Monitoring & logging.
By default RouterOS keeps a small in-memory log that wraps every few hours on a busy router — useful for "what just happened?" and nothing else. To get logs you can actually search through after the fact, forward to a syslog collector. This page covers the local log model, remote syslog, the topic system, and the basic monitoring knobs (SNMP, fetch-based scrapers).
The topic system
Everything RouterOS logs carries one or more topics — facets that let you filter without parsing message bodies. Common ones:
- system — boot, login, config-save, reboot.
- firewall — only when you set log=yes on a rule (the default firewall doesn't log).
- dhcp — leases, conflicts.
- wireless / wifi — assoc / disassoc / roaming.
- ipsec, l2tp, ppp, wireguard — VPN events.
- dns — only when cache-max-ttl events fire; turn on debug for query-level visibility (noisy).
- account — admin user logins, password changes.
- critical, error, warning, info, debug — severity facets, layered on top of the subsystem topics.
Filter /log print by topic:
/log print where topics~"firewall"
/log print where topics~"wireless" and topics~"warning"
/log print where message~"failed"
Adding a log target
Log destinations live in /system logging action. The
built-in ones are memory (default — 1000 messages,
flushed on reboot), disk (persistent to flash —
careful, flash wear), echo (the SSH/Winbox active
console), and a user-defined remote for syslog.
# Add a syslog remote
/system logging action add name=syslog-central target=remote \
    remote=192.168.88.250 remote-port=514 src-address=192.168.88.1 \
    bsd-syslog=yes syslog-facility=local0
# Bind topics → that target
/system logging add topics=info,!debug action=syslog-central
# One rule per severity: topics listed in a single rule are AND'd
/system logging add topics=warning action=syslog-central
/system logging add topics=error action=syslog-central
/system logging add topics=critical action=syslog-central
/system logging add topics=firewall action=syslog-central

# The same commands in RouterOS 7 path syntax
/system/logging/action add name=syslog-central target=remote \
    remote=192.168.88.250 remote-port=514 src-address=192.168.88.1 \
    bsd-syslog=yes syslog-facility=local0
/system/logging add topics=info,!debug action=syslog-central
/system/logging add topics=warning action=syslog-central
/system/logging add topics=error action=syslog-central
/system/logging add topics=critical action=syslog-central
/system/logging add topics=firewall action=syslog-central

!debug means "exclude debug-severity messages even when
topics match". RouterOS logging matches with set semantics —
multiple topic specs on the same rule are AND'd together.
Logging firewall hits
Logging is opt-in per rule. Add log=yes log-prefix=...
to the rules you care about. Don't log everything — high-volume
rules (e.g. accept-established) fill the log instantly.
# Log inbound drops only — diagnostic for "why can't I reach this"
/ip firewall filter add chain=input action=drop log=yes log-prefix="input-drop"
# Log address-list hits — useful for "did my Tor block work?"
/ip firewall filter add chain=input action=drop src-address-list=tor-exit \
    log=yes log-prefix="tor-drop"

# The same rules in RouterOS 7 path syntax
/ip/firewall/filter add chain=input action=drop log=yes log-prefix="input-drop"
/ip/firewall/filter add chain=input action=drop src-address-list=tor-exit \
    log=yes log-prefix="tor-drop"
The log-prefix is included as the first word of the
log message — easy to grep for, easy to set up syslog facets around.
Don't log to flash
target=disk writes to the router's flash chip. Flash
has a finite write-endurance budget; a chatty subsystem logging at
debug level to disk wears a router out in months. Forward to
syslog instead — the central collector's disk is built for it.
If you must log locally for an air-gapped network: keep
target=memory with a bigger buffer
(/system logging action set memory memory-lines=10000),
not target=disk.
SNMP
For metrics scraping — uptime, interface counters, CPU, memory — the path is SNMP, polled by Prometheus / LibreNMS / Zabbix / whatever you run.
/snmp community add name=mtkf-readonly addresses=192.168.88.250/32 read-access=yes write-access=no
/snmp set enabled=yes contact="ops@example.com" location="rack-1"

# The same commands in RouterOS 7 path syntax
/snmp/community add name=mtkf-readonly addresses=192.168.88.250/32 read-access=yes write-access=no
/snmp set enabled=yes contact="ops@example.com" location="rack-1"
Restrict addresses= to your monitoring host — leaving
it default-open lets anyone on the LAN query SNMP. The community
string is NOT a secret; SNMP v2c is unauthenticated. SNMPv3 with
user+auth+priv is supported but rarely worth the complexity for
a single-router setup.
Common patterns
Prometheus + an SNMP exporter
The community blocklist's go-to. Run the Prometheus
snmp_exporter with the MikroTik MIB, scrape interface
counters / CPU / memory / DHCP-lease-count, alert on link-down /
high-CPU / disk-write-spike.
Syslog → ELK / Loki
All those log-prefix values pre-tag your logs for
facet search. Rsyslog rules can split them into separate files
based on the prefix.
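On the collector side, the log-prefix values and the local0 facility configured earlier are enough to sort forwarded firewall drops by tag and source. The Python below is an added example, not part of the original guide; the firewall message layout, the MikroTik hostname and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# RFC 3164 framing, as sent with bsd-syslog=yes: <PRI>timestamp host message
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d "
                     r"(?P<host>\S+) (?P<msg>.*)$")
# Assumed firewall log body: "... proto TCP (SYN), src:port->dst:port, len N"
FLOW_RE = re.compile(r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?->"
                     r"\d+(?:\.\d+){3}(?::(?P<dport>\d+))?")
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
KNOWN_PREFIXES = {"input-drop", "tor-drop"}  # log-prefix values used on this page

def parse(line):
    """Return a record for one syslog line, or None if it is not RFC 3164 shaped."""
    m = LINE_RE.match(line)
    if not m or int(m["pri"]) > 191:  # max PRI = facility 23 * 8 + severity 7
        return None
    pri = int(m["pri"])
    first, _, rest = m["msg"].partition(" ")
    # The log-prefix is the first word of the message; other messages are untagged.
    prefix = first if first in KNOWN_PREFIXES else None
    flow = FLOW_RE.search(rest) if prefix else None
    return {
        "facility": pri // 8,  # local0 == 16
        "severity": SEVERITIES[pri % 8],
        "host": m["host"],
        "prefix": prefix,
        "src": flow["src"] if flow else None,
        "dport": int(flow["dport"]) if flow and flow["dport"] else None,
    }

def drops_by_source(lines, facility=16):
    """Count tagged firewall drops per (prefix, source IP) within one facility."""
    counts = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["facility"] == facility and rec["src"]:
            counts[(rec["prefix"], rec["src"])] += 1
    return counts

# Constructed sample lines (documentation addresses), not captured from a router.
FW = "input: in:ether1 out:(unknown 0), connection-state:new, proto TCP (SYN), "
SAMPLE = [
    "<134>Jan  5 10:15:02 MikroTik input-drop " + FW + "203.0.113.7:51234->192.168.88.1:22, len 60",
    "<134>Jan  5 10:15:03 MikroTik input-drop " + FW + "203.0.113.7:51240->192.168.88.1:23, len 60",
    "<134>Jan  5 10:15:09 MikroTik tor-drop " + FW + "198.51.100.9:40000->192.168.88.1:443, len 60",
    "<134>Jan  5 10:16:00 MikroTik user admin logged in from 192.168.88.10 via ssh",
    "input-drop line that lost its <PRI> header",
]
```

Calling drops_by_source(SAMPLE) gives the per-tag, per-source counts; lines without a valid PRI header or from another facility are skipped rather than guessed at.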
NetFlow / IPFIX for traffic visibility
RouterOS supports NetFlow v5/v9 + IPFIX export
(/ip traffic-flow). Useful for "who's using all the
bandwidth"-style questions. Higher CPU cost than SNMP polling.
Skip unless you have an actual collector consuming it.