Logging Configuration

TL;DR (Quick Start)

For the impatient: send logs to a remote syslog server.

/system logging action set [find name=remote] remote=192.168.1.100
/system logging add action=remote topics=info
/system logging add action=remote topics=warning
/system logging add action=remote topics=error

Verify with:

/log print follow

Overview

What this does: RouterOS logging captures system events and status information for monitoring, troubleshooting, and auditing. Logs can be stored in memory (RAM), written to disk files, displayed on console, sent via email, or transmitted to remote syslog servers.

When to use this:

Real-time monitoring of router events
Troubleshooting connectivity or configuration issues
Security auditing (login attempts, firewall matches)
Centralized log collection from multiple routers
Compliance and forensic analysis via SIEM integration

Prerequisites:

Network connectivity to syslog server (for remote logging)
Email server configuration (for email alerts)
Sufficient storage space (for disk logging)

Configuration Steps

Step 1: View Current Logs

Before configuring logging, check the existing log entries stored in memory.

/log print

To monitor logs in real-time:

/log print follow

Press Ctrl+C to stop following.

Step 2: Review Default Configuration

RouterOS includes five default logging actions that cannot be deleted.

/system logging action print

Expected output:

Flags: * - default
 #   NAME    TARGET  REMOTE
 0 * memory  memory
 1 * disk    disk
 2 * echo    echo
 3 * remote  remote  0.0.0.0
 4 * email   email

View the default logging rules:

/system logging print

Step 3: Configure Remote Syslog

Set the syslog server address on the default remote action.

/system logging action set [find name=remote] remote=192.168.1.100

Important: Create separate rules for each severity level. Topics are ANDed together, so topics=info,warning,error will match nothing (no log entry has all three severities simultaneously).

/system logging add action=remote topics=info
/system logging add action=remote topics=warning
/system logging add action=remote topics=error
/system logging add action=remote topics=critical

Step 4: Verify Configuration

Confirm the logging rules are active.

/system logging print

Expected output:

Flags: X - disabled, * - default
 #   TOPICS   ACTION   PREFIX
 0 * info     memory
 1 * error    memory
 2 * warning  memory
 3 * critical echo
 4   info     remote
 5   warning  remote
 6   error    remote
 7   critical remote

Common Scenarios

Scenario: Send Specific Topics to Syslog

Route only firewall and authentication events to the syslog server.

/system logging add action=remote topics=firewall
/system logging add action=remote topics=account
/system logging add action=remote topics=ssh

Scenario: Custom Syslog Action with BSD Format

Create a dedicated syslog action with custom facility for filtering.

/system logging action add name=syslog target=remote \
    remote=192.168.1.100 remote-port=514 \
    syslog-facility=local0 syslog-severity=auto \
    syslog-time-format=bsd-syslog

/system logging add action=syslog topics=info
/system logging add action=syslog topics=error

Scenario: CEF Format for SIEM Integration (v7.18+)

Send logs in Common Event Format for SIEM systems.

/system logging action add name=siem target=remote \
    remote=10.0.0.50 remote-port=514 remote-protocol=tcp \
    remote-log-format=cef cef-event-delimiter="\r\n"

/system logging add action=siem topics=info
/system logging add action=siem topics=firewall

Scenario: Disk Logging for Persistent Storage

Store logs to disk for retention after reboot.

/system logging action add name=disk-log target=disk \
    disk-file-name=log disk-lines-per-file=1000 disk-file-count=5

/system logging add action=disk-log topics=firewall

View disk log files:

/file print where name~"log"

Scenario: USB/External Storage Logging

Avoid NAND wear by logging to external USB storage.

/system logging action add name=usb-log target=disk \
    disk-file-name=usb1/router-log disk-lines-per-file=5000 disk-file-count=10

/system logging add action=usb-log topics=firewall
/system logging add action=usb-log topics=web-proxy

Scenario: Email Alerts for Critical Events

Receive email notifications for critical system events.

First, configure the email server:

/tool e-mail set server=smtp.example.com port=587 \
    start-tls=yes user=alerts@example.com password=yourpassword

Then create the email logging action:

/system logging action add name=email-alerts target=email \
    email-to=admin@example.com email-start-tls=yes

/system logging add action=email-alerts topics=critical
/system logging add action=email-alerts topics=account

Scenario: Separate Memory Buffer for Debugging

Create isolated buffers for specific topics to simplify troubleshooting.

