marco370 495e845a79 Update log format to include timestamps and filter incoming connections
Correct the rsyslog template to include timestamps in logs, ensuring compatibility with the Python parser. This change also refactors the log filtering to capture only incoming connections, significantly reducing log volume.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: c2f849f9-105f-452a-bdc3-a956d102c54b
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/6ZTQSoP
2025-11-22 08:54:21 +00:00

RSyslog Configuration - IDS MikroTik

Overview

RSyslog configuration that receives logs from MikroTik routers on UDP/514 and writes them to a dedicated file, without duplicating them into /var/log/messages.

Files

  • 99-mikrotik.conf: rsyslog configuration
    • Custom template MikroTikRawFormat (stores the raw message)
    • Dedicated ruleset mikrotik ending in stop (prevents duplicates)
    • UDP/514 input for MikroTik logs
    • Automatic ownership: user ids, group ids

Automatic Installation

cd /opt/ids
sudo ./deployment/setup_rsyslog.sh

The script:

  1. Removes old, conflicting configurations
  2. Installs 99-mikrotik.conf into /etc/rsyslog.d/
  3. Creates /var/log/mikrotik/ with the correct ownership and permissions
  4. Checks the rsyslog configuration syntax
  5. Configures the firewall (UDP/514)
  6. Restarts rsyslog

Verifying Operation

# Check that rsyslog is listening on UDP/514
netstat -ulnp | grep 514

# Watch incoming log lines
tail -f /var/log/mikrotik/raw.log

# Check ownership and permissions
ls -lh /var/log/mikrotik/raw.log
# Expected output: -rw-r--r-- ids ids
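The checks above are manual. As an added example (not the project's setup script), the following bash script automates an end-to-end self-test: it confirms a UDP/514 listener with ss, sends a constructed RFC 3164 datagram that mimics a MikroTik firewall line, and then verifies that the marker landed in /var/log/mikrotik/raw.log, did not leak into /var/log/messages, and that the file has the expected ids:ids 0644 ownership. The hostname mikrotik-test, the message text and the MIKROTIK_SELFTEST/SYSLOG_HOST/SYSLOG_PORT variables are assumptions for illustration; bash's /dev/udp is required to send the datagram.

```shell
#!/usr/bin/env bash
# Added self-test for the MikroTik rsyslog pipeline (example, not project code).
# Assumes the paths from the README and bash's /dev/udp pseudo-device.
set -u

LOG_FILE="/var/log/mikrotik/raw.log"
SYSLOG_HOST="${SYSLOG_HOST:-127.0.0.1}"   # assumed: test against the local listener
SYSLOG_PORT="${SYSLOG_PORT:-514}"

# syslog PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
syslog_pri() {
    local facility="$1" severity="$2"
    echo $(( facility * 8 + severity ))
}

# Build a constructed RFC 3164 datagram shaped like a MikroTik firewall line:
#   <PRI>TIMESTAMP HOSTNAME MSG
# The hostname and message body are made up for the test.
build_test_message() {
    local marker="$1" pri ts
    pri=$(syslog_pri 1 6)                 # user.info
    ts=$(date '+%b %e %H:%M:%S')          # RFC 3164 timestamp
    printf '<%s>%s %s %s' "$pri" "$ts" "mikrotik-test" \
        "firewall,info rsyslog-selftest $marker"
}

# True when something is bound to the UDP syslog port.
check_listener() {
    ss -ulnp 2>/dev/null | grep -q ":${SYSLOG_PORT} "
}

# Send one datagram using bash's /dev/udp (no netcat dependency).
send_udp() {
    printf '%s' "$1" > "/dev/udp/${SYSLOG_HOST}/${SYSLOG_PORT}"
}

# Owner, group and mode the README promises for raw.log.
check_file_perms() {
    [ "$(stat -c '%U:%G %a' "$LOG_FILE")" = "ids:ids 644" ]
}

run_selftest() {
    local marker="selftest-$$-$(date +%s)"
    check_listener || { echo "FAIL: nothing listening on UDP/${SYSLOG_PORT}"; return 1; }
    send_udp "$(build_test_message "$marker")"
    sleep 1
    grep -q "$marker" "$LOG_FILE" \
        || { echo "FAIL: marker not found in $LOG_FILE"; return 1; }
    if grep -q "$marker" /var/log/messages 2>/dev/null; then
        echo "FAIL: message was duplicated into /var/log/messages"; return 1
    fi
    check_file_perms || { echo "FAIL: unexpected owner/mode on $LOG_FILE"; return 1; }
    echo "OK: message stored in $LOG_FILE only, permissions correct"
}

# Only run the live test when explicitly requested (assumed guard variable).
if [ -n "${MIKROTIK_SELFTEST:-}" ]; then
    run_selftest
fi
```

Run it on the log server with MIKROTIK_SELFTEST=1 sudo bash selftest.sh; a non-zero exit plus the FAIL line tells you which stage of the pipeline (listener, delivery, duplication, permissions) to look at.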

MikroTik Router Configuration

Configure the routers to send logs to the server (with topics=firewall only firewall log entries are forwarded):

/system logging action
add name=remote-ids target=remote remote=<IP_SERVER> remote-port=514

/system logging
add action=remote-ids topics=firewall

Troubleshooting

Error: template already set

error: omfile: default template already set via module global parameter

Cause: a legacy $ActionFileDefaultTemplate directive left over from an older configuration conflicts with the module-level template. Fix: the setup script removes old conflicting configurations automatically; if the error persists, look for $ActionFileDefaultTemplate in /etc/rsyslog.conf and /etc/rsyslog.d/ and remove it.

Duplicate logs in /var/log/messages

The ruleset ends with stop, so the messages are not propagated to the other rules. Because the UDP input is bound directly to the mikrotik ruleset, MikroTik messages never enter the default ruleset in the first place.

Permission denied

# Check/repair ownership and permissions
sudo chown -R ids:ids /var/log/mikrotik/
sudo chmod 755 /var/log/mikrotik/
sudo chmod 644 /var/log/mikrotik/raw.log

Firewall blocks UDP/514

sudo firewall-cmd --permanent --add-port=514/udp --zone=public
sudo firewall-cmd --reload

UDP syslog is unauthenticated and trivially spoofable, so rather than opening the port to the whole zone, limit the rule to the routers' source addresses (a firewalld rich rule with a source address restriction).

Log File

  • Path: /var/log/mikrotik/raw.log
  • Owner: ids:ids
  • Permissions: 0644
  • Format: raw syslog message (no timestamp/hostname prefix). Note that the commit shown at the top of this page later changed the template to include a timestamp for the Python parser; check the template in 99-mikrotik.conf for the current format.

Technical Notes

  • Modern syntax: rsyslog v8+ with template(), ruleset(), action()
  • No legacy syntax: avoids conflicts with $ActionFileDefaultTemplate
  • Dedicated ruleset: complete isolation of the MikroTik logs
  • stop directive: prevents duplication into other log files
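The Files section, the template-already-set troubleshooting entry and the notes above describe the design without showing it. As an added example (not the project's 99-mikrotik.conf, which is not reproduced on this page), here is a complete rsyslog v8 configuration in RainerScript syntax that implements exactly that design: a named template, a dedicated ruleset ending in stop, an imudp input bound to it, and ids:ids ownership set on the action. Only the names (MikroTikRawFormat, mikrotik, /var/log/mikrotik/raw.log, ids:ids, UDP/514) come from the README; the template body, the timestamped variant and the 192.0.2.0/24 router range are assumptions.

```conf
# Added example of a complete /etc/rsyslog.d/99-mikrotik.conf (rsyslog v8+).
# Not the project's own file; template body and the 192.0.2.x router range
# are assumptions for illustration.

module(load="imudp")

# Do NOT additionally set a default file template globally, neither as
#   $ActionFileDefaultTemplate MikroTikRawFormat            (legacy directive)
# nor as
#   module(load="builtin:omfile" template="MikroTikRawFormat")
# Mixing the two is what produces
#   "omfile: default template already set via module global parameter".
# Naming the template on the action below avoids the global setting entirely.

# Raw message only. %msg% carries a leading space for RFC 3164 messages,
# so the substring starts at character 2.
template(name="MikroTikRawFormat" type="string" string="%msg:2:$%\n")

# Assumed timestamped variant (the project's later commit prepended a
# timestamp for its Python parser; the exact field layout is not on the page):
# template(name="MikroTikRawFormat" type="string"
#          string="%timegenerated:::date-rfc3339% %fromhost-ip% %msg:2:$%\n")

ruleset(name="mikrotik") {
    # UDP syslog is unauthenticated: discard anything not sent by the routers.
    if not ($fromhost-ip startswith "192.0.2.") then stop

    action(type="omfile"
           file="/var/log/mikrotik/raw.log"
           template="MikroTikRawFormat"
           createDirs="on"
           dirOwner="ids" dirGroup="ids" dirCreateMode="0755"
           fileOwner="ids" fileGroup="ids" fileCreateMode="0644")

    # Nothing else runs on these messages, so they cannot reach the rules
    # that write /var/log/messages.
    stop
}

# Binding the listener to the ruleset means messages arriving on this input
# never pass through RSYSLOG_DefaultRuleset at all; the stop above is a
# safety net for anyone who later adds rules to this ruleset.
input(type="imudp" port="514" ruleset="mikrotik")
```

Validate it before restarting with rsyslogd -N1 (the syntax check the setup script performs), and keep the source-address filter in sync with the firewall rule so that spoofed datagrams are dropped at both layers.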