Help Document

MikroTik overview

MikroTik routers run RouterOS, offering advanced routing, firewall, and VPN features. They are widely used for their flexibility, affordability, and strong network management capabilities.

MikroTik extension scope

The MikroTik extension for Log360Cloud enables integration of MikroTik logs into the Log360 Cloud ecosystem. This extension provides features such as log collection, parsing, reporting, alerting, correlation, and advanced log search capabilities.

Configuring MikroTik syslog forwarding by Web Interface

  1. Log in to the MikroTik web interface.
  2. Go to System -> Logging -> Actions -> remote. This opens the configuration console for the remote action.
  3. In the Remote Address field, enter the Log360 Cloud agent's IP address.
  4. Set the Remote Port to 514.
     Note: Check that BSD Syslog is enabled. This is mandatory for the syslogs to be forwarded with timestamp values.
  5. Click OK to save the configuration.
  6. Go to System -> Logging -> Rules.
  7. Select the syslog message topics you want to send to Log360 Cloud by marking them and setting the associated action to remote. If you are forwarding all logs to the Log360 Cloud agent, the action of every rule should be set to remote.

Configuring MikroTik syslog forwarding by command-line interface (CLI)

  1. Use Telnet or SSH to access the MikroTik router from your command-line interface; SSH is preferred because Telnet sends credentials in clear text.
  2. Run the following command to open the logging action configuration:

    /system logging action

  3. Run the following command to view the existing actions:

    print

  4. Look for the entry named "remote". This is the action that forwards logs to a remote syslog server.
  5. Point that action at your Log360 Cloud agent, replacing Log360CloudAgentIP with the agent's IP address:

    set [find name=remote] remote=<Log360CloudAgentIP> remote-port=514

  6. Run the following to verify:

    print

  7. Ensure the remote address is correctly updated and remote-port is set to 514 (the default syslog port, the same value used in the web interface steps above).
  8. Navigate to the logging rules section:

    /system logging

  9. Print the current logging rules:

    print

  10. Identify the rule numbers from the topics listed and use those numbers to assign the remote action. Example (sending all logs to remote):

    set action=remote 0,1,2,3

  11. Run the following to verify that the action fields are now set to remote:

    print
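What the router forwards is plain RFC 3164 (BSD syslog) text, and the BSD Syslog setting on the remote action decides whether each line carries a timestamp. The checker below is an added example, not part of this document or of Log360 Cloud; it assumes a line layout of <PRI>, optional BSD timestamp, hostname, comma-separated RouterOS topics and message, and runs on constructed sample lines.

```python
import re

# RFC 3164 severity names indexed by PRI % 8 (the "Severity events" levels).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Assumed layout: <PRI>, optional BSD timestamp, hostname, RouterOS topics, message.
_BSD = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) )?"
    r"(?P<host>\S+) (?P<topics>[a-z,]+) (?P<msg>.*)$")

def parse_line(line):
    """Parse one forwarded line into a dict; None if it is not a valid RFC 3164 message."""
    m = _BSD.match(line.strip())
    if not m or int(m.group("pri")) > 191:  # PRI = facility*8 + severity, max 191
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),  # None when the router sent no BSD timestamp
        "host": m.group("host"),
        "topics": m.group("topics").split(","),
        "message": m.group("msg"),
    }

def check_forwarding(lines):
    """Count parsed/unparsed lines, lines lacking a timestamp, and events per severity."""
    summary = {"parsed": 0, "unparsed": 0, "missing_timestamp": 0, "by_severity": {}}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            summary["unparsed"] += 1
            continue
        summary["parsed"] += 1
        if ev["timestamp"] is None:
            summary["missing_timestamp"] += 1
        sev = ev["severity"]
        summary["by_severity"][sev] = summary["by_severity"].get(sev, 0) + 1
    return summary

# Constructed sample lines (not real captures); the third one carries no timestamp,
# which is the symptom of forwarding with BSD Syslog disabled on the remote action.
SAMPLE_LINES = [
    "<134>Jan  5 10:21:07 MikroTik system,info,account user admin logged in from 192.0.2.10 via ssh",
    "<131>Jan  5 10:21:09 MikroTik system,error,critical login failure for user root from 192.0.2.77 via ssh",
    "<134>MikroTik firewall,info forward: in:ether1 out:ether2, proto TCP (SYN), 192.0.2.5:51234->198.51.100.9:443",
]
```

Running check_forwarding over a capture from the agent's listening port shows a non-zero missing_timestamp count whenever BSD Syslog is still off on the router.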

Configuring in Log360 Cloud

In Log360 Cloud, the format of the logs collected from MikroTik devices is not identified automatically, because they follow the basic syslog structure (RFC 3164).

You must manually assign "MikroTik" as the log type. To do this:

  1. Log in to your Log360 Cloud console.
  2. Navigate to Settings -> Configuration -> Log Source Configuration -> Device Management -> Devices -> Syslog Devices.
  3. In the Syslog Devices page, select the devices and click the Edit icon. This opens the Update Device window.
  4. Click the Log Source Type dropdown and select MikroTik.

Audited MikroTik Events

Category                   Events
Logon events               Logins, Logoff, Failed logons
Allowed traffic            Allowed traffic
Denied traffic             Denied connections
Interface status           Interface up, Interface down
Firewall rule management   Rules added, Rules deleted, Rules modified
User account management    Users added, Users modified, Users deleted, Group added, Group deleted, Group modified
DHCP events                DHCP lease assignment, DHCP lease acquisition
DNS events                 DNS configuration changes, Resolved DNS queries
Routing events             Static route management, Policy based route management, Route table management
System events              Configuration changes, Clock update, System reboot
Severity events            Warning events, Debug events, Notice events, Error events, Critical events, Emergency events, Alert events

Viewing MikroTik reports

To view MikroTik reports, navigate to the Reports tab and select MikroTik from the Custom Reports sub-tab.

Enable MikroTik correlation rules

To view the correlation rules, navigate to the Correlation tab -> Manage Rules.

In the Manage Rules page, select MikroTik as the Rule Category to filter out the related correlation rules. You can enable them manually by selecting the rule and clicking on Activate in the Rule Status column.

Enabling MikroTik Alerts

To view the Alerts, navigate to the Alerts tab -> Manage Alert Profiles.

  1. In the Manage Alert Profiles page, select Custom Alert Profiles as the Alert Profile Type. Click the search icon and enter MikroTik to filter the alert profile(s). Select the profile(s) and click the green check mark (Enable) icon to enable them.
  2. To associate the log source, click the Edit icon to open the Edit Alert Profile window. In the Log Source field, click the add button and select the configured MikroTik log source. Click Update to save the changes.