/system logging action add name=dhcp-debug target=memory memory-lines=500
/system logging add action=dhcp-debug topics=dhcp

/log print where buffer=dhcp-debug

Scenario: Firewall Logging with Prefix

Track specific firewall rule matches using prefixes.

First, add firewall rules with logging:

/ip firewall filter add chain=input action=drop log=yes log-prefix="DROP_INPUT:" \
    connection-state=invalid

Then create a logging rule (note: prefix adds text to messages, does not filter by prefix):

/system logging action add name=fw-drops target=memory memory-lines=2000
/system logging add action=fw-drops topics=firewall

Scenario: VRF-Aware Remote Logging (v7.19+)

Send logs through a specific VRF.

/system logging action add name=mgmt-syslog target=remote \
    remote=10.99.0.10 vrf=management

Scenario: Multi-Router Centralized Logging

Assign different syslog facilities to each router for server-side filtering.

# Router 1
/system logging action set remote syslog-facility=local0

# Router 2
/system logging action set remote syslog-facility=local1

# Router 3
/system logging action set remote syslog-facility=local2

Verification

Confirm your logging configuration is working.

Check 1: Verify Remote Syslog Action

/system logging action print where target=remote

Expected: Remote address shows your syslog server IP.

Check 2: Verify Logging Rules

/system logging print

Expected: Rules showing your topics mapped to appropriate actions.

Check 3: Test Remote Logging with Packet Capture

/tool sniffer quick host=192.168.1.100 port=514

Expected: UDP packets to syslog server when log events occur.

Check 4: Generate a Test Log Entry

:log info "Test message from RouterOS"

Then verify it appears:

/log print where message~"Test message"

Troubleshooting

Symptom	Cause	Solution
Remote syslog not receiving logs	Firewall blocking UDP 514	Check outbound firewall rules; allow UDP 514
Remote syslog not receiving logs	Topics combined incorrectly	Create separate rules for each severity (info, warning, error, critical)
Remote syslog not receiving logs	Wrong syslog server IP	Verify with `/system logging action print`
Topics missing in syslog messages	BSD syslog format limitation	Use log prefix or different facilities per topic
Cannot clear memory logs	RouterOS version too old	Upgrade to v7.20+ or reduce memory-lines temporarily
Disk logs wearing out NAND	High-frequency logging	Use USB storage or remote syslog instead
Email alerts not sending	Email not configured	Configure `/tool e-mail` first
Reboot messages not in remote syslog	Network unavailable during boot	Use disk logging for system topic

Common Mistakes

Don’t combine multiple severity levels in one rule - topics=info,warning,error matches nothing because topics are ANDed. Each log entry has only ONE severity level.
Don’t confuse prefix behavior - The prefix property adds text to messages, it does NOT filter by prefix.
Don’t log high-frequency topics to internal NAND - Firewall and web-proxy topics can cause flash wear. Use external storage or remote syslog.
Don’t expect immediate remote logs during reboot - Network isn’t available during early boot/late shutdown. Boot messages only go to memory/disk.
Cannot delete default actions - The five default actions (memory, disk, echo, remote, email) cannot be deleted or renamed. Create new actions instead.

BSD Syslog Topic Workaround: Since BSD format doesn’t include MikroTik topics, use different syslog facilities to identify message sources:

/system logging action add name=dhcp-syslog target=remote remote=192.168.1.100 syslog-facility=local1
/system logging action add name=fw-syslog target=remote remote=192.168.1.100 syslog-facility=local2
/system logging add action=dhcp-syslog topics=dhcp
/system logging add action=fw-syslog topics=firewall

Clear Memory Buffer (v7.20+):

/system logging action clear action=memory

For older versions, the memory-lines trick may work but is unreliable:

/system logging action set memory memory-lines=1
/system logging action set memory memory-lines=1000

Separate Troubleshooting Buffers: Create topic-specific buffers to isolate debug output:

/system logging action add name=vpn-debug target=memory memory-lines=500
/system logging add action=vpn-debug topics=ipsec,debug
/log print where buffer=vpn-debug

Server Compatibility: If your syslog server (Kiwi, Graylog) isn’t receiving logs, try different format combinations:

remote-log-format=syslog vs remote-log-format=default
syslog-time-format=bsd-syslog vs syslog-time-format=iso8601
TCP vs UDP protocol

