crowdsecurity / hub

Main repository for crowdsec scenarios/parsers
https://hub.crowdsec.net

Bug found in a1ad/mikrotik-logs #725

Open VA2XJM opened 1 year ago

VA2XJM commented 1 year ago

@a1ad This one is for you.

I troubleshot the a1ad/mikrotik-logs parser on a ROS 7.9 VM. Nothing was parsing using the original parser: `%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* %{DATA:tag} input: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, len %{INT:length}`

To make it work, I had to remove the `.*` between the hostname and the tag, as follows: `%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{DATA:tag} input: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, len %{INT:length}`

It then began to work properly.

I don't know if it is a log format change on the Mikrotik side or not. It may be necessary to keep both versions for compatibility purposes.

lucius-the commented 1 month ago

Actually, in my setup (ROS 7.15.2) that doesn't work either. This (finally) works, updated in the file `/etc/crowdsec/parsers/s01-parse/mikrotik-logs.yaml`:

```yaml
pattern_syntax:
  MIKROTIK_FIREWALL_DROP: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{DATA:tag} .*: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, .*, len %{INT:length}"
```

Please note that I don't have a rule on "input", so I added `.*: in:` after the DATA tag. That should catch any chain, not just input.
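To see why the three patterns in this thread behave differently, here is an added example (not code from the hub parser, crowdsec's grok engine, or either commenter) that expands each grok pattern into a Python regex and runs it over constructed MikroTik firewall lines. The base patterns (`TIMESTAMP_ISO8601`, `HOSTNAME`, `DATA`, `MAC`, `WORD`, `IP`, `INT`) are simplified stand-ins for the ones crowdsec ships, the sample log lines are constructed rather than captured from a router, and unanchored matching is an assumption about how the real grok library searches.

```python
import re

# Simplified stand-ins for the grok base patterns referenced by the three
# candidate MIKROTIK_FIREWALL_DROP patterns. Assumption: crowdsec's bundled
# grok library defines these more strictly (IPv6, stricter hostnames); these
# are enough to compare the patterns' structure against sample lines.
GROK_BASE = {
    "TIMESTAMP_ISO8601": r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2})?(?:\.\d+)?(?:Z|[+-]\d{2}:?\d{2})?",
    "HOSTNAME": r"[A-Za-z0-9][A-Za-z0-9._-]*",
    "DATA": r".*?",
    "MAC": r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}",
    "WORD": r"\w+",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "INT": r"[+-]?\d+",
}

_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> "re.Pattern[str]":
    """Expand %{NAME:field} into a named group and %{NAME} into a plain group.
    Everything outside %{...} is passed through as regex, like grok does."""
    def expand(m: "re.Match[str]") -> str:
        base = GROK_BASE[m.group(1)]
        field = m.group(2)
        return f"(?P<{field}>{base})" if field else f"(?:{base})"
    return re.compile(_GROK_REF.sub(expand, pattern))


def grok_match(pattern: str, line: str):
    """Return the captured fields, or None when the line does not match.
    Assumption: unanchored search, as grok libraries typically do."""
    m = grok_to_regex(pattern).search(line)
    return m.groupdict() if m else None


# The three patterns from the thread, verbatim.
PATTERNS = {
    "original": r"%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* %{DATA:tag} input: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, len %{INT:length}",
    "va2xjm": r"%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{DATA:tag} input: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, len %{INT:length}",
    "lucius": r"%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} %{DATA:tag} .*: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, .*, len %{INT:length}",
}

# Constructed sample lines (not captured from a real router). The first has no
# rule log-prefix and no NAT field, the second carries a log-prefix "DROP"
# between the topics and the chain, the third is a forward-chain hit with an
# extra "NAT (...)" field before "len".
LINE_INPUT = (
    "2023-06-12T10:15:01 router1 firewall,info input: in:ether1 out:(unknown 0), "
    "connection-state:new src-mac 00:11:22:33:44:55, proto TCP (SYN), "
    "203.0.113.5:51234->192.0.2.10:22, len 60"
)
LINE_INPUT_PREFIX = (
    "2023-06-12T10:15:02 router1 firewall,info DROP input: in:ether1 out:(unknown 0), "
    "connection-state:new src-mac 00:11:22:33:44:55, proto UDP, "
    "203.0.113.5:4444->192.0.2.10:53, len 48"
)
LINE_FORWARD_NAT = (
    "2024-07-20T08:30:45 router1 firewall,info forward: in:ether1 out:bridge, "
    "connection-state:new src-mac 00:11:22:33:44:55, proto TCP (SYN), "
    "203.0.113.5:51234->192.0.2.10:443, NAT (203.0.113.5:51234->10.0.0.5:443), len 60"
)


def which_patterns_match(line: str) -> dict:
    """Map each pattern name to its captured fields (None when it misses)."""
    return {name: grok_match(pat, line) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    samples = [("input", LINE_INPUT), ("input+prefix", LINE_INPUT_PREFIX), ("forward+nat", LINE_FORWARD_NAT)]
    for label, line in samples:
        hits = {n: (f["tag"] if f else None) for n, f in which_patterns_match(line).items()}
        print(f"{label:13s} {hits}")
```

Run on these constructed lines, the original pattern only matches when something sits between the topics and the chain name (its `.*` swallows `firewall,info` and `tag` becomes the log-prefix `DROP`), VA2XJM's pattern matches both `input:` lines but nothing on another chain, and lucius-the's pattern matches any chain but only when an extra comma-separated field precedes `len`, so it misses the plain lines. Whichever variant gets merged, the check a maintainer wants is a fixture covering all three shapes; on a live host, `cscli explain --log '<line>' --type <acquisition type>` shows which stage consumed a line.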