ids.alfacom.it/deployment/rsyslog/99-mikrotik.conf

# =============================================================================
# RSYSLOG CONFIG - LOG MIKROTIK IDS
# =============================================================================
# File: /etc/rsyslog.d/99-mikrotik.conf
# Riceve log UDP:514 dai router MikroTik e li salva in file dedicato
# IMPORTANTE: Usa sintassi moderna rsyslog v8+ per evitare conflitti template
# =============================================================================

# Template personalizzato per log MikroTik (formato BSD syslog)
# Formato: Nov 22 08:15:30 HOSTNAME message
# %TIMESTAMP% genera formato: Nov 22 08:15:30
template(name="MikroTikRawFormat" type="string" string="%TIMESTAMP% %HOSTNAME% %msg%\n")

# Ruleset dedicato per log MikroTik
ruleset(name="mikrotik") {
    # Salva in file dedicato usando template raw
    action(
        type="omfile"
        file="/var/log/mikrotik/raw.log"
        template="MikroTikRawFormat"
        FileOwner="ids"
        FileGroup="ids"
        FileCreateMode="0644"
        DirOwner="ids"
        DirGroup="ids"
        DirCreateMode="0755"
    )
    
    # STOP: Non propagare a /var/log/messages per evitare duplicati
    stop
}

# Input UDP:514 per log MikroTik
module(load="imudp")
input(
    type="imudp"
    port="514"
    ruleset="mikrotik"
)