RouterOS visibility using Elastic Security
Author
Hilton D
Date Published

Having visibility into host events gives you an insider's view of what is happening on a desktop or server. This information is the primary domain for detecting threats on endpoints; however, it isn't always available, or is not available at all, for non-general-purpose operating systems.
This article gives you a jumping-off point for getting logs of all kinds from RouterOS into Elastic using Elastic Agent.
Here is an overview of the process:
1. Install the "Custom UDP" Elastic Agent integration.
2. Toggle "Syslog Parsing" on in the integration.
3. Add the integration to a host on the network that is reachable from the MikroTik router.
4. Add a logging configuration within /system/logging/.
The first three steps are pretty straightforward so I won't cover those in detail; however, the RouterOS config is a little unintuitive (surprise!) so I'll provide some example configurations below:

    /system logging action
    add bsd-syslog=yes name=elastic remote=192.168.1.2 syslog-time-format=iso8601 target=remote

That gives you an "action", which is RouterOS language for a log destination, which you can now use with the various logging topics available.
The first thing to note is that you CANNOT add multiple topics to a single action; you need to add each topic individually, for example:

    /system logging
    add action=elastic topics=firewall
    add action=elastic topics=system

The above tells RouterOS to send firewall and system logs (privileged actions, generally speaking) to Elastic.

Now, before you add the ssh topic, beware: by default RouterOS will log every packet received by the ssh service, which has a high probability of crashing your router if your memory buffer has no limit!
To avoid this, you can exclude specific topics (prefix them with !):

    add action=elastic topics=ssh,!packet,!debug

With this data in Elastic, you have heaps of opportunities to detect malicious activity on your RouterOS devices!
TODO
Mangle the syslog data into an ECS-compatible format using an ingest pipeline.
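To show what that ECS mangling involves, and what a first detection over the resulting fields looks like, here is an added example in Python (not code from the article, Elastic or MikroTik). It assumes the router was configured with bsd-syslog=yes and syslog-time-format=iso8601 as above, so each datagram arrives as "<PRI>TIMESTAMP HOSTNAME TOPICS MESSAGE"; the firewall message layout it parses ("[prefix ]chain: in:if out:if, [src-mac mac,] proto P [(flags)], src->dst, len n") follows the usual RouterOS firewall log format, but real output varies with each rule's log-prefix, so the regexes are a starting point rather than a complete grammar. The sample lines, the "routeros.*" dataset and field names, and the SSH SYN-count detection are all constructed for this example. The ECS field names used (source.ip, destination.port, log.syslog.severity.code, observer.ingress.interface.name, rule.name and so on) are real ECS fields, which is what lets the Elastic Security detection rules work on the data.

```python
"""Parse RouterOS BSD-syslog lines into ECS-style fields and run a small detection.

Added example, not part of the original article or of any Elastic/MikroTik code.
Assumes bsd-syslog=yes and syslog-time-format=iso8601 on the router, so each
datagram is "<PRI>TIMESTAMP HOSTNAME TOPICS MESSAGE" where TOPICS is the
comma-separated RouterOS topic list (e.g. firewall,info). All sample lines below
are constructed; "routeros.*" keys are custom (non-ECS) names chosen here.
"""
import re
from collections import Counter

# Standard syslog severity names, index = severity code (RFC 3164 / RFC 5424)
SEVERITY_NAMES = ["emergency", "alert", "critical", "error",
                  "warning", "notice", "informational", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) (?P<topics>[a-z,!]+) (?P<msg>.*)$"
)

# RouterOS firewall log line; the optional prefix is the rule's log-prefix.
FIREWALL_RE = re.compile(
    r"^(?:(?P<prefix>.*?) )?(?P<chain>[\w-]+): "
    r"in:(?P<in_if>.+?) out:(?P<out_if>[^,]+),"
    r"(?: src-mac (?P<src_mac>[0-9a-f:]+),)?"
    r" proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?,"
    r" (?P<src_ip>[0-9.]+)(?::(?P<src_port>\d+))?->(?P<dst_ip>[0-9.]+)(?::(?P<dst_port>\d+))?,"
    r" len (?P<len>\d+)"
)

# "system,info,account" login message, e.g. "user admin logged in from 192.168.1.5 via ssh"
ACCOUNT_RE = re.compile(r"^user (?P<user>\S+) logged in from (?P<ip>\S+) via (?P<via>\S+)$")

# Constructed sample datagrams (PRI 134 = local0.info)
SAMPLE_LINES = [
    "<134>2024-05-01T10:15:30Z gw-1 firewall,info forward: in:ether1 out:bridge, src-mac aa:bb:cc:dd:ee:ff, proto TCP (SYN), 203.0.113.5:51234->192.168.1.10:22, len 60",
    "<134>2024-05-01T10:15:31Z gw-1 firewall,info forward: in:ether1 out:bridge, src-mac aa:bb:cc:dd:ee:ff, proto TCP (SYN), 203.0.113.5:51235->192.168.1.10:22, len 60",
    "<134>2024-05-01T10:15:32Z gw-1 firewall,info forward: in:ether1 out:bridge, src-mac aa:bb:cc:dd:ee:ff, proto TCP (SYN), 203.0.113.5:51236->192.168.1.10:22, len 60",
    "<134>2024-05-01T10:15:40Z gw-1 firewall,info ssh-in input: in:ether1 out:(unknown 0), proto TCP (SYN), 198.51.100.7:40001->192.168.1.1:22, len 52",
    "<134>2024-05-01T10:16:02Z gw-1 firewall,info forward: in:bridge out:ether1, proto UDP, 192.168.1.20:5353->224.0.0.251:5353, len 80",
    "<134>2024-05-01T10:16:10Z gw-1 system,info,account user admin logged in from 192.168.1.5 via ssh",
]


def _firewall_fields(msg):
    """Map a RouterOS firewall message onto ECS network fields (empty dict if no match)."""
    fw = FIREWALL_RE.match(msg)
    if not fw:
        return {}
    fields = {
        "event.category": ["network"],
        "event.action": fw["chain"],
        "observer.ingress.interface.name": fw["in_if"],
        "observer.egress.interface.name": fw["out_if"],
        "network.transport": fw["proto"].lower(),
        "source.ip": fw["src_ip"],
        "destination.ip": fw["dst_ip"],
        "network.bytes": int(fw["len"]),
    }
    if fw["prefix"]:
        fields["rule.name"] = fw["prefix"]
    if fw["src_mac"]:
        fields["source.mac"] = fw["src_mac"]
    if fw["src_port"]:
        fields["source.port"] = int(fw["src_port"])
    if fw["dst_port"]:
        fields["destination.port"] = int(fw["dst_port"])
    if fw["flags"]:
        fields["routeros.tcp_flags"] = fw["flags"]  # custom field, not ECS
    return fields


def parse_line(line):
    """Return a flat dict keyed by dotted ECS-style names, or None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    topics = m["topics"].split(",")
    event = {
        "@timestamp": m["ts"],
        "host.name": m["host"],
        "log.syslog.priority": pri,
        "log.syslog.facility.code": pri // 8,  # PRI = facility * 8 + severity
        "log.syslog.severity.code": pri % 8,
        "log.syslog.severity.name": SEVERITY_NAMES[pri % 8],
        "event.dataset": "routeros." + topics[0],  # naming chosen for this example
        "tags": topics,
        "message": m["msg"],
    }
    if topics[0] == "firewall":
        event.update(_firewall_fields(m["msg"]))
    elif "account" in topics:
        acct = ACCOUNT_RE.match(m["msg"])
        if acct:
            event.update({"event.category": ["authentication"], "event.action": "logged-in",
                          "user.name": acct["user"], "source.ip": acct["ip"],
                          "network.protocol": acct["via"]})
    return event


def noisy_ssh_sources(events, threshold=3):
    """Count TCP SYNs to port 22 per source IP; return sources at or above the threshold."""
    counts = Counter()
    for e in events:
        if (e.get("network.transport") == "tcp" and e.get("destination.port") == 22
                and "SYN" in e.get("routeros.tcp_flags", "")):
            counts[e["source.ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    events = [e for e in map(parse_line, SAMPLE_LINES) if e]
    for e in events:
        print(e["event.dataset"], e.get("source.ip"), e.get("destination.port"), e.get("user.name"))
    print("noisy SSH sources:", noisy_ssh_sources(events))
```

The same mapping can be expressed as grok and set processors in an Elastic ingest pipeline; keeping the regexes and the dotted field names together in one place, as above, makes it easy to test the parsing against captured lines before committing them to the pipeline. Note the input chain's out:(unknown 0) value, which contains a space and breaks any pattern that assumes interface names are single tokens.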
