Lumu Log Forwarder MikroTik Configuration
Requirements
- MikroTik Router OS 6 or newer.
- A configured Log Forwarder Agent.
Configure MikroTik to Send Metadata to Lumu Log Forwarder
You will need to configure MikroTik in order to receive logs from Log Forwarder. You will need the following:
- An Action of the Remote type
- A Rule of the Firewall type
- Optionally, you can also add an Action Prefix.
You will learn how to setup MikroTik with these requirements in the next section. If you are familiar with MikroTik and this process, feel free to consult the MikroTik documentation directly.
Creating a Remote Action
1. First, login to your RouterOS.2. Head to the left side panel. Click on System(1) to open the menu. Then, click on Logging(2).3. In the panel that activates, locate the Actions(1) tab and click on it. Then, click on the Add New(2) button to add a new Action.You can modify the already existing “remote” action, but we strongly suggest you create a new one to avoid any possible configuration conflicts.4. The Action creation form will open. Here you will need to:a. Provide a meaningful Name(1) for the Action. For this example, we will use the “Lumu” name.b. Select the remote option from the Type(2) dropdown.c. Input the address of the Virtual Appliance or Log Forwarder agent you want to receive logs from under the Remote Address(3) field.d. Input the corresponding port for the remote address of the Virtual Appliance or Log Forwarder agent you want to receive logs from under the Remote Port(4) field.e. Check the BSD Syslog(5) box.f. Select the syslog option from the Syslog Facility(6) dropdown.g. Once you’re done, click on Apply(7).
Creating a Firewall Rule
1. Return to the Logging panel (follow the Step 2 of this section). This time, click on the Rules(1) tab. As before, click on the Add New(2) button to create a new Rule.2. The Action creation form will open. First, make sure that the Enabled box is ticked. Then, under the Topics(1) dropdown menu, choose the firewall option. Under the Action dropdown menu, choose the name of the Action you created in Step 3a of the Creating a Remote Action section. Since that example had the “Lumu” name, here it will show up as Lumu.When you’re done, click on Apply(3).
Creating an Action Prefix (Optional)
By default, MikroTik does not include in its logs the action that the firewall took on a connection (allowing it through, denying it, etc.). While there is no standard way to add this valuable information to the logs, it is possible to add a custom prefix to the log to help with information gathering and sorting.
1. On the left panel, click on IP(1) to open the menu. Then, click on the Firewall to open the Firewall submenu.
2. Locate the firewall rule to which you want to add the prefix to. If you want to add the prefix to multiple rules, you will have to repeat the process for each one of them. In this case, as an example, we will use the rule called "Lumu Test Rule". Click on the rule to access its configuration.
3. The Rule Settings dialog will open. At the bottom, go to the Action submenu. Here, you will see the Action(1) dropdown menu. When you click on it, a series of actions for the firewall rule will be listed. Select the action you want this firewall action to take. Then, type the prefix you want that action to have in the Log Prefix(2) field.. When you’re done, click on Apply.
It is strongly recommended that the prefix you type in matches the Action you selected.
Related Articles
Collect MikroTik Firewall Metadata with Lumu VA
Requirements MikroTik Router OS 6 or newer. Have admin access to create a new Forwarding configuration. Have the most recent version of the Lumu Virtual Appliance installed. These are the general steps you should follow to configure a syslog server ...Deploy Collectors with Log Forwarder for Linux
The Lumu Log Forwarder Agent is available for Linux-based operating systems. In this article, you will find the installation procedures, both automatic and manual, for all the supported distributions. Log Forwarder is designed to streamline the data ...Deploy Collectors with Log Forwarder for Windows
Log Forwarder is designed to streamline the data collection processes from third party data collection services. While not as optimized as a fully-fledged Virtual Appliance deployment, it is a great alternative for fast and accessible deployment. ...Collect Firewall Metadata with Lumu VA and Huawei USG Firewall
Requirements A Huawei USG Firewall device. Have admin access to create a new Forwarding configuration. Have the most recent version of the Lumu Virtual Appliance installed. These are the general steps you should follow to configure a syslog server on ...Lumu Log Forwarder FortiGate Configuration
In scenarios where all your FortiGate deployment logs are centralized within a FortiAnalyzer, you can use it to accelerate the deployment of Lumu and forward all firewall logs at once using the FortiAnalyzer data collection capabilities from Lumu. ...