From bfe2cbf575e4682db86c04044e90f7f997f7de04 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Fri, 23 Sep 2022 19:50:16 +0200
Subject: drop 'netwatch-syslog'
To filter in firewall you should use something like this:
/ip/firewall/filter/add action=reject chain=output out-interface-list=WAN port=514 protocol=udp reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add action=reject chain=forward out-interface-list=WAN port=514 protocol=udp reject-with=icmp-admin-prohibited;
---
 README.md | 1 -
 doc/netwatch-syslog.md | 37 ++++---------------------------------
 global-config.changes | 1 +
 global-functions | 2 +-
 netwatch-syslog | 17 -----------------
 5 files changed, 6 insertions(+), 52 deletions(-)
 delete mode 100644 netwatch-syslog
diff --git a/README.md b/README.md
index be52699..c670fd0 100644
--- a/README.md
+++ b/README.md
@@ -195,7 +195,6 @@ Available scripts
 * [Mode button with multiple presses](doc/mode-button.md)
 * [Manage DNS and DoH servers from netwatch](doc/netwatch-dns.md)
 * [Notify on host up and down](doc/netwatch-notify.md)
-* [Manage remote logging](doc/netwatch-syslog.md)
 * [Visualize OSPF state via LEDs](doc/ospf-to-leds.md)
 * [Manage system update](doc/packages-update.md)
 * [Run scripts on ppp connection](doc/ppp-on-up.md)
diff --git a/doc/netwatch-syslog.md b/doc/netwatch-syslog.md
index 760d98f..6a337d4 100644
--- a/doc/netwatch-syslog.md
+++ b/doc/netwatch-syslog.md
@@ -1,34 +1,5 @@
-Manage remote logging
-=====================
+This script has been dropped. Filtering in firewall is advised, which should
+look something like this:
-[◀ Go back to main README](../README.md)
-
-Description
------------
-
-RouterOS supports sending log messages via network to a remote syslog server.
-If the server is not available no log messages (with potentially sensitive
-information) should be sent. This script disables remote logging by
-availability.
-
-Requirements and installation
------------------------------
-
-Let's assume there is a remote log action and associated logging rule:
-
- /system/logging/action/set remote=10.0.0.1 [ find where name="remote" ];
- /system/logging/add action=remote topics=info;
-
-Just install the script:
-
- $ScriptInstallUpdate netwatch-syslog;
-
-... and create a netwatch matching the IP address from logging action above:
-
- /tool/netwatch/add down-script=netwatch-syslog host=10.0.0.1 up-script=netwatch-syslog;
-
-All logging rules are disabled when host is down.
-
----
-[◀ Go back to main README](../README.md)
-[▲ Go back to top](#top)
+ /ip/firewall/filter/add action=reject chain=output out-interface-list=WAN port=514 protocol=udp reject-with=icmp-admin-prohibited;
+ /ip/firewall/filter/add action=reject chain=forward out-interface-list=WAN port=514 protocol=udp reject-with=icmp-admin-prohibited;
diff --git a/global-config.changes b/global-config.changes
index 6dc8df6..4bd302f 100644
--- a/global-config.changes
+++ b/global-config.changes
@@ -93,6 +93,7 @@
 82="Renamed the comment parameter 'hostname' to just 'name' for 'netwatch-notify'.";
 83="Introduced new setting to disable news and change notifications, dropped version from configuration.";
 84="Support for e-mail notifications moved to a module. It is installed automatically if required.";
+ 85="Dropped 'netwatch-syslog', filtering in firewall is advised.";
 };
 # Migration steps to be applied on script updates
diff --git a/global-functions b/global-functions
index 8fc3386..e24cf3c 100644
--- a/global-functions
+++ b/global-functions
@@ -10,7 +10,7 @@
 :local 0 "global-functions";
 # expected configuration version
-:global ExpectedConfigVersion 84;
+:global ExpectedConfigVersion 85;
 # global variables not to be changed by user
 :global GlobalFunctionsReady false;
diff --git a/netwatch-syslog b/netwatch-syslog
deleted file mode 100644
index 1d9f37b..0000000
--- a/netwatch-syslog
+++ /dev/null
@@ -1,17 +0,0 @@
-#!rsc by RouterOS
-# RouterOS script: netwatch-syslog
-# Copyright (c) 2013-2022 Christian Hesse
-# https://git.eworm.de/cgit/routeros-scripts/about/COPYING.md
-#
-# requires: dont-require-permissions=yes
-#
-# manage remote logging facilities
-# https://git.eworm.de/cgit/routeros-scripts/about/doc/netwatch-syslog.md
-
-:local Remote [ /system/logging/action/get ([ find where target=remote ]->0) remote ];
-
-if ([ /tool/netwatch/get [ find where host=$Remote up-script="netwatch-syslog" down-script="netwatch-syslog" ] status ] = "up") do={
- /system/logging/set disabled=no [ find where action=remote disabled=yes ];
-} else={
- /system/logging/set disabled=yes [ find where action=remote disabled=no ];
-}
--
cgit v1.2.3-54-g00ecf