Thursday, August 8, 2013

Update: Support for Netgear, Asus and Skyhub, need beta testers!

Hello everyone, I was able to quickly build some support for the routers from the sample data that was sent to me. The default (fios) sourcetype is still here, but I've now included stanzas for the Asus, Netgear and Skyhub routers. Please feel free to add this props.conf file in your:
$SPLUNK_HOME/etc/apps/homemonitor/local/props.conf

Once you've added the entries, restart your Splunk instance so the new sourcetypes are picked up.

If you have already added the UDP source, simply remove it and re-add it with the following settings:

Set the UDP port: 514
Set sourcetype: From list
Select source type from list *
<select your router>
fios, asus, netgear, or skyhub

Keep in mind that syslog over UDP is neither authenticated nor encrypted, so any host that can reach port 514 on your Splunk server can inject events into the homemonitor index. If your setup allows it, restrict the input (host firewall or the input's own source restriction) to your router's IP address.


**NOTE** Some dashboards will not work as they do with the FiOS router, since not every router logs the same fields (for example the inbound/outbound indicator the FiOS extractions rely on), but the majority of them should still work.

Once I have some validation that these extractions work, I will include them in the v3.0 Home Monitor release.

------------------- props.conf -----------------

[fios]
# These extracts are intended for use with the MI424WR-GEN2 Verizon FiOS Home Router / Firewall. The firmware version that has been tested is 20.19.8.
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
EXTRACT-transport = (?i) .*? \( : (?P<transport>\w+)(?= )
EXTRACT-src_ip = (?i)\(.*? (?P<src_ip>\d+\.\d+\.\d+\.\d+)(?=:)
EXTRACT-src_port = (?i)^(?:[^:]*:){7}(?P<src_port>[^\]]+)
EXTRACT-dest_ip = (?i)^[^>]*>(?P<dest_ip>[^:]+)
EXTRACT-dest_port = (?i)^(?:[^:]*:){8}(?P<dest_port>[^ ]+)
EXTRACT-remote_ip = (?i)^(?:[^:]*:){6}\d+\s+\[(?P<remote_ip>[^:]+)
EXTRACT-remote_port = (?i)^(?:[^\[]*\[){2}\d+\.\d+\.\d+\.\d+:(?P<remote_port>[^\]]+)
EXTRACT-connection_state = (?i)^[^\]]*\]\s+(?P<connection_state>\w+\s+\w+)
EXTRACT-config_change_user = (?i) user (?P<config_change_user>[^ ]+)
EXTRACT-process = (?i) .*? (?P<process>[a-z]+)(?=:)
pulldown_type = 1

[asus]
# Based on Asus RT-N66U router syslog output.
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as transport
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
pulldown_type = 1

[netgear]
# Based on Netgear FV318N router syslog output.
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as transport
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
EXTRACT-action = (?i) LOG_PACKET\[(?P<action>[^\]]+)
pulldown_type = 1

[skyhub]
# Based on Skyhub SR101 router syslog output.
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as transport
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
EXTRACT-action = (?i) kernel: (?P<action>[^\-]+)
pulldown_type = 1
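To see what these stanzas actually do to a raw event, here is an added Python example (my own illustration, not code from the Home Monitor app) that emulates Splunk's automatic key=value extraction, the FIELDALIAS lines and the EXTRACT-* regexes for the netfilter-style routers. The asus, netgear and skyhub regexes are the ones above; the edgerouter stanza is the one worked out in the comment thread, and its `[ruleset-rule-A|D|R]` action decoding is an assumption added here, not something the page states. The EdgeRouter sample line is the one posted in the comments; the other three sample lines are constructed to match the regexes, not captured from real hardware.

```python
import re
from collections import defaultdict

# Added example (not the Home Monitor app's code): a small emulation of the
# search-time extraction Splunk performs with the props.conf stanzas above.
# Splunk's automatic key=value extraction is approximated with KV_RE; the
# asus/netgear/skyhub EXTRACT regexes are the page's own.
KV_RE = re.compile(r"(\w+)=(\S*)")

# Netfilter-style routers all use the same field names, so one alias map
# serves asus, netgear, skyhub and edgerouter (the FIELDALIAS-* lines).
NETFILTER_ALIASES = {
    "SRC": "src_ip",
    "DST": "dest_ip",
    "SPT": "src_port",
    "DPT": "dest_port",
    "PROTO": "transport",
}

# ASSUMPTION (not on the page): EdgeOS firewall log prefixes look like
# [<ruleset>-<rule>-<A|D|R>], and the trailing letter is the verdict.
EDGEROUTER_ACTION_RE = r"\[(?P<fw_rule>[^\]]+)-(?P<action_code>[ADR])\]"
EDGEROUTER_ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}

PROPS = {
    "asus": {"aliases": NETFILTER_ALIASES,
             "extracts": [r"(?i) .*?: (?P<action>\w+)(?= )"]},
    "netgear": {"aliases": NETFILTER_ALIASES,
                "extracts": [r"(?i) LOG_PACKET\[(?P<action>[^\]]+)"]},
    "skyhub": {"aliases": NETFILTER_ALIASES,
               "extracts": [r"(?i) kernel: (?P<action>[^\-]+)"]},
    "edgerouter": {"aliases": NETFILTER_ALIASES,
                   "extracts": [EDGEROUTER_ACTION_RE]},
}


def extract_fields(sourcetype, event):
    """Return the app's common field names for one raw syslog event."""
    stanza = PROPS[sourcetype]
    fields = {}
    # 1. automatic key=value extraction (first occurrence wins here; Splunk
    #    would build a multivalue field for repeated keys such as LEN=)
    for key, value in KV_RE.findall(event):
        fields.setdefault(key, value)
    # 2. FIELDALIAS: copy the router's own names onto the app's names
    for router_name, app_name in stanza["aliases"].items():
        if router_name in fields:
            fields[app_name] = fields[router_name]
    # 3. EXTRACT-*: named-group regexes run against the raw event
    for pattern in stanza["extracts"]:
        match = re.search(pattern, event)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    # edgerouter only: translate the assumed one-letter verdict code
    if "action_code" in fields:
        fields["action"] = EDGEROUTER_ACTIONS[fields["action_code"]]
    return fields


def distinct_sources_by_dest_port(events):
    """Rough equivalent of the app's 'inbound ports by number of IPs' panel:
    count distinct src_ip per dest_port over (sourcetype, raw_event) pairs."""
    sources = defaultdict(set)
    for sourcetype, event in events:
        fields = extract_fields(sourcetype, event)
        if "dest_port" in fields and "src_ip" in fields:
            sources[fields["dest_port"]].add(fields["src_ip"])
    return {port: len(ips) for port, ips in sources.items()}


# Sample events: the edgerouter line is the one posted in the comment thread;
# the other three are CONSTRUCTED to match the regexes, not real router output.
SAMPLE_EVENTS = [
    ("edgerouter", "Dec 8 01:11:17 172.16.1.254 Dec 8 01:11:17 FW01 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= "
                   "MAC=ff:ff:ff:ff:ff:ff:00:01:5c:31:3e:01:08:00 SRC=142.254.147.69 DST=255.255.255.255 LEN=328 "
                   "TOS=0x00 PREC=0x00 TTL=64 ID=21665 PROTO=UDP SPT=67 DPT=68 LEN=308"),
    ("asus", "Aug  8 10:15:32 RT-N66U kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 "
             "TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=44123 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0"),
    ("netgear", "Aug  8 10:16:01 FV318N kernel: LOG_PACKET[DROP] IN=WAN OUT= SRC=198.51.100.4 DST=192.0.2.10 "
                "PROTO=UDP SPT=5060 DPT=5060"),
    ("skyhub", "Aug  8 10:16:44 SR101 kernel: DROP-WAN IN=ppp0 OUT= SRC=198.51.100.23 DST=192.0.2.10 "
               "PROTO=TCP SPT=51000 DPT=23"),
]

if __name__ == "__main__":
    for sourcetype, event in SAMPLE_EVENTS:
        f = extract_fields(sourcetype, event)
        print(sourcetype, {k: f.get(k) for k in ("action", "transport", "src_ip", "src_port", "dest_ip", "dest_port")})
    print(distinct_sources_by_dest_port(SAMPLE_EVENTS))
```

Running it shows why the per-router stanzas are so short: once SRC/DST/SPT/DPT/PROTO are aliased, every dashboard that only needs addresses and ports works for any netfilter-logging router, and only the `action` (and the FiOS-specific inbound/outbound `process` field) needs a router-specific regex. If a regex such as the skyhub one stops at the first hyphen, check it against a few real lines from your own router before trusting the `action` field in a report.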

13 comments:

  1. Kamilo, hello!

    First I want to say thank you for taking the time to create this app for Splunk. I'm very interested in getting it working for my home environment, with my Ubiquiti EdgeRouter Lite. If you're not familiar with this device, it's a very powerful SMB and prosumer grade firewall device, and only costs $99. Here is the link if you are interested:
    http://www.ubnt.com/edgemax#edge-router-lite

    I have my EdgeRouter Lite syslogging to the homemonitor index, but it looks as if the data is not pulling into the dashboard. I am seriously interested in working with you to get this working, and am wondering what I can do to help with this. Here is a simple data stream from my syslog data:
    -----
    Dec 8 01:11:17 172.16.1.254 Dec 8 01:11:17 FW01 kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:31:3e:01:08:00 SRC=142.254.147.69 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=21665 PROTO=UDP SPT=67 DPT=68 LEN=308
    -----

    Please let me know what I can do to help get this working with my router.
    tycoonbob@gmail.com
    Thanks!

    Replies
    1. Derek,

      Thanks for downloading the app, I'm glad you are getting some use out of it. Let me see if I can't help you get your logs to populate some of the dashboards. First, go to your $SPLUNK_HOME/etc/apps/homemonitor/local/props.conf file and add this entry:

      [edgerouter]
      # Based on EdgeRouter Lite router syslog output.
      FIELDALIAS-dst = DST as dest_ip
      FIELDALIAS-dpt = DPT as dest_port
      FIELDALIAS-proto = PROTO as transport
      FIELDALIAS-SPT = SPT as src_port
      FIELDALIAS-SRC = SRC as src_ip
      EXTRACT-action = (?i) kernel: (?P<action>[^\-]+)
      pulldown_type = 1

      Once you restart Splunk, you should be able to add this as a sourcetype entry for your syslog data. Lastly, go into the searches that are powering the dashboards and replace the sourcetype from fios to edgerouter.

      Let me know if you have any questions or if there is another field that you need to alias.

      Thanks,
      Kam

    2. Thanks Kam.

      I created the new sourcetype and verified my syslog data was being generated there. I changed a few of the searches in the dashboard to the edgerouter sourcetype, however I still see no data in any search other than "Last 60 Minutes in Bound Ports by number of IP's".

      When I do a raw search with "index=homemonitor", I am only seeing one value for the field "process" and that value is "kernel". It looks as if those searches in the dashboard look for the values "IN" and "OUT", which do not exist in my homemonitor index. Do you know what I am missing?

    3. Derek,

      The process field is pointing to the same spot where the FiOS router has IN or OUT specified, but your router has the term 'kernel' in that spot. Since I don't know how your router treats incoming vs. outgoing connections I can't do a field extraction for the process field. For now, try just looking at the dashboards which deal with the fields that are being properly translated from your router.

      In the meantime, I would suggest that you find out how traffic is being logged, either inbound or outbound, and then we can do some creative field extractions and event type creation to get it to work with the reports / dashboards that are in the app.

      Let me know if that helps.

      Thanks,
      Kam

    4. Thanks again. I believe I now understand why the charts aren't working, but I am unable to see how to solve the problem. Here is a dump of several traffic logs, if you have a chance to take a look. Maybe you can see something I'm not.
      http://textdump.net/read/3624/

      Thanks.

    5. I would love to get the UBNT EdgeRouter Lite working with this. Anything I can do to help, let me know.

    6. Any luck getting Edgerouter to work? I have mine logging everything to the home monitor index.

      Hey guys, from what I can see the EdgeRouter does not log blocks and allows, but you should be able to see the source / destination ports and IPs in the app. First, make sure to add the entry for your EdgeRouter to the $SPLUNK_HOME/etc/apps/homemonitor/local/props.conf directory.

      [edgerouter]
      # Based on EdgeRouter Lite router syslog output.
      FIELDALIAS-dst = DST as dest_ip
      FIELDALIAS-dpt = DPT as dest_port
      FIELDALIAS-proto = PROTO as protocol
      FIELDALIAS-SPT = SPT as src_port
      FIELDALIAS-SRC = SRC as src_ip
      # EXTRACT-action = (?i) kernel: (?P<action>[^\-]+)
      pulldown_type = 1


      Next, manually edit the inputs.conf in the local directory and change
      sourcetype = syslog
      to
      sourcetype=edgerouter

      Give this search a try :

      index=homemonitor sourcetype=edgerouter | iplocation src_ip | geostats latfield=lat longfield=lon count by protocol

      Let me know if you run into any issues.

      Thanks,
      Kam

  2. Kam, I just came across all your stuff, very cool. I have an ASUS RT-AC68R and I'm new at Splunk, but running the latest version (6.0.1). I've followed your directions as best as I can and I notice that since configuring my ASUS to send its logs to the Splunk server, it's just storing everything in the _internal DB. Is there anything I need to do to get your app seeing that data? I'm a total noob at Splunk at the moment. I've modified the props file with the asus stuff, followed your directions and the dashboards have no data.

  3. Never mind, apparently the ASUS RT-AC68R (latest router by ASUS) doesn't have an option to syslog traffic, only system events, which is making it into your index....bummer.

  6. I have an Asus RT-AC87U and I cannot get the info from my router into my Splunk server. I even disabled the firewall on my Linux Splunk server and have added my Splunk server's internal IP to the log location on my router. My source type is sourcetype::asus and my Hostname is set to the name of my router. Is there a step that I'm missing? Has anyone successfully got this to work on an Asus AC87U?
