsd-syslog as defined in RFC 3164
disk-file-count (integer [1..65535]; Default: 2)specifies number of files used to store log messages, applicable only if action=disk
disk-file-name (string; Default: log)name of the file used to store log messages, applicable only if action=disk
disk-lines-per-file (integer [1..65535]; Default: 100)specifies maximum size of file in lines, applicable only if action=disk
disk-stop-on-full (yes|no; Default: no)whether to stop to save log messages to disk after the specified disk-lines-per-file and disk-file-count number is reached, applicable only if action=disk
email-start-tls (yes | no; Default: no)Whether to use tls when sending email, applicable only if action=email
email-to (string; Default: )email address where logs are sent, applicable only if action=email
memory-lines (integer [1..65535]; Default: 1000)number of records in local memory buffer, applicable only if action=memory
memory-stop-on-full (yes|no; Default: no)whether to stop to save log messages in local buffer after the specified memory-lines number is reached
name (string; Default: )name of an action
remember (yes|no; Default: )whether to keep log messages, which have not yet been displayed in console, applicable if action=echo
remote (IP/IPv6 Address[:Port]; Default: 0.0.0.0:514)remote logging server's IP/IPv6 address and UDP port, applicable if action=remote
src-address (IP address; Default: 0.0.0.0)source address used when sending packets to remote server
syslog-facility (auth, authpriv, cron, daemon, ftp, kern, local0, local1, local2, local3, local4, local5, local6, local7, lpr, mail, news, ntp, syslog, user, uucp; Default: daemon)
syslog-severity (alert, auto, critical, debug, emergency, error, info, notice, warning; Default: auto)Severity level indicator defined in RFC 3164:
  • Emergency: system is unusable
  • Alert: action must be taken immediately
  • Critical: critical conditions
  • Error: error conditions
  • Warning: warning conditions
  • Notice: normal but significant condition
  • Informational: informational messages
  • Debug: debug-level messages
target (disk, echo, email, memory, remote; Default: memory)storage facility or target of log messages
  • disk - logs are saved to the hard drive
  • echo - logs are displayed on the console screen
  • email - logs are sent by email
  • memory - logs are stored in local memory buffer
  • remote - logs are sent to remote host

Topics

 Each log entry have topic which describes the origin of log message. There can be more than one topic assigned to log message. For example, OSPF debug logs have four different topics: route, ospf, debug and raw. 

11:11:43 route,ospf,debug SEND: Hello Packet 10.255.255.1 -> 224.0.0.5 on lo0 
11:11:43 route,ospf,debug,raw PACKET: 
11:11:43 route,ospf,debug,raw 02 01 00 2C 0A FF FF 03 00 00 00 00 E7 9B 00 00 
11:11:43 route,ospf,debug,raw 00 00 00 00 00 00 00 00 FF FF FF FF 00 0A 02 01 
11:11:43 route,ospf,debug,raw 00 00 00 28 0A FF FF 01 00 00 00 00 

 List of Facility independent topics 

TopicDescription
criticalLog entries marked as critical, these log entries are printed to console each time you log in.
debugDebug log entries
errorError messages
infoInformative log entry
packetLog entry that shows contents from received/sent packet
rawLog entry that shows raw contents of received/sent packet
warningWarning message.

 Topics used by various RouterOS facilities 

TopicDescription
accountLog messages generated by accounting facility.
asyncLog messages generated by asynchronous devices
backupLog messages generated by backup creation facility.
bfdLog messages generated by BFD protocol
bgpLog messages generated by BGP protocol
calcRouting calculation log messages.
capsCAPsMAN wireless device management
certificateSecurity certificate
clockLog messages generated by Clock, IP Cloud time changes.
dnsName server lookup related information
ddnsLog messages generated by Dynamic DNS tool
dudeMessages related to the Dude server package The Dude tool
dhcpDHCP client, server and relay log messages
e-mailMessages generated by e-mail tool.
eventLog message generated at routing event. For example, new route have been installed in routing table.
firewallFirewall log messages generated when action=log is set in firewall rule
gsmLog messages generated by GSM devices
hotspotHotspot related log entries
igmp-proxyIGMP Proxy related log entries
ipsecIPSec log entries
iscsi
isdn
interface
kvmMessages related to the KVM virtual machine functionality
l2tpLog entries generated by L2TP client and server
lteMessages related to the LTE/4G modem configuration
ldpLDP protocol related messages
managerUser Manager log messages.
mmeMME routing protocol messages
mplsMPLS messages
ntpsNTP client generated log entries
ospfOSPF routing protocol messages
ovpnOpenVPN tunnel messages
pimMulticast PIM-SM related messages
pppppp facility messages
pppoePPPoE server/client related messages
pptpPPTP server/client related messages
radiusLog entries generated by RADIUS Client
radvdIPv6 radv daemon log messages.
readSMS tool messages
ripRIP routing protocol messages
routeRouting facility log entries
rsvpResource Reservation Protocol generated messages.
scriptLog entries generated from scripts
sertcpLog messages related to facility responsible for "/port remote-access"
simulator
stateDHCP Client and routing state messages.
storeLog entries generated by Store facility
smbMessages related to the SMB file sharing system
snmpMessages related to Simple network management protocol (SNMP) configuration
systemGeneric system messages
telephonyObsolete! Previously used by the IP telephony package
tftpTFTP server generated messages
timerLog messages that are related to timers used in RouterOS. For example bgp keepalive logs
12:41:40 route,bgp,debug,timer KeepaliveTimer expired 
12:41:40 route,bgp,debug,timer     RemoteAddress=2001:470:1f09:131::1 
upsMessages generated by UPS monitoring tool
vrrpMessages generated VRRP
watchdogWatchdog generated log entries
web-proxyLog messages generated by web proxy
wirelessWireless log entries.
writeSMS tool messages.

Examples

Logging to file

To log everything to file, add new log action: 

/system logging action add name=file target=disk disk-file-name=log

and then make everything log using this new action: 

/system logging add action=file

You can log only errors there by issuing command: 

/system logging add topics=error action=file 

This will log into files log.0.txt and log.1.txt.

You can specify maximum size of file in lines by specifying disk-lines-per-file. <file>.0.txt is active file were new logs are going to be appended and once it size will reach maximum it will become <file>.1.txt, and new empty <file>.0.txt will be created.

You can log into USB flashes or into MicroSD/CF (on Routerboards) by specifying it's directory name before file name. For example, if you have accessible usb flash as usb1 directory under /files, you should issue following command:

/system logging action add name=usb target=disk disk-file-name=usb1/log

Logging entries from files will be stored back in the memory after reboot.


  • No labels