Mikrotik: Add parser for multiline DHCP events

[ehlo550]

What is the sc4s version?
3.32.0

Is there a pcap available? If so, would you prefer to attach it to this issue or send it to Splunk support?
Splunk support

What the vendor name?
Mikrotik

What's the product name?
routeros

Do you have syslog documentation or a manual for that device??
https://help.mikrotik.com/docs/spaces/ROS/pages/328094/Log

Feature Request description:
This routers are able to emit dhcp logs.
Unfortunately these logs are Multiline logs with indentation

<24>Oct 24 10:24:01 ab-cde2fgh01 AA-BB-PROD received request id 1234567891 from 10.10.10.10 '1:0:11:22:33:44:aa'
<24>Oct 24 10:24:01 ab-cde2fgh01     secs = 1
<24>Oct 24 10:24:01 ab-cde2fgh01     ciaddr = 10.10.10.10
<24>Oct 24 10:24:01 ab-cde2fgh01     chaddr = 00:11:22:33:44:AA
<24>Oct 24 10:24:01 ab-cde2fgh01     Host-Name = "serverling01"
<24>Oct 24 10:24:01 ab-cde2fgh01     Msg-Type = request
<24>Oct 24 10:24:01 ab-cde2fgh01     Parameter-List = Subnet-Mask,Unknown(2),Domain-Server,Host-Name,Domain-Name,Interface-MTU,Broadcast-Address,Classless-Route,Router,Static-Route,Unknown(40),Unknown(41),NTP-Server,Domain-Search,MS-Classless-Route,Auto-Proxy-Config,Unknown(17)
<24>Oct 24 10:24:01 ab-cde2fgh01     Max-DHCP-Message-Size = 65535
<24>Oct 24 10:24:01 ab-cde2fgh01     Client-Id = 01-00-11-22-33-44-AA
<24>Oct 24 10:24:01 ab-cde2fgh01 lease bound, extending
<24>Oct 24 10:24:01 ab-cde2fgh01 AA-BB-PROD on vlan123-ABC-AA-BB-PROD sending ack with id 1234567891 to 10.10.10.10
<24>Oct 24 10:24:01 ab-cde2fgh01     ciaddr = 10.10.10.10
<24>Oct 24 10:24:01 ab-cde2fgh01     yiaddr = 10.10.10.10
<24>Oct 24 10:24:01 ab-cde2fgh01     siaddr = 10.10.10.254
<24>Oct 24 10:24:01 ab-cde2fgh01     chaddr = 00:11:22:33:44:AA
<24>Oct 24 10:24:01 ab-cde2fgh01     Subnet-Mask = 255.255.255.0
<24>Oct 24 10:24:01 ab-cde2fgh01     NTP-Server = 10.10.10.253,10.10.11.10,10.10.12.11
<24>Oct 24 10:24:01 ab-cde2fgh01     Address-Time = 3600
<24>Oct 24 10:24:01 ab-cde2fgh01     Msg-Type = ack
<24>Oct 24 10:24:01 ab-cde2fgh01     Server-Id = 10.10.10.254

Do you want to have it for local usage or prepare a github PR?
I would take either

[cwadhwani-splunk]

Hello @ehlo550 ,
Upon reviewing this multiline issue, we've noted that grouping-by() is typically used to handle multiline events by detecting a specific identifier in the last line to signal the end of an event, allowing all preceding messages to be grouped as a single log. However, for MikroTik RouterOS logs, it appears that identifying a unique identifier in the last line may not be straightforward.

To develop a more generalized parser, could you provide additional log samples for further analysis? This would allow us to look for the patterns across various event types. You can create a support ticket and attach the PCAP file there.

[ehlo550]

Hi,
Sure I already have a support ticket open.
Can i provide the support ticket number via Slack ?

Regards
Stefan

[cwadhwani-splunk]

Yes that will work. You can also post the support ticket number here, this will help in better tracking.

[ehlo550]

Ok.
Case # 3603201

I will add the pcap to the case but I fear this mikrotik device only emits dhcp logs.