AlienVault® USM Anywhere™

MikroTik Router

When you configure MikroTik Router to send log data to USM Anywhere, you can use the MikroTik Router plugin to translate the raw log data into normalized events for analysis.

Device Details

Vendor: MikroTik
Device Type: Router/switch
Connection Type: Syslog

Integrating MikroTik Router

Before you configure the MikroTik Router integration, you must have the IP Address of the USM Anywhere Sensor.

To configure MikroTik Router to send Syslog messages to USM Anywhere

  1. Open a terminal session to the MikroTik Router (for example, via SSH or the Winbox terminal).
  2. Apply the following RouterOS configuration, replacing the placeholders in angle brackets with your own values:

    /system logging action
    set 0 memory-lines=100
    set 1 disk-file-count=30 disk-file-name=<your disk file_name> disk-lines-per-file=500
    set 3 remote=<USM Anywhere IP Address>

    # Add the topics to be sent to the remote syslog server.
    /system logging
    add action=remote topics=critical
    add action=remote topics=error
    add action=remote topics=info
    add action=remote topics=warning

Alternatively, you can specify the same configuration options from the Router user interface:

  1. Configure syslog to use the USM Anywhere IP Address.

    Important: To use the RFC 3164 syslog format, you must select BSD Syslog. The Syslog Facility and Syslog Severity settings must also be enabled for the syslog message parsing to function properly.

  2. Specify remote logging options.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • bytes_out
  • customfield_0
  • customheader_0
  • customheader_1
  • destination_address
  • destination_port
  • event_category
  • event_description
  • event_name
  • event_severity
  • event_subcategory
  • plugin_device
  • plugin_device_type
  • plugin_rule
  • rep_device_inbound_interface
  • rep_device_outbound_interface
  • source_address
  • source_hostname
  • source_mac
  • source_port
  • source_username
  • total_packets
  • transport_protocol
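To see how the attributes above relate to what the router actually sends, the following added example (not AlienVault's plugin code and not MikroTik's) parses RFC 3164 syslog lines in the layout RouterOS uses for firewall rule logging: the log topics first, then the optional rule log-prefix, the chain name and the packet summary. The message layout encoded in the regular expressions, the sample lines, the router hostname `gw-core` and the PRI values are all constructed assumptions for illustration, and the output keys reuse names from the field list above only where the mapping is obvious; which raw token the real plugin places in each field is not stated on this page.

```python
"""Parse MikroTik RouterOS syslog lines (RFC 3164 / BSD format) into flat fields.

Added example: the regular expressions encode an ASSUMED message layout and are
not the USM Anywhere plugin's own parsing logic.
"""
import re
from typing import Dict, List

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME MSG, where PRI = facility * 8 + severity.
PRI_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)

SEVERITY_NAMES = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

# RouterOS firewall log body (ASSUMED layout), e.g.:
#   firewall,info DROP forward: in:ether1 out:bridge1, src-mac aa:bb:cc:dd:ee:ff,
#   proto TCP (SYN), 203.0.113.45:51234->192.168.88.10:22, len 60
FW_RE = re.compile(
    r"^(?P<topics>[\w,]+) "
    r"(?:(?P<prefix>.+?) )?"                       # optional rule log-prefix
    r"(?P<chain>input|output|forward|srcnat|dstnat|prerouting|postrouting): "
    r"in:(?P<in_if>[^ ,]*) out:(?P<out_if>[^ ,]*), "
    r"(?:src-mac (?P<src_mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}), )?"
    r"proto (?P<proto>[A-Za-z0-9]+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)$"
)

# Constructed sample lines (not captured from a real device).
SAMPLE_LINES = [
    "<134>Mar 12 10:15:01 gw-core firewall,info DROP forward: in:ether1 out:bridge1, "
    "src-mac 00:0c:29:3a:b1:7e, proto TCP (SYN), 203.0.113.45:51234->192.168.88.10:22, len 60",
    "<132>Mar 12 10:15:02 gw-core firewall,warning input: in:ether1 out:(none), "
    "src-mac 00:0c:29:3a:b1:7e, proto ICMP (type 8, code 0), 203.0.113.45->192.168.88.1, len 84",
    "<134>Mar 12 10:15:03 gw-core system,info,account user admin logged in from 192.168.88.20 via winbox",
]


def parse_syslog_line(line: str) -> Dict[str, object]:
    """Return a flat dict of fields for one syslog line; raises on a non-RFC 3164 line."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group("pri"))
    msg = m.group("msg")
    event: Dict[str, object] = {
        "syslog_facility": pri // 8,
        "event_severity": SEVERITY_NAMES[pri % 8],
        "reporting_host": m.group("host"),          # the router's own hostname
        "topics": msg.split(" ", 1)[0].split(","),  # RouterOS topic list, e.g. firewall,info
        "event_description": msg,
    }
    fw = FW_RE.match(msg)
    if fw is None:
        return event                                # non-firewall topic: header fields only
    event.update({
        "event_name": fw.group("chain"),
        "rule_log_prefix": fw.group("prefix") or "",
        "rep_device_inbound_interface": fw.group("in_if"),
        "rep_device_outbound_interface": fw.group("out_if"),
        "source_mac": fw.group("src_mac"),
        "transport_protocol": fw.group("proto").lower(),
        "source_address": fw.group("src"),
        "source_port": int(fw.group("sport")) if fw.group("sport") else None,
        "destination_address": fw.group("dst"),
        "destination_port": int(fw.group("dport")) if fw.group("dport") else None,
        "bytes_out": int(fw.group("length")),
    })
    return event


def parse_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Parse a batch of lines, skipping any that are not RFC 3164 formatted."""
    events = []
    for line in lines:
        try:
            events.append(parse_syslog_line(line))
        except ValueError:
            continue
    return events


def count_by_source(events: List[Dict[str, object]]) -> Dict[str, int]:
    """Count firewall events per source address, a quick check that forwarding works."""
    counts: Dict[str, int] = {}
    for event in events:
        src = event.get("source_address")
        if src:
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for event in parsed:
        print(event)
    print(count_by_source(parsed))
```

Feeding a handful of lines captured on the sensor side through `parse_lines` is a practical way to confirm that the router is really sending BSD-format messages with a facility and severity, which is the condition the Important note above requires for parsing to work; a line that fails the `PRI_RE` header check is a sign the router is not using that format.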

Additional Resources and Troubleshooting

https://wiki.mikrotik.com/wiki/Manual:System/Log#Example:Webproxy_logging

For troubleshooting, refer to the vendor documentation:

https://wiki.mikrotik.com/wiki/Manual:Troubleshooting_tools