/log print

Paste this on router:

Add /flash before "/seclog" if your device have flash, or you lost the logs on reboot.

Code:Select all

/system logging action add disk-file-count=10 name=SaveToDisk target=disk disk-file-name=/seclog /system logging add action=SaveToDisk prefix=SEC topics=system,error,critical

You can't go back because the log is limited to 1000 lines, but with this "addon" your last 10.000 lines are saved on disk, and on future you can see more far.

You can increase the line limit per log file, I use 4096 without any problem.

Ideally these log files are written to disk, even better external disk.
You could also use an external syslog server where all log lines are being sent to (and then you can do what you want).

How do I know if my router has 'flash'?

:put [:len [/file find where name="flash" and type="disk"]]

Do not exceed lines per log, it consume router memory, better have more files.

How do I know if my router has 'flash'?

Check twice what you paste, something is lost on meantime...
after target=disk is present disk-file-name=/seclog

Paste this on terminal, if you obtain 1, is a Flash, if is a 0, is a NAND

Code:Select all

:put [:len [/file find where name="flash" and type="disk"]]

After you connect the external disk, just change from (/flash)/seclog to /disk_name_here/seclog on winbox/webfig and you can increase the file number from 10 to what you want.
Do not exceed lines per log, it consume router memory, better have more files.

paste the result of this command on forum:
/ip service export verbose

remove serial number and public IP, if any, but do not remove any other line

# apr/26/2023 14:26:20 by RouterOS 7.4 # software id = JCY8-AFLA # # model = RB2011iL # serial number = XXXXXXXXXXXXX /ip service set telnet address="" disabled=no port=23 vrf=main set ftp address="" disabled=no port=21 set www address="" disabled=no port=80 vrf=main set ssh address="" disabled=no port=22 vrf=main set www-ssl address="" certificate=none disabled=yes port=443 tls-version=any vrf=main set api address="" disabled=no port=8728 vrf=main set winbox address="" disabled=no port=8291 vrf=main set api-ssl address="" certificate=none disabled=no port=8729 tls-version=any vrf=main

Most likely some bot or service on your network trying to scan or even get in.
Some reported this behavior from a virus scanner doing this scanning on the network.

Your FTP service is enabled so a possible entry point.
If not needed, disable.

Most likely some bot or service on your network trying to scan or even get in.
Some reported this behavior from a virus scanner doing this scanning on the network.

Your FTP service is enabled so a possible entry point.
If not needed, disable.

等等,这行为viour could be an anti virus scanning the network?

You can increase the line limit per log file, I use 4096 without any problem.

等等,这行为viour could be an anti virus scanning the network?

Yes. The same experience from other Mikrotik userviewtopic.php?p=988766&#p988766

You can increase the line limit per log file, I use 4096 without any problem.

This can be large if you wish .....
Sending all important logs to the hEX with DUDE. DUDE has the syslog function built in.
Filtered DUDElog is written to disk via the log system of the hEX

Here external disk, because of volume and many rewrites.
Rolling set of 900 files with 32000 lines each.
32000 limit, as practical limit, because consultation is via files download over 4G connection.

Klembord-2.jpg

Syslog can be network service on whatever ( virtual machine, raspberry pi, Linux computer, ...).

I use USB drive on RB5009 as external disk, also did this on Hex.

No, not all do.