I export the logs from my Mikrotik router to a remote instance of syslog-ng
and I wanted to send notifications to Telegram when a client connects to OpenVPN.
Log explanation
The logs look like this:
Apr 19 18:13:23 C.C.C.C ovpn,info mikrotik: TCP connection established from A.A.A.A
Apr 19 18:13:24 C.C.C.C ovpn,info mikrotik: : using encoding - AES-128-CBC/SHA1
Apr 19 18:13:24 C.C.C.C ovpn,info,account mikrotik: phone logged in, B.B.B.B from A.A.A.A
Apr 19 18:13:24 C.C.C.C ovpn,info mikrotik: ovpn.phone: connected
Apr 19 18:13:39 C.C.C.C ovpn,info mikrotik: ovpn.phone: terminating... - peer disconnected
Apr 19 18:13:40 C.C.C.C ovpn,info,account mikrotik: phone logged out, 17 0 0 0 0 from A.A.A.A
Apr 19 18:13:40 C.C.C.C ovpn,info mikrotik: ovpn.phone: disconnected
For the line

Apr 19 18:13:24 C.C.C.C ovpn,info,account mikrotik: phone logged in, B.B.B.B from A.A.A.A

the fields are:
- Date: Apr 19 18:13:24
- Host: C.C.C.C
- Message headers: ovpn,info,account
- Message: mikrotik: client logged in, B.B.B.B from A.A.A.A
- Router hostname: mikrotik
- Client's name: phone
- Client's public IP address: A.A.A.A
- Client's private IP address: B.B.B.B
syslog-ng configuration
The following is a valid configuration for syslog-ng.

    destination d_telegram {
        telegram(
            bot-id("")
            chat-id("")
            template("${ISODATE} - ${HOST} - ${MESSAGE}")
        );
    };

    filter f_mikrotik_ovpn {
        host("C.C.C.C")
        and match("ovpn,info,account" value("MSGHDR"))
        and match("logged in" value("MESSAGE"));
    };

    log { source(s_net); filter(f_mikrotik_ovpn); destination(d_telegram); };
Result
This is the resulting message in Telegram.
2022-04-19T18:13:24+02:00 - C.C.C.C - mikrotik: phone logged in, B.B.B.B from A.A.A.A
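To check which lines a filter like this lets through before wiring it to Telegram, the same three conditions can be replayed offline. This is an added example, not part of the original configuration: the function names, the sample addresses and the second router are constructed, and the host is compared exactly rather than as a pattern.

```python
import re

# Constructed sample lines in the format shown above. The addresses are
# documentation/private-range placeholders, not values from the post.
SAMPLE = """\
Apr 19 18:13:23 192.0.2.1 ovpn,info mikrotik: TCP connection established from 198.51.100.7
Apr 19 18:13:24 192.0.2.1 ovpn,info,account mikrotik: phone logged in, 10.8.0.2 from 198.51.100.7
Apr 19 18:13:24 192.0.2.1 ovpn,info mikrotik: ovpn.phone: connected
Apr 19 18:13:40 192.0.2.1 ovpn,info,account mikrotik: phone logged out, 17 0 0 0 0 from 198.51.100.7
Apr 19 18:14:02 192.0.2.9 ovpn,info,account mikrotik: laptop logged in, 10.8.0.3 from 198.51.100.8
"""

# Date, host, message headers, router hostname, then the rest of the message.
LINE_RE = re.compile(
    r"^(?P<date>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<headers>\S+) (?P<router>[^:\s]+): (?P<msg>.*)$"
)
# Login account message: client name, private IP address, public IP address.
LOGIN_RE = re.compile(
    r"^(?P<client>\S+) logged in, (?P<private_ip>\S+) from (?P<public_ip>\S+)$"
)


def parse_login(line, router_ip):
    """Return the login fields, or None where the filter would drop the line."""
    m = LINE_RE.match(line)
    if m is None or m["host"] != router_ip:      # host(): exact comparison here
        return None
    if m["headers"] != "ovpn,info,account":      # match(... value("MSGHDR"))
        return None
    login = LOGIN_RE.match(m["msg"])             # match("logged in" ...)
    if login is None:
        return None
    return {"date": m["date"], "router": m["router"], **login.groupdict()}


def logins(text, router_ip):
    """Parse every line of text and keep only the login events."""
    events = (parse_login(line, router_ip) for line in text.splitlines())
    return [e for e in events if e is not None]


if __name__ == "__main__":
    for event in logins(SAMPLE, "192.0.2.1"):
        print(event)
```

Of the five sample lines only the login from the expected router is kept; the logout, the non-account lines and the login reported by the other host are dropped.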
Expanding a bit
In "[...] logged out, 17 0 0 0 0 from [...]", the "17 0 0 0 0" seems to be a package count. What does it mean? No idea. The Mikrotik documentation does not say anything.
Mikrotik uses RFC3164 for remote logging.
Mikrotik defines ovpn as a topic and info and account as facilities. https://help.mikrotik.com/docs/display/ROS/Log