Monitoring & logging.

By default RouterOS keeps a small in-memory log that wraps every few hours on a busy router — useful for "what just happened?" and nothing else. To get logs you can actually search through after the fact, forward to a syslog collector. This page covers the local log model, remote syslog, the topic system, and the basic monitoring knobs (SNMP, fetch-based scrapers).

The topic system

Everything RouterOS logs carries one or more topics — facets that let you filter without parsing message bodies. Common ones:

  • system — boot, login, config-save, reboot.
  • firewall — only when you set log=yes on a rule (the default firewall doesn't log).
  • dhcp — leases, conflicts.
  • wireless / wifi — assoc / disassoc / roaming.
  • ipsec, l2tp, ppp, wireguard — VPN events.
  • dns — only when cache-max-ttl events fire; turn on debug for query-level visibility (noisy).
  • account — admin user logins, password changes.
  • critical, error, warning, info, debug — severity facets, layered on top of the subsystem topics.

Filter /log print by topic:

/log print where topics~"firewall"
/log print where topics~"wireless" and topics~"warning"
/log print where message~"failed"

Adding a log target

Log destinations live in /system logging action. The built-in ones are memory (default — 1000 messages, flushed on reboot), disk (persistent to flash — careful, flash wear), echo (the SSH/Winbox active console), and a user-defined remote for syslog.

RouterOS v6:
# Add a syslog remote
/system logging action add name=syslog-central target=remote \
  remote=192.168.88.250 remote-port=514 src-address=192.168.88.1 \
  bsd-syslog=yes syslog-facility=local0

# Bind topics → that target
/system logging add topics=info,!debug action=syslog-central
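# One rule per severity: topics listed on a single rule are AND'd
/system logging add topics=warning action=syslog-central
/system logging add topics=error action=syslog-central
/system logging add topics=critical action=syslog-central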
/system logging add topics=firewall action=syslog-central

RouterOS v7:
/system/logging/action add name=syslog-central target=remote \
  remote=192.168.88.250 remote-port=514 src-address=192.168.88.1 \
  bsd-syslog=yes syslog-facility=local0

/system/logging add topics=info,!debug action=syslog-central
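# One rule per severity: topics listed on a single rule are AND'd
/system/logging add topics=warning action=syslog-central
/system/logging add topics=error action=syslog-central
/system/logging add topics=critical action=syslog-central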
/system/logging add topics=firewall action=syslog-central

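!debug means "exclude debug-severity messages even when topics match". RouterOS logging matches with set semantics: multiple topic specs on the same rule are AND'd together, so a rule matches only messages that carry every listed topic, and alternatives such as different severities need one rule each.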
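
A small Python model of that matching rule, added here as an illustration (not RouterOS code and not from the original page). The message topics and texts are constructed, and the matcher assumes exactly the AND-with-exclusion semantics stated above.

```python
def rule_matches(rule_topics, message_topics):
    """True when the message carries every plain topic and no '!'-topic."""
    required, excluded = set(), set()
    for spec in rule_topics.split(","):
        spec = spec.strip()
        if spec.startswith("!"):
            excluded.add(spec[1:])
        elif spec:
            required.add(spec)
    present = set(message_topics)
    return required <= present and not (excluded & present)


def actions_for(rules, message_topics):
    """Rules are evaluated independently; return the action of each match."""
    return [action for topics, action in rules
            if rule_matches(topics, message_topics)]


# Constructed messages: (topics attached by the router, message text)
MESSAGES = [
    ({"system", "error", "critical"}, "login failure for user admin"),
    ({"firewall", "info"}, "input-drop input: in:ether1 ..."),
    ({"dhcp", "info", "debug"}, "lease state change detail"),
    ({"wireless", "warning"}, "signal below threshold"),
]

# One rule listing three severities versus one rule per severity.
COMBINED = [("warning,error,critical", "syslog-central")]
SPLIT = [("warning", "syslog-central"),
         ("error", "syslog-central"),
         ("critical", "syslog-central")]
INFO = [("info,!debug", "syslog-central")]


def forwarded(rules):
    """Texts of the constructed messages that at least one rule forwards."""
    return [text for topics, text in MESSAGES if actions_for(rules, topics)]
```

In this model `forwarded(COMBINED)` is empty because no message carries warning, error and critical at once, while `forwarded(SPLIT)` picks up the login failure and the wireless warning.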

Logging firewall hits

Logging is opt-in per rule. Add log=yes log-prefix=... to the rules you care about. Don't log everything — high-volume rules (e.g. accept-established) fill the log instantly.

RouterOS v6:
# Log inbound drops only — diagnostic for "why can't I reach this"
/ip firewall filter add chain=input action=drop log=yes log-prefix="input-drop"

# Log address-list hits — useful for "did my Tor block work?"
/ip firewall filter add chain=input action=drop src-address-list=tor-exit \
  log=yes log-prefix="tor-drop"

RouterOS v7:
/ip/firewall/filter add chain=input action=drop log=yes log-prefix="input-drop"
/ip/firewall/filter add chain=input action=drop src-address-list=tor-exit \
  log=yes log-prefix="tor-drop"

The log-prefix is included as the first word of the log message — easy to grep for, easy to set up syslog facets around.

Don't log to flash

target=disk writes to the router's flash chip. Flash has a finite write-endurance budget; a chatty subsystem logging at debug level to disk wears a router out in months. Forward to syslog instead — the central collector's disk is built for it.

If you must log locally for an air-gapped network: keep target=memory with a bigger buffer (/system logging action set memory memory-lines=10000), not target=disk.

SNMP

For scraping metrics (uptime, interface counters, CPU, memory) the path is SNMP, polled by Prometheus / LibreNMS / Zabbix / whatever you run.

RouterOS v6:
/snmp community add name=mtkf-readonly addresses=192.168.88.250/32 read-access=yes write-access=no
/snmp set enabled=yes contact="ops@example.com" location="rack-1"

RouterOS v7:
/snmp/community add name=mtkf-readonly addresses=192.168.88.250/32 read-access=yes write-access=no
/snmp set enabled=yes contact="ops@example.com" location="rack-1"

Restrict addresses= to your monitoring host — leaving it default-open lets anyone on the LAN query SNMP. The community string is NOT a secret; SNMP v2c is unauthenticated. SNMPv3 with user+auth+priv is supported but rarely worth the complexity for a single-router setup.

Common patterns

Prometheus + an SNMP exporter

The community blocklist's go-to. Run the Prometheus snmp_exporter with the MikroTik MIB, scrape interface counters / CPU / memory / DHCP-lease-count, alert on link-down / high-CPU / disk-write-spike.

Syslog → ELK / Loki

All those log-prefix values pre-tag your logs for facet search. Rsyslog rules can split them into separate files based on the prefix.
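
The log-prefix convention from "Logging firewall hits" (prefix as the first word of the message) and the per-prefix splitting described here, worked through on the collector side in Python. This is an added example, not code from the original page; the sample lines are constructed and the firewall message layout in them is an assumed shape.

```python
import re
from collections import Counter

# Prefixes set with log-prefix= on the firewall rules in this guide.
KNOWN_PREFIXES = {"input-drop", "tor-drop"}
LOCAL0 = 16  # syslog-facility=local0 in the logging action

# BSD syslog framing: <PRI>Mmm dd hh:mm:ss host message
LINE_RE = re.compile(r"^<(\d{1,3})>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) (.*)$")
# Assumed shape of the address part of a firewall log message.
FLOW_RE = re.compile(r"(\d+(?:\.\d+){3}):(\d+)->(\d+(?:\.\d+){3}):(\d+)")

# Constructed sample datagrams (not captured from a real router).
SAMPLE = [
    "<134>Mar  3 10:15:01 MikroTik input-drop input: in:ether1 out:(unknown 0), "
    "proto TCP (SYN), 203.0.113.7:51234->192.168.88.1:22, len 60",
    "<134>Mar  3 10:15:02 MikroTik input-drop input: in:ether1 out:(unknown 0), "
    "proto TCP (SYN), 203.0.113.7:51240->192.168.88.1:23, len 60",
    "<134>Mar  3 10:15:09 MikroTik tor-drop input: in:ether1 out:(unknown 0), "
    "proto TCP (SYN), 198.51.100.20:40000->192.168.88.1:443, len 60",
    "<134>Mar  3 10:16:00 MikroTik user admin logged in from 192.168.88.10 via ssh",
    "<30>Mar  3 10:16:05 otherhost something unrelated",
]

def parse(line):
    """Return a dict for a well-formed local0 line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m.group(1)), 8)  # PRI = facility*8 + severity
    if facility != LOCAL0:
        return None  # not the facility the router was configured to send
    msg = m.group(3)
    first = msg.split(" ", 1)[0]
    rec = {"host": m.group(2), "severity": severity, "message": msg,
           "prefix": first if first in KNOWN_PREFIXES else None}
    flow = FLOW_RE.search(msg) if rec["prefix"] else None
    if flow:
        rec.update(src=flow.group(1), dst=flow.group(3), dport=int(flow.group(4)))
    return rec

def summarize(lines):
    """Count firewall hits per (log-prefix, source address)."""
    hits = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["prefix"] and "src" in rec:
            hits[(rec["prefix"], rec["src"])] += 1
    return hits
```

Matching the first word against a fixed set of prefixes keeps ordinary messages (such as the login line) from being treated as firewall tags, and the facility check drops datagrams that do not carry the facility configured on the router.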

NetFlow / IPFIX for traffic visibility

RouterOS supports NetFlow v5/v9 + IPFIX export (/ip traffic-flow). Useful for "who's using all the bandwidth"-style questions. Higher CPU cost than SNMP polling. Skip unless you have an actual collector consuming it.