Log
RouterOS maintains a log of system events, errors, and traffic information. Every log message carries one or more topics (facility and severity tags) that identify its origin and importance. You control what gets logged and where it goes by configuring rules (what topics to capture) and actions (where to send the output — memory, disk, remote syslog server, or email).
Summary
RouterOS logging uses two menus:
| Menu | Purpose |
|---|---|
| /system logging | Rules — which topics to capture and which action to send them to |
| /system logging action | Actions — destinations for captured messages (memory, disk, remote, email, echo) |
The /log menu provides read-only access to messages stored in memory by the default memory action.
Viewing Logs
Sub-menu path: /log
Log entries stored in memory can be viewed in the CLI or WinBox.
```
# Print all logs (paged)
/log print

# Print without paging (useful for scripting)
/log print without-paging

# Follow live log output (Ctrl+C to stop)
/log print follow

# Filter by topic
/log print where topics~"error"
/log print where topics~"warning|critical"
/log print follow where topics~"firewall"

# Filter by message content
/log print where message~"login failed"
/log print where message~"192.168.1"
```
WinBox
Open the Log window from the main menu. Use the search/filter bar at the top to narrow entries by topic or message text. Color coding highlights different severity levels.
Log Entry Format
Each log entry contains three fields:
| Field | Description |
|---|---|
| time | Timestamp of the event (wall clock or uptime if clock is not set) |
| topics | Comma-separated list of topic tags, e.g. system,info,account |
| message | Human-readable description of the event |
A configured prefix on a logging rule prepends a custom tag to the message, useful for identifying which rule captured a message.
Logging Rules
Sub-menu path: /system logging
Rules define which messages to capture and where to send them. Each rule matches log messages by topic and forwards them to a named action.
Rule Properties
| Property | Description |
|---|---|
| topics | Comma-separated list of topics to match. Multiple topics in one rule behave as OR — any matching topic triggers the rule. Prefix a topic with ! to exclude it. |
| action | Name of the logging action (destination) to send matched messages to |
| prefix | Optional string prepended to each message matched by this rule |
Topics
Topics identify the source or severity of a log message. A single log entry can carry multiple topics simultaneously (e.g. dhcp,info).
Severity topics (apply to all subsystems):
| Topic | Description |
|---|---|
| debug | Verbose diagnostic output |
| info | Normal operational events |
| warning | Conditions that may require attention |
| error | Errors that affect functionality |
| critical | Severe errors requiring immediate attention |
Facility topics (common subsystems):
| Topic | Description |
|---|---|
| account | User login and authentication events |
| bgp | BGP routing protocol |
| caps | CAPsMAN controller events |
| dhcp | DHCP server and client |
| dns | DNS resolver |
| firewall | Firewall rule matches (requires log=yes on firewall rules) |
| interface | Interface state changes |
| ipsec | IPsec/IKE negotiation |
| ospf | OSPF routing protocol |
| ppp | PPP/PPPoE connections |
| rip | RIP routing protocol |
| script | Script execution output |
| snmp | SNMP requests |
| system | General system events |
| wireless | Wi-Fi client associations, roaming, authentication |
Topics can be combined: topics=firewall,warning matches messages tagged with both firewall AND warning.
Default Rules
RouterOS ships with default logging rules that send common topics to the memory action:
```
# View default rules
/system logging print
```
Default rules typically capture info, warning, error, and critical topics to the built-in memory buffer.
Creating Custom Rules
```
# Log all firewall matches to memory with a prefix
/system logging add topics=firewall action=memory prefix=FW

# Log DHCP events separately
/system logging add topics=dhcp action=memory prefix=DHCP

# Log wireless events
/system logging add topics=wireless action=memory prefix=WLAN

# Log only critical and error-level OSPF events to remote syslog
/system logging add topics=ospf,error action=remote
/system logging add topics=ospf,critical action=remote

# Exclude debug from a catch-all rule
/system logging add topics=!debug action=memory
```
Logging Actions
Sub-menu path: /system logging action
Actions define destinations for log messages. RouterOS includes several built-in actions and supports creating custom ones.
Action Types
| Target | Description |
|---|---|
| memory | Stores messages in a RAM buffer, accessible via /log print |
| disk | Writes messages to a file on router storage |
| remote | Sends messages to an external syslog server (UDP, RFC 3164/BSD syslog) |
| echo | Prints messages to the console/terminal |
| email | Sends messages via email (requires /tool e-mail configured) |
Memory Action
| Property | Description |
|---|---|
| name | Action identifier |
| target | memory |
| memory-lines | Number of log lines to keep in the buffer (default: 1000) |
| memory-stop-on-full | If yes, stop logging when buffer is full instead of rotating |
```
# Create a dedicated memory buffer for DHCP logs
/system logging action add name=dhcpLog target=memory memory-lines=500

# Bind DHCP topics to it
/system logging add topics=dhcp action=dhcpLog
```
Disk (File) Action
Logs to a file on the router’s local storage. The directory specified in disk-file-name must already exist — RouterOS will not create directories automatically.
| Property | Description |
|---|---|
| name | Action identifier |
| target | disk |
| disk-file-name | Path and base filename for the log file |
| disk-lines-per-file | Maximum lines per file before rotation |
| disk-file-count | Number of rotated files to keep |
| disk-stop-on-full | Stop logging when storage is full |
```
# Create a disk logging action
/system logging action add \
    name=diskLog \
    target=disk \
    disk-file-name=router \
    disk-lines-per-file=1000 \
    disk-file-count=10

# Log warnings and above to disk
/system logging add topics=warning action=diskLog
/system logging add topics=error action=diskLog
/system logging add topics=critical action=diskLog
```
Echo Action
Prints log messages directly to the active terminal/console. Useful during live troubleshooting sessions.
```
# Echo is a built-in action — just create a rule pointing to it
/system logging add topics=debug,wireless action=echo
```
Remote Syslog Action
Forwards log messages to an external syslog server using the BSD syslog protocol (RFC 3164, UDP). This is the primary method for centralizing logs from multiple routers.
| Property | Description |
|---|---|
| name | Action identifier |
| target | remote |
| remote | IP address of the syslog server |
| remote-port | UDP port (default: 514) |
| bsd-syslog | Use BSD syslog framing (yes/no) |
| syslog-facility | Syslog facility code to use when forwarding |
| syslog-severity | Override the severity in outgoing messages |
Common syslog facility values:
| Facility | Name |
|---|---|
| kernel | kernel messages |
| user | user-level messages |
| mail | mail system |
| daemon | system daemons |
| auth | security/authentication messages |
| syslog | messages generated internally by syslogd |
| local0–local7 | locally defined facilities (commonly used for network devices) |
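A collector-side check for the remote action settings above, as an added example that is not part of the RouterOS documentation: it decodes the RFC 3164 `<PRI>` value into facility and severity and flags datagrams whose facility differs from the configured syslog-facility. The sample datagrams, the hostname edge-rtr, and the assumption that a rule prefix (AUTH, FW, CRIT, ERR) appears as the first token of the message are constructed for illustration.

```python
import re

# RFC 3164 facility and severity names, indexed by numeric code.
FACILITIES = ["kernel", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "audit",
              "alert", "clock"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]

# <PRI>, "Mmm dd hh:mm:ss" timestamp, hostname, then the message text.
BSD_LINE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

def parse_bsd_syslog(datagram: bytes, expected_facility: str = "local0") -> dict:
    """Decode one datagram; raise ValueError if it is not RFC 3164 shaped."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = BSD_LINE.match(text)
    # local7 (23) * 8 + 7 = 191 is the highest valid PRI.
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a BSD syslog line")
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    # Assumption: the logging rule prefix (AUTH, FW, ...) leads the message.
    head, _, rest = m.group(4).partition(" ")
    known = head.rstrip(":") in {"AUTH", "FW", "CRIT", "ERR"}
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m.group(2),
        "host": m.group(3),
        "prefix": head.rstrip(":") if known else None,
        "message": rest if known else m.group(4),
        "facility_ok": FACILITIES[facility] == expected_facility,
    }

# Constructed sample datagrams (not captured from a real router).
SAMPLES = [
    b"<134>Jan  5 10:15:02 edge-rtr AUTH: login failed for user admin from 192.0.2.77",
    b"<132>Jan  5 10:15:09 edge-rtr FW: input: in:ether1 proto TCP, 192.0.2.77:51514->198.51.100.1:22",
    b"<14>Jan  5 10:15:11 edge-rtr AUTH: login failed for user root from 192.0.2.77",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        rec = parse_bsd_syslog(raw)
        flag = "" if rec["facility_ok"] else "  <-- unexpected facility"
        print(rec["facility"], rec["severity"], rec["prefix"], rec["message"] + flag)
```

RFC 3164 over UDP carries no sender authentication, so a facility or format mismatch is a cheap signal that a datagram did not come from a router configured as described here.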
Email Action
Sends log messages via email. Requires /tool e-mail to be configured with SMTP server details.
```
# Configure SMTP settings first

# Create a custom email logging action
/system logging action add name=emailAction target=email

# Add a rule to send critical events by email
/system logging add topics=critical action=emailAction
```
Remote Syslog Configuration
Sending logs to a central syslog server is the recommended approach for production routers. It provides longer retention, correlation across devices, and alerting without storing logs on the router itself.
Basic Remote Syslog Setup
```
# Step 1: Create a remote logging action
/system logging action add \
    name=to-syslog \
    target=remote \
    remote=192.0.2.10 \
    remote-port=514 \
    bsd-syslog=yes \
    syslog-facility=local0

# Step 2: Create rules to forward relevant topics
/system logging add topics=info action=to-syslog
/system logging add topics=warning action=to-syslog
/system logging add topics=error action=to-syslog
/system logging add topics=critical action=to-syslog
```
Forwarding Security-Relevant Topics Only
For SIEM integration or security monitoring, forward only the topics relevant to security events:
```
/system logging add topics=account action=to-syslog prefix=AUTH
/system logging add topics=firewall action=to-syslog prefix=FW
/system logging add topics=critical action=to-syslog prefix=CRIT
```
Using a Non-Standard Port
Some syslog collectors (e.g., Graylog, Logstash) listen on custom ports:
```
/system logging action add \
    name=to-graylog \
    target=remote \
    remote=10.10.1.50 \
    remote-port=5514 \
    bsd-syslog=yes \
    syslog-facility=local1
```
Examples
Complete Security Logging Setup
This example configures local disk logging for retention and remote syslog for real-time monitoring:
```
# 1. Create disk action for local retention
/system logging action add \
    name=secDisk \
    target=disk \
    disk-file-name=security \
    disk-lines-per-file=2000 \
    disk-file-count=10

# 2. Create remote syslog action
/system logging action add \
    name=secRemote \
    target=remote \
    remote=10.0.0.50 \
    remote-port=514 \
    bsd-syslog=yes \
    syslog-facility=local0

# 3. Log security topics to both destinations
/system logging add topics=account action=secDisk prefix=AUTH
/system logging add topics=firewall action=secDisk prefix=FW
/system logging add topics=critical action=secDisk prefix=CRIT
/system logging add topics=error action=secDisk prefix=ERR

/system logging add topics=account action=secRemote prefix=AUTH
/system logging add topics=firewall action=secRemote prefix=FW
/system logging add topics=critical action=secRemote prefix=CRIT
/system logging add topics=error action=secRemote prefix=ERR
```
Temporary Debug Logging
Enable verbose debug logging during troubleshooting, then clean it up:
```
# Enable debug logging temporarily
/system logging add topics=wireless,debug action=memory prefix=DBG-WIFI

# Reproduce the issue, then search logs (both conditions must match)
/log print where topics~"wireless" message~"association"

# Remove the debug rule when done
/system logging remove [find prefix=DBG-WIFI]
```
Separate Memory Buffers per Subsystem
```
# Create dedicated memory buffers
/system logging action add name=bufDhcp target=memory memory-lines=500
/system logging action add name=bufWireless target=memory memory-lines=1000
/system logging action add name=bufFirewall target=memory memory-lines=2000

# Bind topics to each buffer
/system logging add topics=dhcp action=bufDhcp prefix=DHCP
/system logging add topics=wireless action=bufWireless prefix=WLAN
/system logging add topics=firewall action=bufFirewall prefix=FW
```
Related Information
- Syslog with Elasticsearch — Centralized log analysis using Elastic Stack
- Netwatch — Monitor host availability and trigger scripts on state changes
- SNMP — Alternative monitoring protocol for metrics collection
- Traffic Flow — NetFlow/IPFIX export for traffic analytics