Update Mikrotik collection

collections/a1ad/mikrotik.md

@@ -5,7 +5,6 @@ A collection to defend [Mikrotik](https://mikrotik.com/) firewall against portsc
 - Mikrotik portscan scenario
 - Mikrotik brute force scenario
 
-You need to set up a remote syslog server. There is no crowdsec client on the Mikrotik, so log parsing needs to be done on the rsyslog server.
 Do not forget to set "Firewall" flag in the remote log settings and create a drop rule with logging active.
 For brute force detection you need to set the "error" flag.
 
@@ -15,10 +14,25 @@ As bouncer you can use the [cs-mikrotik-bouncer](https://hub.crowdsec.net/author
 
 Example acquisition for this collection :
 
+Option number 1:
+Setup local Syslog server to feed the Syslog to the crowdsec parser
+
 ```yaml
 ---
 filenames:
  - /var/log/rsyslog/10.10.10.1/syslog.log
 labels:
   type: mikrotik
 ```
+
+Option number 2:
+Using built-in [Crowdsec SyslogServer](https://docs.crowdsec.net/docs/data_sources/syslog) to receive events, for style compatibility, enable BSD syslog style in crowdsec log action in your RouterOS.
+
+```yaml
+---
+source: syslog
+listen_addr: #IP_ADDRESS_of_Crowdsec
+listen_port: #Portnumber_you_want_syslog_listen_on_it
+labels:
+ type: mikrotik
+```

parsers/s01-parse/a1ad/mikrotik-logs.md

@@ -1,13 +1,29 @@
 Parser for [Mikrotik](https://mikrotik.com/) Logs.
 
-You need to set up a remote syslog server. There is no crowdsec client on the Mikrotik, so log parsing needs to be done on the rsyslog server.
 Do not forget to set "Firewall" flag in the remote log settings and create a drop rule with logging active.
 For user authentication you need to set the "error" flag.
 
+## Acquisition template
+
+Option number 1:
+Setup local Syslog server to feed the Syslog to the crowdsec parser
+
 ```yaml
 ---
 filenames:
  - /var/log/rsyslog/10.10.10.1/syslog.log
 labels:
   type: mikrotik
 ```
+
+Option number 2:
+Using built-in [Crowdsec SyslogServer](https://docs.crowdsec.net/docs/data_sources/syslog) to receive events, for style compatibility, enable BSD syslog style in crowdsec log action in your RouterOS.
+
+```yaml
+---
+source: syslog
+listen_addr: #IP_ADDRESS_of_Crowdsec
+listen_port: #Portnumber_you_want_syslog_listen_on_it
+labels:
+ type: mikrotik
+```

parsers/s01-parse/a1ad/mikrotik-logs.yaml

@@ -4,8 +4,8 @@ filter: "evt.Parsed.program == 'mikrotik'"
 name: a1ad/mikrotik-logs
 description: "Parse Mikrotik logs"
 pattern_syntax:
-  MIKROTIK_FIREWALL_DROP: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* %{DATA:tag} input: in:%{DATA:if_in} out:%{DATA:if_out}, connection-state:%{DATA:connection_state} src-mac %{MAC:src_mac}, proto %{WORD:proto}.*, %{IP:source_ip}:%{INT:src_port}->%{IP:dst_ip}:%{INT:dst_port}, len %{INT:length}"
-  MIKROTIK_AUTH_FAILED: "%{TIMESTAMP_ISO8601:timestamp} %{HOSTNAME} .* login failure for user %{USERNAME:invalid_user} from %{IP:source_ip}"
+  MIKROTIK_FIREWALL_DROP: "(%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp}) %{DATA:HOSTNAME} %{DATA:chain}: in:%{DATA:if_in} out:%{DATA:if_out}, ?(%{GREEDYDATA})? connection-state:%{DATA:connection_state}(?: src-mac %{MAC:src_mac},)? proto %{WORD:proto}?(%{GREEDYDATA})?, %{IP:source_ip}(?::%{INT:src_port})?->%{IP:dst_ip}(?::%{INT:dst_port})?"
+  MIKROTIK_AUTH_FAILED: "(%{SYSLOGTIMESTAMP:timestamp}|%{TIMESTAMP_ISO8601:timestamp}) %{DATA:HOSTNAME} (AUTH_FAILED: )?login: failure for user %{USERNAME:invalid_user} from (%{MAC:source_mac}|%{IP:source_ip}) via %{DATA:application}"
 nodes:
   - grok:
      name: "MIKROTIK_FIREWALL_DROP"

scenarios/a1ad/mikrotik-bf.yaml

@@ -18,7 +18,7 @@ labels:
   label: "Mikrotik Bruteforce"
   remediation: true
 ---
-# meshcentral user-enum
+# Mikrotik user-enum
 type: leaky
 name: a1ad/mikrotik-bf_user-enum
 description: "Detect mikrotik user enum bruteforce"