Using Splunk to view MikroTik logs 2.6 (graphical management)

Admin rosjb, 7 months ago, 1019

Reposted from the official MikroTik forum: https://forum.mikrotik.com/viewtopic.php?f=23&t=137338

Using Splunk to monitor and graph all kinds of data coming from MikroTik routers is a good, free way to see what is happening on your network.

Splunk is free to use and can index up to 500MB of data per day.


Installation

1a) First you need to download and install the Splunk software (available for both Windows and Linux).

PS: you have to register an account before you can download it: https://www.splunk.com/en_us/download/splunk-enterprise.html

1c) Change the license group. This is a very important step!

      1. Open the web interface: Settings (top right) - Licensing - Change license group - Free license - Save

      2. Allow UDP port 514: Settings (top right) - Data inputs - UDP - New Local UDP (top right) - enter port 514 - Next - Source type: syslog - Review - Submit

1d) Download the Splunk .spl file: MikroTik2.6.spl.zip (scroll to the bottom of this post to download the attachment)

        Install the app file:

       1. Unzip the file; you get a file with the .spl extension.

       2. Click the top left to go back to the home page - the gear icon next to Apps - Install app from file (top right) - choose the file (the one you just downloaded and unzipped).

       3. Then click Settings (top right) - Server controls - Restart.

2a) Syslog (start configuring the RouterOS router)

     1. Open the terminal and enter this command directly:

       /system logging action add name=logserver target=remote remote=192.168.1.50 remote-port=514 ## replace 192.168.1.50 with the IP of the host that stores your syslog messages (if you do not have one, use the IP of the computer where you installed Splunk; do not get this wrong)

      2. Continue with these terminal commands:

/system logging add action=logserver prefix=MikroTik topics=dhcp

/system logging add action=logserver prefix=MikroTik topics=!debug


2b) Choose which logs you want

   I haven't figured this one out yet; it doesn't affect the later steps. It should be about choosing which rules get counted into the log.

2c) Continue with this terminal command

/ip accounting set enabled=yes threshold=2560

       

2d) Add the statistics script. Script name: Data_to_Splunk_using_Syslog

# Collect accounting traffic
# v 2.2
# ----------------------------------
# Collect system resource
# ----------------------------------
:local cpuload ([/system resource get cpu-load])
:local freemem ([/system resource get free-memory]/1048576)
:local totmem ([/system resource get total-memory]/1048576)
:local freehddspace ([/system resource get free-hdd-space]/1048576)
:local totalhddspace ([/system resource get total-hdd-space]/1048576)
:local up ([/system resource get uptime])
:log info message="script=resource free_memory=$freemem MB total_memory=$totmem MB free_hdd_space=$freehddspace MB total_hdd_space=$totalhddspace MB cpu_load=$cpuload uptime=$up"
# Take a snapshot of the accounting table (only if accounting is enabled, see step 2c)
:if ([/ip accounting get enabled]=yes) do={
   /ip accounting snapshot take
#  Send each accounting line to the logging server
   :foreach logline in=[/ip accounting snapshot find] do={:log info message="$[/ip accounting snapshot print as-value from=$logline]"}
}
# Finding dynamic NAT lines created by uPnP
# ----------------------------------
:foreach logline in=[/ip firewall nat find dynamic=yes] do={:log info message="$[/ip firewall nat print as-value from=$logline]"}
# Collect system information
# ----------------------------------
:local version ([/system resource get version])
:local board ([/system resource get board-name])
:local model ([/system routerboard get model])
:local serial ([/system routerboard get serial-number])
:local identity ([/system identity get name])
:log info message="script=sysinfo version=\"$version\" board-name=\"$board\" model=\"$model\" serial=$serial identity=\"$identity\""
# Collect system health
# ----------------------------------
:local voltage ([/system health get voltage]/10)
:local temperature ([/system health get temperature])
:log info message="script=health voltage=$voltage V temperature=$temperature C"
# Send wireless client data to the log server (ignored on boards without wireless)
# ----------------------------------
:do {
   :if ([:len [/interface wireless find]]>0) do={
      :foreach logline in=[/interface wireless registration-table find] do={
         :log info message="$[/interface wireless registration-table print as-value from=$logline]"}
   }
} on-error={}
# Collect DHCP pool information
# ----------------------------------
/ip pool {
   :local poolname
   :local pooladdresses
   :local poolused
   :local minaddress
   :local maxaddress
   :local findindex
   :local tmpint
   :local maxindex
#  :put ("IP Pool Statistics")
#  :put ("------------------")
#  Iterate through IP pools
   :foreach p in=[find] do={
      :set poolname [get $p name]
      :set pooladdresses 0
      :set poolused 0
#     Iterate through the current pool's IP ranges
      :foreach r in=[:toarray [get $p range]] do={
#        Get min and max addresses
         :set findindex [:find [:tostr $r] "-"]
         :if ([:len $findindex] > 0) do={
            :set minaddress [:pick [:tostr $r] 0 $findindex]
            :set maxaddress [:pick [:tostr $r] ($findindex + 1) [:len [:tostr $r]]]
         } else={
            :set minaddress [:tostr $r]
            :set maxaddress [:tostr $r]
         }
#        Convert to an array of octets (replace '.' with ',')
         :for x from=0 to=([:len [:tostr $minaddress]] - 1) do={
            :if ([:pick [:tostr $minaddress] $x ($x + 1)] = ".") do={
               :set minaddress ([:pick [:tostr $minaddress] 0 $x] . "," . \
                                [:pick [:tostr $minaddress] ($x + 1) [:len [:tostr $minaddress]]]) }
         }
         :for x from=0 to=([:len [:tostr $maxaddress]] - 1) do={
            :if ([:pick [:tostr $maxaddress] $x ($x + 1)] = ".") do={
               :set maxaddress ([:pick [:tostr $maxaddress] 0 $x] . "," . \
                                [:pick [:tostr $maxaddress] ($x + 1) [:len [:tostr $maxaddress]]]) }
         }
#        Calculate the number of addresses in the current range
         :if ([:len [:toarray $minaddress]] = [:len [:toarray $maxaddress]]) do={
            :set maxindex ([:len [:toarray $minaddress]] - 1)
            :for x from=$maxindex to=0 step=-1 do={
#              Calculate 256^($maxindex - $x)
               :set tmpint 1
               :if (($maxindex - $x) > 0) do={
                  :for y from=1 to=($maxindex - $x) do={ :set tmpint (256 * $tmpint) }
               }
               :set tmpint ($tmpint * ([:tonum [:pick [:toarray $maxaddress] $x]] - \
                                       [:tonum [:pick [:toarray $minaddress] $x]]) )
               :set pooladdresses ($pooladdresses + $tmpint)
#           for x
            }
#        if len array $minaddress = $maxaddress
         }
#        Add the current range to the pool's total of available addresses
         :set pooladdresses ($pooladdresses + 1)
#     foreach r
      }
      :set poolused [:len [used find pool=[:tostr $poolname]]]
#     Send data
#     :log info message=("pool=" . $poolname . " used=" . $poolused . " total=" . $pooladdresses)
      :log info message=("script=pool pool=$poolname used=$poolused total=$pooladdresses")
#  foreach p
   }
# /ip pool
}


2e) Add the script's schedule and interval (terminal command):

    /system scheduler add interval=5m name="Data to Splunk" on-event=Data_to_Splunk_using_Syslog
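Everything the script in 2d) sends is a syslog line whose payload is a series of key=value pairs ("script=resource free_memory=182 MB ...", "script=pool pool=... used=... total=..."). As an added example (not part of the original post or of the MikroTik2.6 Splunk app), here is a small Python parser for those records plus a check that flags a DHCP pool close to exhaustion, run over constructed sample lines; the sample values and the serial placeholder are made up.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# A value is either a quoted string (may contain spaces) or a bare token; the script
# appends a bare unit token ("MB", "V", "C") after some numeric values.
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)(?:\s+(MB|V|C)(?=\s|$))?')

# Constructed samples of what the router forwards (prefix=MikroTik, topics "script,info").
SAMPLE_LINES = [
    "MikroTik script,info script=resource free_memory=182 MB total_memory=256 MB "
    "free_hdd_space=9 MB total_hdd_space=16 MB cpu_load=3 uptime=1w2d03:04:05",
    'MikroTik script,info script=sysinfo version="6.45.9 (long-term)" board-name="hEX" '
    'model="RB750Gr3" serial=SERIAL-PLACEHOLDER identity="gw-office"',
    "MikroTik script,info script=health voltage=24 V temperature=41 C",
    "MikroTik script,info script=pool pool=dhcp_pool1 used=250 total=254",
    "MikroTik script,info script=pool pool=guest used=3 total=30",
    "MikroTik dhcp,info dhcp1 assigned 192.168.1.77 to 00:11:22:33:44:55",
]


def parse_script_line(line: str) -> Optional[Dict[str, Any]]:
    """Return the key=value fields of one 'script=<name>' record, or None for any
    other log line (plain dhcp/firewall messages are left to Splunk's syslog sourcetype)."""
    start = line.find("script=")
    if start < 0:
        return None
    fields: Dict[str, Any] = {}
    for key, raw, unit in KV_RE.findall(line[start:]):
        if raw.startswith('"'):
            value: Any = raw[1:-1]            # quoted value, quotes stripped
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)                  # counters and sizes become ints
        else:
            value = raw                       # e.g. uptime=1w2d03:04:05
        fields[key] = value
        if unit:
            fields[key + "_unit"] = unit      # keep the unit next to the number
    return fields


def pool_alerts(records: List[Optional[Dict[str, Any]]], threshold: float = 0.9) -> List[Tuple[str, float]]:
    """Flag DHCP pools at or above `threshold` utilisation; a pool running dry is an
    availability problem and a common symptom of rogue or flooding clients."""
    alerts = []
    for rec in records:
        if rec and rec.get("script") == "pool" and rec.get("total"):
            ratio = rec["used"] / rec["total"]
            if ratio >= threshold:
                alerts.append((rec["pool"], round(ratio, 3)))
    return alerts
```

Feed each received line to parse_script_line and pass the results to pool_alerts; on the sample above only dhcp_pool1 (250 of 254 leases) is reported.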


Installation complete. If you have any questions, ask here and we can discuss and work through them together!~

Screenshots:

Uploaded attachments:
Latest replies (2)
  • Level 1 user 2966440, 4 months ago, #2
    Why can't I get statistics? It says it cannot create a new search.
  • Admin rosjb, 2 months ago, #3
    2966440: Why can't I get statistics? It says it cannot create a new search.
    The data probably isn't hooked up properly. But if you want to use statistics functions, I'd suggest using Zabbix; that open-source software is more specialised.