Syslog is not updating
Below you can find a configuration example that is relevant to RouterOS:

    /system logging action
    set [find name=remote] remote=10.0.0.1
    /system logging
    add action=remote topics=info
    add action=remote topics=critical
    add action=remote topics=error
    add action=remote topics=warning

With this configuration all logs will be present on the device and on the remote syslog server.
Below you can find the configuration lines that are relevant to an rsyslog server (only lines that should be changed from the default values):

    #/etc/
    $ModLoad imudp
    $UDPServerAddress 10.0.0.1
    $UDPServerRun 514
    $AllowedSender UDP, 10.0.0.0/24 127.0.0.1
    $template Router1Log,"/var/log/MikroTik/router1.log"
    :fromhost-ip, isequal, "10.0.0.2" -?Router1Log
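The rsyslog lines above do three things: accept UDP on 514, drop datagrams from senders outside the allowed ranges, and file messages from 10.0.0.2 into a per-router log. The following Python script is an added example (not code from this page, from MikroTik or from the rsyslog project) that implements the same allowed-sender and per-host routing logic in software, so the behaviour can be tested offline. The sample datagrams, the `ALLOWED_SENDERS` and `HOST_TEMPLATES` tables and the default log path are constructed assumptions mirroring the configuration; the `<PRI>` parsing follows the standard syslog facility/severity encoding.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-ins for the $AllowedSender and $template/:fromhost-ip lines.
ALLOWED_SENDERS = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("127.0.0.1/32"),
]
HOST_TEMPLATES = {"10.0.0.2": "/var/log/MikroTik/router1.log"}
DEFAULT_LOG = "/var/log/syslog"  # assumed catch-all for other allowed senders


def is_allowed_sender(src_ip):
    """True if the datagram's source address falls inside an allowed range."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_SENDERS)


def parse_pri(datagram):
    """Split the leading <PRI> field into (facility, severity, rest).

    PRI = facility * 8 + severity, at most three digits, max 191.
    Returns None for a datagram that does not start with a valid PRI.
    """
    if not datagram.startswith("<"):
        return None
    end = datagram.find(">")
    if end < 2 or end > 4 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    if pri > 191:
        return None
    return pri >> 3, pri & 7, datagram[end + 1:]


def route(datagrams):
    """Apply sender filtering and per-host file selection to (src_ip, text) pairs.

    Returns (files, dropped): files maps a log path to the lines written to it,
    dropped lists (src_ip, reason) for datagrams that were not accepted.
    """
    files = defaultdict(list)
    dropped = []
    for src_ip, text in datagrams:
        if not is_allowed_sender(src_ip):
            dropped.append((src_ip, "sender not in allowed ranges"))
            continue
        parsed = parse_pri(text)
        if parsed is None:
            dropped.append((src_ip, "malformed PRI header"))
            continue
        facility, severity, body = parsed
        target = HOST_TEMPLATES.get(src_ip, DEFAULT_LOG)
        files[target].append(f"fac={facility} sev={severity} {body}")
    return dict(files), dropped


# Constructed sample datagrams in the RouterOS "topics,severity message" style.
SAMPLE = [
    ("10.0.0.2", "<14>system,info,account user admin logged in from 10.0.0.5 via winbox"),
    ("10.0.0.2", "<11>system,error,critical login failure for user admin from 10.0.0.9 via ssh"),
    ("10.0.0.3", "<13>system,warning ntp client: no response from server"),
    ("192.0.2.7", "<14>system,info message from outside the allowed ranges"),
    ("10.0.0.2", "no pri header at all"),
]

if __name__ == "__main__":
    files, dropped = route(SAMPLE)
    for path, lines in files.items():
        print(path)
        for line in lines:
            print("   ", line)
    print("dropped:", dropped)
```

Note that the source-address check is only as strong as the network path: as the text below says, an address inside the allowed range can be spoofed over UDP, which is why a TCP or TLS listener is the stronger configuration.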
The syslog protocol is a network logging standard supported by a wide range of network devices, appliances, and servers.
Syslog messages deliver information on network events and errors.
Although you can restrict syslog messages to specific source IP addresses, an attacker can still spoof the IP address, potentially allowing the injection of unauthorized syslog messages into the firewall. In either case, make sure that the syslog server and client are both on a dedicated, secure VLAN to prevent untrusted hosts from sending syslogs to the User-ID agent.
If you are using rsyslog instead of syslog, you will need the change below in the rsyslog configuration.
Syslog messages must meet certain criteria for a User-ID agent to parse them. The Windows User-ID agent accepts syslogs over TCP and UDP only. However, you must use caution when using UDP to receive syslog messages, because it is an unreliable protocol and there is no way to verify that a message was sent from a trusted syslog server. As a best practice, always use SSL to listen for syslog messages.

RouterOS logging topics: account, bfd, caps, ddns, dns, error, gsm, info, iscsi, l2tp, manager, ntp, packet, pppoe, radvd, rip, script, smb, sstp, system, timer, vrrp, web-proxy, async, bgp, certificate, debug, dude, event, hotspot, interface, isdn, ldp, mme, ospf, pim, pptp, raw, route, sertcp, snmp, state, telephony, upnp, warning, wireless, backup, calc, critical, dhcp, e-mail, firewall, igmp-proxy, ipsec, kvm, lte, mpls, ovpn, ppp, radius, read, rsvp, simulator, ssh, store, tftp, ups, watchdog, write. A logging rule logs all messages that fall into the specified topic or list of topics. The ! character can be placed before a topic to exclude messages falling under that topic. For example, we want to log NTP debug info without too much detail. Then add a new logging rule with the topic "web-proxy" and the newly created action.