Watch the network with Mikrotik Netwatch

Whenever you have a network with more than a few devices or more than a couple users, you will need to know more about the network health. Whether you are just an advanced user, system administrator or technical support engineer, knowing the status of all devices inside the network is necessary.

We can use a full-scale network monitoring solution (NMS), like the Mikrotik Dude. However, we can fulfill our goal in a simpler yet effective manner. Mikrotik RouterOS includes some cool features. We can utilize the Netwatch service to check availability of the hosts inside the network.

We need either the Mikrotik Routerboard (hardware based) or x86 PC (software only solution). Regardless of the platform, the RouterOS software is the same. Therefore, we can use any of them. Hardware appliances have a distinct advantage over software solution; they can tolerate wide range of the working temperatures and without having the moving parts they can last for years.


How all this works

The Netwatch service is very simple in essence. We need to define a list of all the hosts we want to monitor. Then the Mikrotik device will use the Netwatch service to then send ICMP packets (pings) to them. When a host does not respond, it is considered to be down and we can act on that situation.

Later on when I mention the Mikrotik, I will refer to the any Mikrotik device, either hardware or software, that is capable of performing this operation. Furthermore, any device on the TCP network is referred to as “the host”. Therefore, the terms host and device are used here interchangeably.

Our actions on both up and down events can be conducted through Mikrotik scripts. As the Mikrotik scripting language is very powerful, we can perform multiple action on every event. That action can contain writing to the Mikrotik system log, sending an alert e-mail or even an SMS message. For the last option, we need either Routerboard or PC with the USB port and a 3G USB modem.

When you are planning the alarming options, you should consider the importance of specific devices (or hosts) inside the network. In many cases though, you will be fine with just the logging in the Mikrotik system log.

This method can be used even when you need to troubleshoot your Internet link and your technical support is uncooperative. Then you can make a trace of the link hiccups and network interruptions, which will give you the supporting evidence you need.

In case you want to use the e-mail alerts, you must consider the position of the Mikrotik device. It is quite a common error that the Mikrotik device is placed inside the network, without independent Internet access and a separate UPS. Then we could have a complete loss of the network and the alarming device at the same time!

My general advice to you is that you should always position the network-monitoring device in the “last man standing” mode. That means that this device must be capable of “surviving” a disaster situation as long as possible without any dependence on the rest of the network. When everything else goes down your NMS device must still be alive and broadcasting status messages. This is very important if you are dislocated from the network or during out of hours.


What we will demonstrate here

Here is a demonstration inside out virtual lab. The virtual lab is based on an Oracle VirtualBox 5.1.2 virtualization solution. We will use a software based Mikrotik router. The whole infrastructure is virtualized.

This is the diagram of the relevant part of the network. We have the router, the e-mail server, the Web server and one workstation with the e-mail client. The workstation is not drawn on this diagram.

01 - Contoso mreza

Our demonstration will include:

  • monitoring both servers from the router,
  • sending the e-mail notifications to the admin workstation,
  • writing the event to the device log

The e-mail client inside the router is already set up.


Configuring the router

We can access the Netwatch service from the menu Tools > Netwatch or through the command /tool netwatch in the terminal.

02 - Tool Netwatch

When we choose this option, the WinBox will open the Netwatch window; this is the main window and it contains a list of all the servers and the toolbar with all commands.

03 - Netwatch prozor

We will now add the first server to be monitored. We will monitor the Web server on every 30 second intervals. Whenever the router detects the server’s state change, it will send an e-mail message with short a notification.

We should enter the IP address of the host and the time interval. We only need the IP addresses. If you want to monitor the host with the dynamic IP address, then you need to utilize the power of the scripting and the host must be capable of using dynamic DNS registration.

04 - Add new server to monitoring

The default time interval is 1 minute or 00:01:00. We will change this to 30 seconds or 00:00:30. In most cases, we will leave the timeout period on 1000 ms or 1 second. However, if you have a busy network or slow link, you should consider a longer timeout interval.

If we click on the buttons [ OK ] or [ Apply], the Mikrotik will begin to monitor our device. However, we will not be informed if something goes wrong with the servers; as we can only see alerts if we are looking the Netwatch window on the screen.

Therefore, we will switch to the tab Up and we will enter the script with the actions that should occur when the monitoring host is available. Our script is written in the same way, as that used when writing generic scripts on the Mikrotik router. However, this script cannot be run on a schedule and it is not visible for other services, including the Mikrotik Scheduler service.

05 - netwatch up script

As you can see, we will use parameterization. Therefore, we can copy that script to the event handlers of another host in the list.

We will define the server name, the administrator’s e-mail address and the message that we will write in the Mikrotik log and send as the e-mail body.

Then we have the action part of the script. The first action is to write the information message to the log and then to send in the e-mail.

I have included this sample script here for your convenience:

:local servername "Web server"
:local adminaddress ""

:local message "Server $servername is reachable"

:log info "$message"

/tool e-mail send to=$adminaddress subject=$servername body=$message

We will write the script for the down event in the same way. Moreover, I copied the script from the Up page and just modified the message text and the log context. This script will execute only when the host is down. Therefore, we will log this as a warning. If you prefer, you can log this also as a critical error. It really depends on the importance of the host.

06 - netwatch script down

I also included this script here:

:local servername "Web server"
:local adminaddress ""

:local message "Server $servername is unreachable"

:log warning "$message"

/tool e-mail send to=$adminaddress subject=$servername body=$message

We will add our host to the list. The Mikrotik will begin to monitor it. If everything is OK, then you will see that device is up.

07 - Netwatch monitoring device

Now we will copy the settings for the second device. As our FTP server is not so important, we will monitor it on a 5 minute interval.

08 - we monitoring both systems


Testing the scenario

We have setup everything as we want it. Now we will run some tests.

When the Mikrotik begins to monitor the device it will execute either an up or down script. In our case, it executed the up script in both cases. Therefore, we can see in the log that two info events are written.

09 - mikrotik log

We can check our administration workstation. As we can see in the e-mail client; notifications were received that both hosts are up.

10 - admin workstation

We will now turn off the Web server. After some time, the router will discover that that host will not reply to the ping. Its state will change to down and appropriate action will be triggered. The router will write a message in the log and it should send us the e-mail.

12 - Web server is down

When we check the log of the Mikrotik router we should see the warning message inside:

11 - Warning msg in log

Eventually, our administrator must receive an email warning message.

13 - Warning in the e-mail

As we can see from our demonstration, this mechanism can work very well. We can use it to get fast diagnostic and to monitor our network. However, only checking servers using the ping test is not enough. Even when the server itself responds on the ping probes, services may be stopped or malfunctioning. On the other hand, the ping is the probe that will fail last.

Stay tuned.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s