Microsoft Tech Community

Incorrect Mikrotik Logs in Sentinel

Copper Contributor

Hi,

I'm having a hard time ingesting Mikrotik logs into Sentinel. They are sent from the server that has the log forwarder agent installed. Mikrotik uses the RFC3614 log format, and while the log reaches the server in one piece (please see screenshot 1 below), Sentinel displays the logs in pieces (please see screenshot 2).

Screenshot 1: terminal_logs.png

Screenshot 2: logs_pieces.png

In addition, the fields inside the logs are also incorrect and the syslog message is incomplete; for instance, 'ProcessName' is an IP address taken from the content of the 'SyslogMessage', not the actual process that generated the log (in my case rsyslogd).

Screenshot 3: wrong_log.png

Is there a way to get the log in one piece inside Sentinel? I've seen that parsing logs inside Sentinel is possible, but it doesn't help in my case, as the syslog message in Sentinel is not complete. Any advice or help is more than appreciated.

Ty.
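As an added illustration (not code from the original post, the Sentinel agent, or MikroTik; the sample records below are constructed and the function names are assumptions), this shows the two symptoms described above from the parser's side: a reader that splits the RFC 3164 TAG at the first colon attributes message content to ProcessName when a record carries no TAG, and newline framing turns a record with an embedded newline into separate pieces, the second of which no longer parses as syslog.

```python
import re
from typing import Optional

# Added example, not from the original thread. RFC 3164 layout:
#   <PRI>TIMESTAMP HOSTNAME TAG[PID]: CONTENT
# TAG is at most 32 alphanumeric characters, ended by '[' or ':'.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.DOTALL,
)
TAG_RE = re.compile(
    r"^(?P<tag>[A-Za-z0-9]{1,32})(?:\[(?P<pid>\d+)\])?:\s?(?P<content>.*)$",
    re.DOTALL,
)


def split_tag_naive(msg: str) -> tuple[Optional[str], str]:
    """Everything before the first ':' becomes the process name, unvalidated."""
    head, sep, rest = msg.partition(":")
    return (head, rest.lstrip()) if sep else (None, msg)


def split_tag_strict(msg: str) -> tuple[Optional[str], str]:
    """Accept only a well-formed RFC 3164 TAG; otherwise keep MSG whole."""
    m = TAG_RE.match(msg)
    return (m["tag"], m["content"]) if m else (None, msg)


def parse(line: str, strict: bool = True) -> dict:
    """Parse one syslog record into the kind of fields a Syslog table exposes."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 record: {line!r}")
    pri = int(m["pri"])
    tag, content = (split_tag_strict if strict else split_tag_naive)(m["msg"])
    return {"facility": pri >> 3, "severity": pri & 7, "host": m["host"],
            "process_name": tag, "message": content}


def frame_by_newline(stream: str) -> list[str]:
    """Plain syslog readers end a record at each newline (no octet counting)."""
    return [s for s in stream.split("\n") if s]


# Constructed MikroTik-style record: topics "firewall,info" plus a prefix, no TAG.
FIREWALL = ("<134>Apr  3 10:15:42 router1 firewall,info input: in:ether1 "
            "out:(unknown 0), proto TCP (SYN), 192.0.2.10:51234->198.51.100.20:443")
# Constructed record whose text contains an embedded newline.
TWO_LINE = "<134>Apr  3 10:15:43 router1 system,info,account user admin logged in\n via winbox"
```

Running `parse(FIREWALL, strict=False)` yields the bogus process name `firewall,info input`, while the strict parser leaves ProcessName empty and keeps the whole message; `frame_by_newline(TWO_LINE)` yields two pieces, and only the first one parses.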

2 Replies
You should open a ticket to get support for this issue.

@GBushey thank you for the advice. I've just submitted a ticket and I am going to share the solution here if this issue gets resolved successfully.