marco/ids.alfacom.it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cbfa78de28
ids.alfacom.it/deployment/rsyslog/README.md
marco370 c9b2a8a9a9 Set up system to receive and store MikroTik logs 
Add rsyslog configuration for receiving MikroTik logs via UDP, store them in a dedicated file, and prevent duplicates in system messages.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: b452008c-bd98-4e68-81a9-f20d3f714372
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/DR50xVM
2025-11-21 17:26:52 +00:00

2.3 KiB
Raw Blame History

RSyslog Configuration - IDS MikroTik

Overview

Configurazione RSyslog per ricevere log dai router MikroTik via UDP:514 e salvarli in file dedicato senza duplicare in /var/log/messages.

File

  • 99-mikrotik.conf: Configurazione rsyslog
    • Template custom MikroTikRawFormat (salva log raw)
    • Ruleset dedicato mikrotik con STOP (evita duplicati)
    • Input UDP:514 per log MikroTik
    • Permessi automatici: utente ids, gruppo ids

Installazione Automatica

cd /opt/ids
sudo ./deployment/setup_rsyslog.sh

Lo script:

  1. Rimuove vecchie configurazioni conflittuali
  2. Installa 99-mikrotik.conf in /etc/rsyslog.d/
  3. Crea directory /var/log/mikrotik/ con permessi corretti
  4. Verifica sintassi rsyslog
  5. Configura firewall (UDP:514)
  6. Riavvia rsyslog

Verifica Funzionamento

# Verifica rsyslog in ascolto su UDP:514
netstat -ulnp | grep 514

# Monitora log in arrivo
tail -f /var/log/mikrotik/raw.log

# Verifica permessi
ls -lh /var/log/mikrotik/raw.log
# Output atteso: -rw-r--r-- ids ids

Configurazione Router MikroTik

Configura i router per inviare log al server:

/system logging action
add name=remote-ids target=remote remote=<IP_SERVER> remote-port=514

/system logging
add action=remote-ids topics=firewall

Troubleshooting

Errore: Template già impostato

error: omfile: default template already set via module global parameter

Soluzione: Lo script rimuove automaticamente vecchie configurazioni conflittuali.

Log duplicati in /var/log/messages

La configurazione usa stop nel ruleset per evitare propagazione.

Permessi negati

# Verifica/ripara permessi
sudo chown -R ids:ids /var/log/mikrotik/
sudo chmod 755 /var/log/mikrotik/
sudo chmod 644 /var/log/mikrotik/raw.log

Firewall blocca UDP:514

sudo firewall-cmd --permanent --add-port=514/udp --zone=public
sudo firewall-cmd --reload

File Log

  • Path: /var/log/mikrotik/raw.log
  • Owner: ids:ids
  • Permissions: 0644
  • Format: Raw syslog message (no timestamp/hostname prefix)

Note Tecniche

  • Sintassi moderna: rsyslog v8+ con template(), ruleset(), action()
  • No legacy syntax: Evita conflitti con $ActionFileDefaultTemplate
  • Ruleset dedicato: Isolamento completo per log MikroTik
  • STOP directive: Previene duplicazione in altri file log