Collect MikroTik Firewall Metadata with Lumu VA

Requirements

  • MikroTik Router OS 6 or newer.
  • Have admin access to create a new Forwarding configuration.
  • Have the most recent version of the Lumu Virtual Appliance installed.
These are the general steps you should follow to configure a syslog server on MikroTik to send all firewall metadata to Lumu:

Notes
To set up Lumu Log Forwarder for MikroTik, head to this document

Deploy and Set Up Lumu VA

All the detailed steps and guidance to create, download and install a virtual appliance on your preferred hypervisor or Cloud solution are available in our documentation:
  1. Deploy Virtual Appliances
  2. Configure Virtual Appliances and set up collectors.

Set up a Lumu VA Firewall Log Collector

Go to the Lumu Virtual Appliance and refresh the VA Collectors settings by running the command lumu-appliance collectors refresh. If the appliance is running, it must be stopped in order to continue the setup process.

Select the option that refers to MikroTik Firewall, then input the following data:
  1. Protocol type: Select the UDP option. MikroTik uses the UDP protocol to send syslog data.
  2. Port number: Provide a number between 1024 and 65535, inclusive.
  3. Timezone: The timezone for VA setup. Use the canonical ID (e.g. America/Chicago). You can use this external article for reference.

Configure Mikrotik to Send Metadata to Lumu VA

To send logs to the Virtual Appliance, MikroTik needs the following:
  • An Action of the Remote type
  • A Rule of the Firewall type
  • Optionally, an Action Prefix.
You will learn how to set up MikroTik with these requirements in the next section. If you are familiar with MikroTik and this process, feel free to consult the MikroTik documentation directly.

Creating a Remote Action

1. First, login to your RouterOS.

2. Head to the left side panel. Click on System(1) to open the menu. Then, click on Logging(2).

3. In the panel that activates, locate the Actions(1) tab and click on it. Then, click on the Add New(2) button to add a new Action.

Notes
You can modify the already existing “remote” action, but we strongly suggest you create a new one to avoid any possible configuration conflicts.
4. The Action creation form will open. Here you will need to:
a. Provide a meaningful Name(1) for the Action. For this example, we will use the “Lumu” name.
b. Select the remote option from the Type(2) dropdown.
c. Input the address of the Virtual Appliance you want to receive logs from under the Remote Address(3) field.
d. Input the corresponding port for the remote address of the Virtual Appliance you want to receive logs from under the Remote Port(4) field.
e. Check the BSD Syslog(5) box.
f. Select the syslog option from the Syslog Facility(6) dropdown.
g. Once you’re done, click on Apply(7).

Creating a Firewall Rule

1. Return to the Logging panel (follow Step 2 of the Creating a Remote Action section). This time, click on the Rules(1) tab. As before, click on the Add New(2) button to create a new Rule.

2. The Rule creation form will open. First, make sure that the Enabled box is ticked. Then, under the Topics(1) dropdown menu, choose the firewall option. Under the Action(2) dropdown menu, choose the name of the Action you created in Step 4a of the Creating a Remote Action section. Since that example used the “Lumu” name, here it will show up as Lumu.
When you’re done, click on Apply(3).

Creating an Action Prefix (Optional)

By default, MikroTik does not include in its logs the action that the firewall took on a connection (allowing it through, denying it, etc.). While there is no standard way to add this valuable information to the logs, it is possible to add a custom prefix to the log to help with information gathering and sorting.

1. On the left panel, click on IP(1) to open the menu. Then, click on Firewall to open the Firewall submenu.

2. Locate the firewall rule to which you want to add the prefix. If you want to add the prefix to multiple rules, you will have to repeat the process for each one of them. In this case, as an example, we will use the rule called "Lumu Test Rule". Click on the rule to access its configuration.

3. The Rule Settings dialog will open. At the bottom, go to the Action submenu. Here, you will see the Action(1) dropdown menu. When you click on it, the available actions for the firewall rule will be listed. Select the action you want this firewall rule to take. Then, type the prefix you want that action to have in the Log Prefix(2) field. When you’re done, click on Apply.
Notes
It is strongly recommended that the prefix you type in matches the Action you selected.
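The three procedures above (Remote Action, Firewall Rule and the optional Action Prefix) can also be applied from the RouterOS terminal. The following is an added example written for this page, not configuration taken from the Lumu article or from MikroTik; the VA address 192.0.2.10, the UDP port 5140, the rule comment "Lumu Test Rule" and the assumption that this rule already drops traffic are placeholders chosen for the example.

```routeros
# Added example (not from the Lumu article): RouterOS CLI equivalent of the
# WebFig/WinBox steps above. 192.0.2.10 stands for the Lumu VA address and
# 5140 for the UDP port chosen when the MikroTik Firewall collector was created.

# 1. Remote action ("Creating a Remote Action", steps 4a-4g). A new action
#    named Lumu is created instead of editing the built-in "remote" action.
/system logging action add name=Lumu target=remote remote=192.0.2.10 remote-port=5140 bsd-syslog=yes syslog-facility=syslog

# 2. Logging rule that forwards the firewall topic to that action
#    ("Creating a Firewall Rule").
/system logging add topics=firewall action=Lumu disabled=no

# 3. Optional log prefix on a firewall filter rule ("Creating an Action Prefix").
#    The rule is located by its comment ("Lumu Test Rule" is an assumption).
#    The rule is assumed to already use action=drop, so the prefix is set to
#    the same word as the action, as the article recommends.
/ip firewall filter set [find comment="Lumu Test Rule"] log=yes log-prefix="drop"

# Verification: confirm the action and rule exist, then confirm that firewall
# events are actually being generated on the router.
/system logging action print where name=Lumu
/system logging print where action=Lumu
/log print where topics~"firewall"
```

If no `firewall` entries appear in `/log print`, the forward to the VA will also be empty: only filter rules with `log=yes` produce firewall log events, so at least one rule must log before the collector receives anything. Because the forward is plain UDP syslog, keep the VA on a network the router can reach directly; on a router with several addresses, `src-address=` on the logging action pins the source the VA will see.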

