doc/log-forward: add some more details

doc/log-forward.md

@@ -9,16 +9,24 @@ Forward log messages via notification
 Description
 -----------
 
-RouterOS supports sending log messages via e-mail or to a syslog server.
-This has some limitation, however:
+RouterOS itself supports sending log messages via e-mail or to a syslog
+server (see `/system/logging`). This has some limitation, however:
 
 * does not work early after boot if network connectivity is not
-  yet established
+  yet established, or breaks intermittently
 * lots of messages generate a flood of mails
 * Matrix and Telegram are not supported
 
-The script is intended to be run periodically. It collects log messages
-and forwards them via notification.
+The script works around the limitations, for example it does:
+
+* read from `/log`, including messages from early boot
+* skip multi-repeated messages
+* rate-limit itself to mitigate flooding
+* forward via notification (which includes *e-mail*, *Matrix* and *Telegram*
+  when installed and configured, see below)
+
+It is intended to be run periodically from scheduler, then collects new
+log messages and forwards them via notification.
 
 ### Sample notification
 
@@ -46,6 +54,13 @@ The configuration goes to `global-config-overlay`, these are the parameters:
 * `LogForwardIncludeMessage`: define message text to be forwarded (even if
   filter matches)
 
+These patterns are matched as
+[regular expressions](https://wiki.mikrotik.com/wiki/Manual:Regular_Expressions).
+To forward **all** (ignoring severity) log messages with topics `account`
+(which includes user logins) and `dhcp` you need something like:
+
+    :global LogForwardInclude "(account|dhcp)";
+
 Also notification settings are required for
 [e-mail](mod/notification-email.md),
 [matrix](mod/notification-matrix.md) and/or