I've also updated my GitHub Repo : https://github.com/amiracle/homemonitor.git where you can feel free to look at the components and make any changes to the app.
So, what's new?
Source type by hostname or manual
This version of the app can either rely on your router's hostname to configure the sourcetype, or you can select it manually on the Data Inputs page. For example, if you have a FiOS router and the hostname is fios, then props.conf and transforms.conf will work together to change the sourcetype to fios. (The reason I did this was that it helped during my testing to have Splunk automatically pick up and change the sourcetype on the fly for me.)
Once the data input is in (more on that below), you will be able to see all of the dashboards populate with your data. I even normalized the fields and the output of some of the fields using a lookup. This allows my Asus router and my pfSense firewall to have the same output as my FiOS router. You'll see that there are two fields, 'action' and 'action2' in the interesting fields. The lookup, named action_lookup.csv, will convert the action to a normalized BLOCK or ACCEPT instead of DROP or pass. This allows all the dashboards to populate regardless of your router. There are some dashboards that WILL NOT populate since they have FiOS specific fields in the search.
How it works:
The props.conf has the following entry:
TRANSFORMS-changesourcetype=fios, pfsense, asus, netgear, skyhub
Then the transforms.conf file takes the source type and changes it depending on the hostname of your router:
[fios]
# