Syslog with Elasticsearch
| Configuration Guide | md-a5kj5 |
|---|---|
| Date | February 13, 2026 |
| RouterOS Version | 7.x |
| Elasticsearch Version | 8.x |
Overview
Elasticsearch is a powerful NoSQL database that can store and analyze log data from RouterOS devices. Combined with Kibana, it provides a comprehensive solution for centralized logging, searching, and visualization of MikroTik router logs.
This guide covers setting up syslog collection from RouterOS devices to Elasticsearch using the syslog protocol (RFC 5424).
Prerequisites
- RouterOS v7.x device
- Elasticsearch 8.x installed (single node or cluster)
- Kibana 8.x for visualization
- Network connectivity between RouterOS and Elasticsearch on syslog port (UDP/TCP 514)
Elastic Configuration
1. Configure Syslog Input
In Elasticsearch 8.x, you need to enable the syslog input in elasticsearch.yml:

```yaml
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true

# Syslog input (UDP)
ingest.geoip.downloader.enabled: false
```

2. Install Syslog Pipeline
Create an ingest pipeline for syslog parsing. The date processor writes the parsed time to @timestamp; the raw BSD timestamp string is then removed so it does not collide with the date mapping in the index template (syslog pads single-digit days with two spaces, hence the second format):

```
# Create syslog ingest pipeline
PUT _ingest/pipeline/syslog
{
  "description": "Parse RouterOS syslog messages",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{DATA:program}: %{GREEDYDATA:message}"
        ]
      }
    },
    {
      "date": {
        "field": "timestamp",
        "target_field": "@timestamp",
        "formats": ["MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]
      }
    },
    {
      "remove": {
        "field": "timestamp"
      }
    }
  ]
}
```

3. Create Index Template

```
# Create index template for RouterOS logs
PUT _index_template/routeros-syslog
{
  "index_patterns": ["routeros-logs-*"],
  "template": {
    "mappings": {
      "properties": {
        "@timestamp": {"type": "date"},
        "host": {"type": "keyword"},
        "program": {"type": "keyword"},
        "message": {"type": "text"},
        "topic": {"type": "keyword"},
        "router": {"type": "keyword"}
      }
    }
  }
}
```

4. Configure Filebeat (Recommended Alternative)
Instead of direct syslog ingestion, use Filebeat. Each syslog input listens on one protocol, so UDP and TCP are separate inputs, and a custom index name requires setup.template.name and setup.template.pattern to be set:

```yaml
filebeat.inputs:
- type: syslog
  protocol.udp:
    host: "0.0.0.0:514"
- type: syslog
  protocol.tcp:
    host: "0.0.0.0:514"

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "routeros-logs-%{[agent.version]}"

# Required whenever output.elasticsearch.index is customised
setup.template.name: "routeros-logs"
setup.template.pattern: "routeros-logs-*"
```

Enable the syslog module:

```shell
filebeat modules enable syslog
```

RouterOS Configuration
1. Create Syslog Action

```
# Create syslog action pointing to Elasticsearch server
/system logging action
add name="elastic" remote=10.0.0.100 remote-port=514 \
    syslog-facility=local0 syslog-severity=info target=remote
```

2. Configure Logging Topics

```
# Add logging rules for topics you want to send to Elasticsearch
/system logging
add action=elastic topics=info
add action=elastic topics=warning
add action=elastic topics=error
add action=elastic topics=critical
add action=elastic topics=system
add action=elastic topics=firewall
add action=elastic topics=accounting
```

3. Verify Configuration

```
# Check logging configuration
/system logging print

# Test syslog UDP port connectivity
/ping 10.0.0.100 protocol=udp port=514 count=3
```

Using Kibana
1. Access Kibana
Open Kibana in your browser and navigate to Discover or create a new index pattern.
2. Create Index Pattern
- Go to Stack Management → Index Patterns
- Create index pattern: routeros-logs-*
- Set @timestamp (or timestamp) as the time field
3. Create Visualizations
Search for Specific Topics

```
program:firewall AND message:drop
program:dhcp
topic:error
```

Common Dashboard Panels
| Panel Type | Description | Query |
|---|---|---|
| Firewall Drops | Show dropped packets | program:firewall AND message:drop |
| Error Count | Track errors over time | topic:error |
| System Events | Router system messages | topic:system |
| Bandwidth Alerts | Traffic threshold warnings | program:traffic |
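The ingest pipeline and index template earlier in this guide define the fields the panel queries above rely on, but the grok pattern captures no topic field, and a BSD syslog timestamp carries no year. As an added example that is not part of this guide, of Elasticsearch or of Filebeat, the following Python reproduces the pipeline's parsing step on constructed datagrams: it decodes the leading PRI value into facility and severity, applies a regular expression equivalent to the grok pattern, resolves the year the way a collector must (a timestamp that would land in the future belongs to the previous year), and derives topic by splitting the comma-joined RouterOS topics. The sample lines, the hostnames, the choice to set router to the syslog hostname, and the reference time are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample datagrams in the layout the guide's grok pattern expects
# (optional <PRI>, BSD timestamp, hostname, "topics: message"). They were not
# captured from a real router.
SAMPLE_LINES = [
    "<134>Feb 13 10:15:42 core-rtr firewall,info: input: in:ether1 out:(unknown 0), "
    "proto TCP (SYN), 203.0.113.7:51234->192.0.2.1:22, len 60 drop",
    "<132>Feb  3 08:02:01 core-rtr system,error,critical: login failure for user admin "
    "from 198.51.100.9 via ssh",
    "Dec 31 23:59:59 edge-rtr dhcp,info: dhcp1 assigned 192.0.2.50 to 00:11:22:33:44:55",
    "garbage without the expected layout",
]

# Fixed "now" so the year inference below is reproducible (assumed, matches the guide's date).
REFERENCE_NOW = datetime(2026, 2, 13, 12, 0, tzinfo=timezone.utc)

SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>")
# Python equivalent of the guide's grok pattern:
# %{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:host} %{DATA:program}: %{GREEDYDATA:message}
GROK_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>[A-Za-z0-9._-]+) "
    r"(?P<program>.*?): "
    r"(?P<message>.*)$"
)


def resolve_timestamp(bsd_ts: str, now: datetime) -> Optional[str]:
    """BSD timestamps have no year: borrow it from 'now', and if that would place
    the event more than a day in the future, the event is from last year."""
    fields = " ".join(bsd_ts.split())  # collapse the double space before single-digit days
    for year in (now.year, now.year - 1):
        try:
            stamp = datetime.strptime(f"{year} {fields}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue  # e.g. "Feb 29" in a year that is not a leap year
        stamp = stamp.replace(tzinfo=timezone.utc)
        if stamp <= now + timedelta(days=1):
            return stamp.isoformat()
    return None


def parse_routeros_syslog(line: str, now: Optional[datetime] = None) -> Optional[dict]:
    """Turn one raw datagram into a document shaped like the guide's index template.
    Returns None where the grok processor would fail, so the caller can route
    the raw line to a fallback index instead of silently dropping it."""
    now = now or datetime.now(timezone.utc)
    facility = severity = None
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group("pri"))
        if pri > 191:
            return None  # facilities above 23 do not exist, treat as malformed
        facility, severity = FACILITIES[pri // 8], SEVERITIES[pri % 8]
        line = line[m.end():]
    g = GROK_RE.match(line)
    if not g:
        return None
    stamp = resolve_timestamp(g.group("timestamp"), now)
    if stamp is None:
        return None
    program = g.group("program")
    return {
        "@timestamp": stamp,
        "host": g.group("host"),
        "router": g.group("host"),      # assumption: router name is the syslog hostname
        "program": program,
        "topic": program.split(","),    # RouterOS joins topics with commas
        "message": g.group("message"),
        "facility": facility,
        "severity": severity,
    }


def parse_all(lines, now: Optional[datetime] = None):
    """Parse a batch; returns (documents, unparsed raw lines)."""
    docs, rejects = [], []
    for line in lines:
        doc = parse_routeros_syslog(line, now)
        if doc is None:
            rejects.append(line)
        else:
            docs.append(doc)
    return docs, rejects


if __name__ == "__main__":
    docs, rejects = parse_all(SAMPLE_LINES, REFERENCE_NOW)
    for d in docs:
        print(d["@timestamp"], d["host"], d["topic"], d["facility"], d["severity"])
    print("unparsed:", rejects)
```

The rejected lines are worth keeping: a grok failure in the real pipeline is the usual cause of the "Index not created" and "Missing timestamps" rows in the troubleshooting table below, and counting rejects per router is the quickest way to spot a format change after a RouterOS upgrade.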
Troubleshooting
Check Elasticsearch Received Logs

```shell
# Verify logs are being received
curl -XGET 'localhost:9200/routeros-logs-*/_search?pretty&q=*'

# Check index exists
curl -XGET 'localhost:9200/_cat/indices/routeros-logs-*'
```

RouterOS Debugging

```
# Check if syslog is being sent
/system logging print

# View local logs
/log print

# Enable debug logging temporarily
/system logging add topics=debug action=elastic
```

Common Issues
| Issue | Solution |
|---|---|
| No logs in Elasticsearch | Check firewall allows UDP/TCP 514 |
| Index not created | Verify Filebeat/ingest pipeline is running |
| Missing timestamps | Check date processor in ingest pipeline |
| High memory usage | Reduce number of logging topics or use filtering |
Network Verification
```
# Test syslog TCP port connectivity
/tool telnet 10.0.0.100 514

# Capture packets to verify sending: set the sniffer filters, start the capture,
# then inspect the captured packets and stop the sniffer so it does not keep using memory
/tool sniffer set filter-interface=ether1 filter-port=514
/tool sniffer start
/tool sniffer packet print
/tool sniffer stop
```

Security Considerations
- Enable TLS - Use syslog over TLS (RFC 5425) for encrypted transmission
- Firewall Rules - Restrict syslog port to only your Elasticsearch server
- Authentication - Consider using API keys for Filebeat authentication
- Rate Limiting - Configure appropriate logging levels to avoid log flooding
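The TLS, firewall and authentication items above can be checked mechanically in the Filebeat configuration. As an added example that is not part of this guide or of Filebeat, the following Python reproduces the guide's Filebeat settings as a dictionary beside a hardened variant and flags the weak settings: UDP listeners (no TLS, unauthenticated sender), TCP listeners without ssl.enabled, listeners bound to every interface, and an Elasticsearch output with no api_key and a non-HTTPS host. The option names are Filebeat's own; the collector address 10.0.0.100, the RFC 5425 port 6514, the certificate paths and the API key value are placeholders.

```python
from typing import Any, Dict, List

# The guide's own Filebeat settings, reproduced as a dict (constructed for this example).
WEAK_CONFIG: Dict[str, Any] = {
    "filebeat.inputs": [
        {"type": "syslog", "protocol.udp": {"host": "0.0.0.0:514"}},
        {"type": "syslog", "protocol.tcp": {"host": "0.0.0.0:514"}},
    ],
    "output.elasticsearch": {
        "hosts": ["localhost:9200"],
        "index": "routeros-logs-%{[agent.version]}",
    },
}

# Hardened variant: TCP only, TLS on the listener, bound to the collector address,
# API-key authentication to Elasticsearch over HTTPS. Paths and key are placeholders.
HARDENED_CONFIG: Dict[str, Any] = {
    "filebeat.inputs": [
        {
            "type": "syslog",
            "protocol.tcp": {
                "host": "10.0.0.100:6514",
                "ssl.enabled": True,
                "ssl.certificate": "/etc/filebeat/certs/collector.crt",  # placeholder
                "ssl.key": "/etc/filebeat/certs/collector.key",          # placeholder
            },
        }
    ],
    "output.elasticsearch": {
        "hosts": ["https://localhost:9200"],
        "api_key": "PLACEHOLDER_ID:PLACEHOLDER_KEY",
        "ssl.certificate_authorities": ["/etc/filebeat/certs/ca.crt"],  # placeholder
        "index": "routeros-logs-%{[agent.version]}",
    },
}


def expand(node: Any) -> Any:
    """Filebeat accepts 'a.b: v' and 'a: {b: v}' interchangeably; normalise to nesting
    so the checks below work on either spelling."""
    if isinstance(node, list):
        return [expand(n) for n in node]
    if not isinstance(node, dict):
        return node
    out: Dict[str, Any] = {}
    for key, value in node.items():
        parts = key.split(".")
        cur = out
        for p in parts[:-1]:
            cur = cur.setdefault(p, {})
        leaf = expand(value)
        if isinstance(leaf, dict) and isinstance(cur.get(parts[-1]), dict):
            cur[parts[-1]].update(leaf)  # merge "ssl: {...}" with "ssl.enabled: true"
        else:
            cur[parts[-1]] = leaf
    return out


def lint_filebeat(config: Dict[str, Any]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    cfg = expand(config)
    findings: List[str] = []
    for i, inp in enumerate(cfg.get("filebeat", {}).get("inputs", [])):
        if inp.get("type") != "syslog":
            continue
        for name, settings in inp.get("protocol", {}).items():
            host = str(settings.get("host", ""))
            if host.startswith("0.0.0.0:") or host.startswith(":"):
                findings.append(f"input[{i}] {name}: listener bound to all interfaces ({host}); "
                                "bind to the collector address and restrict the port by firewall")
            if name == "udp":
                findings.append(f"input[{i}] udp: UDP syslog cannot carry TLS and the sender is unauthenticated")
            elif name == "tcp" and not settings.get("ssl", {}).get("enabled", False):
                findings.append(f"input[{i}] tcp: ssl.enabled is not true, syslog travels in plaintext")
    out = cfg.get("output", {}).get("elasticsearch")
    if out is not None:
        if not out.get("api_key") and not out.get("username"):
            findings.append("output.elasticsearch: no api_key (or username), Filebeat cannot "
                            "authenticate to a cluster with xpack.security.enabled")
        for h in out.get("hosts", []):
            if not str(h).startswith("https://"):
                findings.append(f"output.elasticsearch: host {h} is not https, credentials and logs go in plaintext")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {len(lint_filebeat(cfg))} finding(s)")
        for f in lint_filebeat(cfg):
            print("  -", f)
```

The rate-limiting item is enforced on the RouterOS side by the topics you select in the logging rules rather than in Filebeat, so it is outside what this check can see.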