marco370 c9b2a8a9a9 Set up system to receive and store MikroTik logs
Add rsyslog configuration for receiving MikroTik logs via UDP, store them in a dedicated file, and prevent duplicates in system messages.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 7a657272-55ba-4a79-9a2e-f1ed9bc7a528
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: b452008c-bd98-4e68-81a9-f20d3f714372
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/449cf7c4-c97a-45ae-8234-e5c5b8d6a84f/7a657272-55ba-4a79-9a2e-f1ed9bc7a528/DR50xVM
2025-11-21 17:26:52 +00:00

RSyslog Configuration - IDS MikroTik

Overview

RSyslog configuration for receiving logs from MikroTik routers over UDP:514 and saving them to a dedicated file without duplicating them in /var/log/messages.

Files

  • 99-mikrotik.conf: rsyslog configuration
    • Custom template MikroTikRawFormat (saves the raw log line)
    • Dedicated ruleset mikrotik with STOP (avoids duplicates)
    • UDP:514 input for MikroTik logs
    • Automatic permissions: user ids, group ids

Automatic Installation

cd /opt/ids
sudo ./deployment/setup_rsyslog.sh

The script:

  1. Removes old conflicting configurations
  2. Installs 99-mikrotik.conf into /etc/rsyslog.d/
  3. Creates the /var/log/mikrotik/ directory with the correct permissions
  4. Checks the rsyslog configuration syntax
  5. Configures the firewall (UDP:514)
  6. Restarts rsyslog

Verifying Operation

# Check that rsyslog is listening on UDP:514
netstat -ulnp | grep 514

# Watch incoming logs
tail -f /var/log/mikrotik/raw.log

# Check permissions
ls -lh /var/log/mikrotik/raw.log
# Expected output: -rw-r--r-- ids ids

MikroTik Router Configuration

Configure the routers to send logs to the server:

/system logging action
add name=remote-ids target=remote remote=<IP_SERVER> remote-port=514

/system logging
add action=remote-ids topics=firewall

Troubleshooting

Error: template already set

error: omfile: default template already set via module global parameter

Solution: the script automatically removes old conflicting configurations.

Duplicate logs in /var/log/messages

The configuration uses stop in the ruleset so that messages do not propagate to the default ruleset.

Permission denied

# Check/repair permissions
sudo chown -R ids:ids /var/log/mikrotik/
sudo chmod 755 /var/log/mikrotik/
sudo chmod 644 /var/log/mikrotik/raw.log

Firewall blocking UDP:514

sudo firewall-cmd --permanent --add-port=514/udp --zone=public
sudo firewall-cmd --reload

Log File

  • Path: /var/log/mikrotik/raw.log
  • Owner: ids:ids
  • Permissions: 0644
  • Format: Raw syslog message (no timestamp/hostname prefix)

Technical Notes

  • Modern syntax: rsyslog v8+ with template(), ruleset(), action()
  • No legacy syntax: avoids conflicts with $ActionFileDefaultTemplate
  • Dedicated ruleset: complete isolation for MikroTik logs
  • STOP directive: prevents duplication into other log files
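The repository's 99-mikrotik.conf is not shown on this page. The following is an added illustrative configuration, not the project's own file, that puts together the structure described in the Files section and in these notes: a raw-message template, a dedicated ruleset closed by stop, and a UDP:514 input bound to that ruleset. The template body, the comments and the exact omfile parameters are assumptions about how such a file would be written in rsyslog v8+ RainerScript syntax.

```rsyslog
# Added example: an illustrative 99-mikrotik.conf, not the repository's own file.
# Modern rsyslog v8+ syntax only; no legacy $-directives such as
# $ActionFileDefaultTemplate, which would trigger the
# "default template already set via module global parameter" error.

# Load the UDP input module.
module(load="imudp")

# Write only the message body: no timestamp or hostname prefix.
# The ":2:$" slice drops the leading space rsyslog keeps in %msg%.
template(name="MikroTikRawFormat" type="string" string="%msg:2:$%\n")

# Dedicated ruleset: messages that enter here never reach the default
# ruleset, so they are not written to /var/log/messages as well.
ruleset(name="mikrotik") {
    action(type="omfile"
           file="/var/log/mikrotik/raw.log"
           template="MikroTikRawFormat"
           fileOwner="ids" fileGroup="ids" fileCreateMode="0644"
           dirOwner="ids"  dirGroup="ids"  dirCreateMode="0755")
    # Without stop, processing would continue into the default ruleset
    # and the same line would be duplicated in other log files.
    stop
}

# Bind the UDP listener on port 514 to the dedicated ruleset.
input(type="imudp" port="514" ruleset="mikrotik")
```

A configuration in this form can be syntax-checked before restarting the service with `rsyslogd -N1`. Note that UDP syslog carries no authentication and the source address is trivially spoofable, so anything that can reach UDP:514 on this host can append lines to raw.log and thereby feed the IDS; the firewall rule shown above opens the port to the whole public zone, and restricting it to the routers' addresses is the usual mitigation.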