Monday, February 9, 2015

Adding the Linksys sourcetype

How to add the Linksys router into your Home Monitor App.

The first thing you'll need to do is modify the props.conf in your $SPLUNK_HOME/etc/apps/homemonitor/local/ directory. Here is the entry you should use:

[linksys]
DATETIME_CONFIG = CURRENT
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
pulldown_type = true
EXTRACT-src_ip,dest_ip,linksys_src_port,action = ^(?P<src_ip>[^ ]+) to (?P<dest_ip>[^:]+):(?P<linksys_src_port>[a-z]+) is (?P<action>.+)
LOOKUP-linksys_src_port_lookup = linksys_src_port_lookup linksys_src_port OUTPUTNEW src_port

Once you've modified that file, you'll need to make another change to your transforms.conf in the same location, $SPLUNK_HOME/etc/apps/homemonitor/local/. Here is the entry you'll need to make:

[linksys]
# Make sure that this matches the hostname of your router, linksys is just an example.
REGEX = linksys
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::linksys
DEST_KEY = MetaData:Sourcetype
Note that you'll need to change the line REGEX = linksys so that it reads REGEX = <your router's hostname>.

Lastly, you'll need to make some lookup files that will help get the dashboards populated with data from linksys routers.

First, modify the existing lookup file "action_lookup.csv" and add the following to the end of that file:

blocked, BLOCK
accepted, ACCEPT
Here's the last lookup file you'll need to populate the dashboards. It maps the protocol name the router logs (https, http, etc.) to the matching src_port number (443, 80, ...). Here's the lookup file (linksys_src_port.csv):

linksys_src_port, src_port
https,443
http,80
ssh,22
smtp,25
pop,110

Once you've created it, add the file to your app and make it an automatic lookup; the LOOKUP- line in props.conf above refers to it by the name linksys_src_port_lookup.
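To check that the extraction and lookups above produce the fields the dashboards expect before you feed in real router events, here is an added Python example (not part of the original post or of the Home Monitor app) that applies the same regex and the same lookup rows to a few constructed log lines, including a lookup miss and a non-matching line; the output column name of action_lookup.csv is not shown in the post, so action_out is a placeholder.

```python
import re
from collections import Counter

# Regex copied verbatim from the EXTRACT- line in props.conf above.
LINKSYS_RE = re.compile(
    r"^(?P<src_ip>[^ ]+) to (?P<dest_ip>[^:]+):(?P<linksys_src_port>[a-z]+) is (?P<action>.+)"
)

# Same rows as action_lookup.csv and linksys_src_port.csv, whitespace stripped.
# The output column of action_lookup.csv is not shown in the post, so
# "action_out" below is a placeholder name for it.
ACTION_LOOKUP = {"blocked": "BLOCK", "accepted": "ACCEPT"}
PORT_LOOKUP = {"https": 443, "http": 80, "ssh": 22, "smtp": 25, "pop": 110}

def parse_linksys(line):
    """Apply the regex, then both lookups, as Splunk does at search time.
    Returns None when the line does not match; a lookup miss leaves the output
    field absent (as OUTPUTNEW does), so dashboards keyed on src_port or the
    normalized action silently drop such events."""
    m = LINKSYS_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    action_out = ACTION_LOOKUP.get(event["action"].strip().lower())
    if action_out is not None:
        event["action_out"] = action_out
    src_port = PORT_LOOKUP.get(event["linksys_src_port"])
    if src_port is not None:
        event["src_port"] = src_port
    return event

def count_by_action(lines):
    """Count events per normalized action like a dashboard panel would;
    non-matching lines and lookup misses fall into the "unmapped" bucket."""
    counts = Counter()
    for line in lines:
        event = parse_linksys(line)
        counts[event.get("action_out", "unmapped") if event else "unmapped"] += 1
    return dict(counts)

# Constructed sample lines in the format the regex expects, not real router output.
SAMPLE_LINES = [
    "192.168.1.23 to 203.0.113.8:https is accepted",
    "192.168.1.23 to 203.0.113.9:ssh is blocked",
    "192.168.1.23 to 203.0.113.10:telnet is blocked",  # protocol not in the port lookup
    "192.168.1.23 to 203.0.113.11:http is dropped",    # verdict not in the action lookup
    "DHCP lease for 192.168.1.40 renewed",             # does not match the regex at all
]
```

Any line that ends up in the "unmapped" bucket is a row you still need to add to one of the two lookup files, or a log format the regex does not cover.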

Enjoy,
Kam