Log Topics Reference

Severity Topics (one per log entry)

Topic	Description
`critical`	Critical system events
`error`	Error conditions
`warning`	Warning conditions
`info`	Informational messages
`debug`	Debug-level messages
`packet`	Packet-level details
`raw`	Raw packet data

Common Facility Topics

Topic	Description
`account`	User login/logout events
`bgp`	BGP routing protocol
`dhcp`	DHCP server/client events
`dns`	DNS operations
`firewall`	Firewall rule matches
`interface`	Interface state changes
`ipsec`	IPsec VPN events
`ospf`	OSPF routing protocol
`ppp`	PPP connections
`route`	Routing table changes
`script`	Script execution
`ssh`	SSH access
`system`	System events (startup, shutdown)
`wireless`	Wireless events
`wireguard`	WireGuard VPN events

Topic Exclusion

Use ! to exclude topics:

/system logging add action=remote topics=info,!firewall

This logs all info messages except those also tagged firewall.

Syslog Facility Reference

Facility	Typical Use
`daemon`	Default; general system daemons
`local0` - `local7`	Custom applications; use for multi-router identification
`auth`	Authentication events
`syslog`	Syslog-related messages
`user`	User-level messages

Firewall Logging

Firewall Basics - firewall rules with logging actions
NAT Masquerade - NAT with logging

System Integration

System Backup - include logs in backups
Scheduler - schedule log rotation scripts
SNMP - SNMP traps complement logging

Security Monitoring

User Management - audit user logins
SSH Configuration - log SSH access

Reference

MikroTik Log Documentation
Syslog with Elasticsearch
Version changes:
- v7.20: Added /system logging action clear command
- v7.19: Added VRF support for remote logging
- v7.18: Added CEF format, millisecond timestamps, ISO8601 time format

Key Properties Reference

Logging Action Properties

Property	Type	Default	Description
`name`	string	-	Action identifier (required)
`target`	memory/disk/echo/remote/email	memory	Destination type
`memory-lines`	1-65535	1000	Lines stored in RAM buffer (memory target)
`disk-file-name`	string	log	Base filename (disk target)
`disk-lines-per-file`	1-65535	100	Lines per file before rotation
`disk-file-count`	1-65535	2	Number of rotating files
`remote`	IP[:port]	0.0.0.0:514	Syslog server address
`remote-port`	integer	514	Syslog server port
`remote-protocol`	tcp/udp	udp	Transport protocol
`remote-log-format`	cef/default/syslog	default	Output format
`syslog-facility`	enum	daemon	RFC 3164 facility
`syslog-time-format`	bsd-syslog/iso8601	bsd-syslog	Timestamp format
`vrf`	name	main	VRF for remote logging (v7.19+)
`email-to`	string	-	Recipient address (email target)

Logging Rule Properties

Property	Type	Description
`action`	string	Action name for matching logs
`topics`	string	Comma-separated topic list (ANDed)
`prefix`	string	Text prepended to log messages

Logging Configuration

Logging Configuration

TL;DR (Quick Start)

Overview

Configuration Steps

Step 1: View Current Logs

Step 2: Review Default Configuration

Step 3: Configure Remote Syslog

Step 4: Verify Configuration

Common Scenarios

Scenario: Send Specific Topics to Syslog

Scenario: Custom Syslog Action with BSD Format

Scenario: CEF Format for SIEM Integration (v7.18+)

Scenario: Disk Logging for Persistent Storage

Scenario: USB/External Storage Logging

Scenario: Email Alerts for Critical Events

Scenario: Separate Memory Buffer for Debugging

Scenario: Firewall Logging with Prefix

Scenario: VRF-Aware Remote Logging (v7.19+)

Scenario: Multi-Router Centralized Logging

Verification

Check 1: Verify Remote Syslog Action

Check 2: Verify Logging Rules

Check 3: Test Remote Logging with Packet Capture

Check 4: Generate a Test Log Entry

Troubleshooting

Log Topics Reference

Severity Topics (one per log entry)

Common Facility Topics

Topic Exclusion

Syslog Facility Reference

Related Topics

Firewall Logging

System Integration

Security Monitoring

Reference

Key Properties Reference

Logging Action Properties

Logging Rule Properties