@rossigee
Last active August 25, 2023 04:46
Some fluent-bit parsers for RFC3164 parsing of Mikrotik logs
[PARSER]
    Name        syslog-rfc3164-safe
    Format      regex
    Regex       /\<(?<pri>[0-9]+)\>(?<time>\w{3}\s+\d+\s\d{2}:\d{2}:\d{2})\s(?<host>[^ ]*)\s(?<ident>[a-zA-Z0-9_\/\.\-\+,]*)(\[(?<pid>\d+)\])*:?\s(?<message>.*)/
    Time_Key    time
    Time_Format %b %d %H:%M:%S
    Time_Keep   On

[PARSER]
    Name        ssh_access_logs_mikrotik
    Format      regex
    Regex       /(?<user>\w+)\s+(?<action>.+)\s+from\s+(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+via\s+(?<method>\w+)/

[PARSER]
    Name        dhcp_logs_mikrotik
    Format      regex
    Regex       /(?<action>\w+)\s+(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+for\s+(?<mac>[A-Fa-f0-9:]+)\s+(?<client>.+)/

[PARSER]
    Name        firewall_logs_mikrotik
    Format      regex
    Regex       /in:(?<in_iface>\w+)\s+out:(?<out_iface>\w+),\s+connection-state:(?<conn_state>\w+)\s+src-mac\s+(?<src_mac>[A-Fa-f0-9:]+),\s+proto\s+(?<proto>\w+),\s+(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_port>\d+)->(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dst_port>\d+),\s+len\s+(?<length>\d+)/
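The script below is an added example, not part of the gist: it runs the four patterns above over constructed MikroTik syslog lines so you can see which fields each stage yields and where a line drops out silently. fluent-bit's regex parser is built on Onigmo, Ruby's regex engine, so the patterns are copied verbatim; the ident-to-parser routing (`STAGE2`), the sample lines and the `parsed` flag are assumptions of this example, not something the gist configures.

```ruby
# Added example (not the gist's code): exercise the gist's parsers over
# constructed MikroTik syslog lines. Patterns are copied verbatim; Ruby and
# fluent-bit share the Onigmo regex engine.
SYSLOG = /\<(?<pri>[0-9]+)\>(?<time>\w{3}\s+\d+\s\d{2}:\d{2}:\d{2})\s(?<host>[^ ]*)\s(?<ident>[a-zA-Z0-9_\/\.\-\+,]*)(\[(?<pid>\d+)\])*:?\s(?<message>.*)/
SSH = /(?<user>\w+)\s+(?<action>.+)\s+from\s+(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+via\s+(?<method>\w+)/
DHCP = /(?<action>\w+)\s+(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+for\s+(?<mac>[A-Fa-f0-9:]+)\s+(?<client>.+)/
FIREWALL = /in:(?<in_iface>\w+)\s+out:(?<out_iface>\w+),\s+connection-state:(?<conn_state>\w+)\s+src-mac\s+(?<src_mac>[A-Fa-f0-9:]+),\s+proto\s+(?<proto>\w+),\s+(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<src_port>\d+)->(?<dest_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(?<dst_port>\d+),\s+len\s+(?<length>\d+)/

# MikroTik sends its log topics in the syslog TAG position, which the envelope
# parser captures as "ident". Routing on it is an assumption of this example;
# in fluent-bit it would be done with a parser filter keyed on that field.
STAGE2 = {
  "system,info,account" => SSH,
  "dhcp,info"           => DHCP,
  "firewall,info"       => FIREWALL,
}.freeze

# Parse the RFC 3164 envelope, then the body with the topic's parser.
# Returns nil when the envelope fails; otherwise a record whose "parsed" flag
# is false when the second stage did not match (the line would otherwise
# pass through a pipeline with no body fields and no error).
def parse_line(line)
  env = SYSLOG.match(line) or return nil
  record = env.named_captures
  sub = STAGE2[record["ident"]]
  body = sub && sub.match(record["message"])
  record.merge!(body.named_captures) if body
  record["parsed"] = !body.nil?
  record
end

# Constructed sample lines in MikroTik's BSD-syslog wording (not real traffic).
# Line 1: the SSH pattern's leading \w+ takes the literal word "user", so the
#         account name ends up in "action", not "user".
# Line 4: TCP entries carry flag text ("proto TCP (SYN),") that the firewall
#         pattern does not allow for, so only the envelope is parsed.
SAMPLES = [
  "<134>Aug 25 04:46:00 rb4011 system,info,account user admin logged in from 192.168.88.10 via ssh",
  "<134>Aug 25 04:46:01 rb4011 dhcp,info dhcp1 assigned 192.168.88.10 for 00:11:22:33:44:55 laptop-01",
  "<134>Aug 25 04:46:02 rb4011 firewall,info forward: in:ether1 out:bridge, connection-state:new src-mac 00:11:22:33:44:55, proto UDP, 203.0.113.7:53210->192.168.88.10:53, len 64",
  "<134>Aug 25 04:46:03 rb4011 firewall,info forward: in:ether1 out:bridge, connection-state:new src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.7:53211->192.168.88.10:22, len 60",
].freeze

def parse_samples
  SAMPLES.map { |l| parse_line(l) }
end

parse_samples.each { |r| puts r.inspect } if __FILE__ == $PROGRAM_NAME
```

Count the records with `parsed == false` per ident in your own feed before alerting on these fields; a pattern that never matches produces no error in fluent-bit, only missing keys.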