Describe the bug
The Mikrotik parser is not parsing lines with TCP packets, only UDP.
My Logs:
2024-01-14T13:31:24.184+02:00 192.168.10.2 HOST=192.168.10.2 HOST_FROM=192.168.10.2 LEGACY_MSGHDR="firewall,info " MESSAGE="CRW_IN input: in:WAN out:(unknown 0), connection-state:new proto TCP (SYN), 31.220.3.120:61000->111.111.111.111:19827, len 44" PROGRAM=firewall,info SOURCE=s_network_udp
2024-01-14T13:31:24.184+02:00 192.168.10.2 HOST=192.168.10.2 HOST_FROM=192.168.10.2 LEGACY_MSGHDR="firewall,info " MESSAGE="CRW_IN input: in:WAN out:(unknown 0), connection-state:new proto TCP (SYN), 31.220.3.120:61000->111.111.111.111:49928, len 44" PROGRAM=firewall,info SOURCE=s_network_udp
2024-01-14T13:31:24.184+02:00 192.168.10.2 HOST=192.168.10.2 HOST_FROM=192.168.10.2 LEGACY_MSGHDR="firewall,info " MESSAGE="CRW_IN input: in:WAN out:(unknown 0), connection-state:new src-mac 40:a6:b7:7f:9a:00, proto UDP, 42.91.179.78:9209->111.111.111.111:20767, len 143" PROGRAM=firewall,info SOURCE=s_network_udp
(Interface and public IP are edited.)
My WAN interface is a PPPoE connection.
I managed to narrow it down to UDP vs. TCP by allowing very few logs to be generated, and with the metrics I was able to identify that the parser only parses UDP packets. I think it is discarding the TCP field because it has an additional value, TCP (SYN).
Expected behavior
The parser should parse both TCP and UDP packets from Mikrotik logs (ROS 7.11).
Additional context
Acquisition Metrics:
+---------------------------------------+------------+--------------+----------------+------------------------+
| Source                                | Lines read | Lines parsed | Lines unparsed | Lines poured to bucket |
+---------------------------------------+------------+--------------+----------------+------------------------+
| file:/var/log/rsyslog/messages-kv.log | 692        | 417          | 275            | 295                    |
+---------------------------------------+------------+--------------+----------------+------------------------+
Bucket Metrics:
+--------------------------------+---------------+-----------+--------------+--------+---------+
| Bucket                         | Current Count | Overflows | Instantiated | Poured | Expired |
+--------------------------------+---------------+-----------+--------------+--------+---------+
| a1ad/mikrotik-scan-multi_ports | 19            | -         | 294          | 295    | 275     |
+--------------------------------+---------------+-----------+--------------+--------+---------+
Parser Metrics:
+--------------------------------+------+--------+----------+
| Parsers                        | Hits | Parsed | Unparsed |
+--------------------------------+------+--------+----------+
| a1ad/mikrotik-logs             | 692  | 417    | 275      |
| child-a1ad/mikrotik-logs       | 967  | 417    | 550      |
| crowdsecurity/dateparse-enrich | 417  | 417    | -        |
| crowdsecurity/geoip-enrich     | 417  | 417    | -        |
| crowdsecurity/non-syslog       | 692  | 692    | -        |
| crowdsecurity/whitelists       | 417  | 417    | -        |
+--------------------------------+------+--------+----------+
Local API Metrics:
+----------------------+--------+------+
| Route                | Method | Hits |
+----------------------+--------+------+
| /v1/alerts           | GET    | 1    |
| /v1/decisions/stream | GET    | 185  |
| /v1/heartbeat        | GET    | 15   |
| /v1/watchers/login   | POST   | 2    |
+----------------------+--------+------+
Local API Machines Metrics:
+-----------+---------------+--------+------+
| Machine   | Route         | Method | Hits |
+-----------+---------------+--------+------+
| localhost | /v1/alerts    | GET    | 1    |
| localhost | /v1/heartbeat | GET    | 15   |
+-----------+---------------+--------+------+
Local API Bouncers Metrics:
+------------------+----------------------+--------+------+
| Bouncer          | Route                | Method | Hits |
+------------------+----------------------+--------+------+
| mikrotik-bouncer | /v1/decisions/stream | GET    | 185  |
+------------------+----------------------+--------+------+
Local API Decisions:
+--------------------------------+----------+--------+-------+
| Reason                         | Origin   | Action | Count |
+--------------------------------+----------+--------+-------+
| a1ad/mikrotik-bf               | CAPI     | ban    | 100   |
| a1ad/mikrotik-scan-multi_ports | CAPI     | ban    | 103   |
| a1ad/mikrotik-scan-multi_ports | crowdsec | ban    | 12    |
| crowdsecurity/ssh-bf           | CAPI     | ban    | 14758 |
| crowdsecurity/ssh-slow-bf      | CAPI     | ban    | 39    |
+--------------------------------+----------+--------+-------+
All the parsed lines are only lines with UDP packets.
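An added example (editor's code, not the a1ad/mikrotik-logs parser or any other CrowdSec code) that reproduces the failure mode the reporter suspects and shows the fix at the pattern level. The real parser is a grok expression in a CrowdSec YAML file; here the same idea is written as Python regexes so it can be run against the MESSAGE payloads quoted in the report. `NARROW_RE` is a hypothetical reconstruction of a pattern that expects `proto NAME,` with nothing between the protocol name and the comma, which is exactly what a `(SYN)` flag group breaks; `FIXED_RE` makes that parenthesised group optional and captures it. The fourth sample line is constructed, not from the report, and assumes MikroTik's port-less `proto ICMP (type 8, code 0), a.b.c.d->e.f.g.h` form; `parse_message` and `count_parsed` are names chosen for this example.

```python
import re
from typing import Optional

# The three MESSAGE="..." payloads from the log lines in the report above
# (interface and public IP already edited by the reporter), plus one
# constructed ICMP line (not from the report) to show the port-less ICMP form.
SAMPLE_MESSAGES = [
    "CRW_IN input: in:WAN out:(unknown 0), connection-state:new proto TCP (SYN), "
    "31.220.3.120:61000->111.111.111.111:19827, len 44",
    "CRW_IN input: in:WAN out:(unknown 0), connection-state:new proto TCP (SYN), "
    "31.220.3.120:61000->111.111.111.111:49928, len 44",
    "CRW_IN input: in:WAN out:(unknown 0), connection-state:new src-mac 40:a6:b7:7f:9a:00, "
    "proto UDP, 42.91.179.78:9209->111.111.111.111:20767, len 143",
    # constructed example line, assumed MikroTik ICMP format
    "CRW_IN input: in:WAN out:(unknown 0), connection-state:new proto ICMP (type 8, code 0), "
    "203.0.113.5->111.111.111.111, len 84",
]

# Shared prefix: log prefix, chain, interfaces, connection state, optional src-mac.
_HEAD = (
    r"^(?P<prefix>\S+) (?P<chain>\S+): in:(?P<in_if>\S+) out:(?P<out_if>.+?), "
    r"connection-state:(?P<state>\S+) "
    r"(?:src-mac (?P<src_mac>[0-9a-fA-F:]{17}), )?"
)
# Shared suffix: address pair (ports optional, ICMP has none) and packet length.
_TAIL = (
    r"(?P<src_ip>\d+(?:\.\d+){3})(?::(?P<src_port>\d+))?"
    r"->(?P<dst_ip>\d+(?:\.\d+){3})(?::(?P<dst_port>\d+))?, "
    r"len (?P<len>\d+)$"
)

# Narrow pattern of the kind the reporter suspects (hypothetical, not the
# project's grok): "proto NAME," must be immediately followed by the comma,
# so "proto TCP (SYN)," can never match and every TCP line is unparsed.
NARROW_RE = re.compile(_HEAD + r"proto (?P<proto>[A-Z]+), " + _TAIL)

# Fixed pattern: the parenthesised group after the protocol name is optional
# and captured, so TCP flags ("SYN", "ACK,PSH") and ICMP type/code become a
# field instead of breaking the match.
FIXED_RE = re.compile(
    _HEAD + r"proto (?P<proto>[A-Z]+)(?: \((?P<flags>[^)]*)\))?, " + _TAIL
)


def parse_message(msg: str, pattern: re.Pattern = FIXED_RE) -> Optional[dict]:
    """Parse one MikroTik firewall MESSAGE payload into a dict, or None if unparsed."""
    m = pattern.match(msg)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "len"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    return rec


def count_parsed(messages, pattern):
    """Return (parsed, unparsed), the two numbers cscli's Parser Metrics report."""
    results = [parse_message(m, pattern) for m in messages]
    parsed = sum(1 for r in results if r is not None)
    return parsed, len(results) - parsed


if __name__ == "__main__":
    for name, pat in (("narrow", NARROW_RE), ("fixed", FIXED_RE)):
        print(name, "parsed/unparsed:", count_parsed(SAMPLE_MESSAGES, pat))
    for msg in SAMPLE_MESSAGES:
        rec = parse_message(msg)
        print(rec["proto"], rec["flags"], rec["src_ip"], rec["dst_port"])
```

With the narrow pattern only the UDP line parses and the two TCP lines land in the "Unparsed" column, which is the split the report's Parser Metrics show; with the optional flag group all lines parse and the flags are available as a field, so a scenario can, for instance, count only `SYN` packets when looking for port scans. Whether the shipped grok actually fails for this reason has to be confirmed against the parser's YAML; this block only demonstrates that the reporter's hypothesis produces the observed behaviour.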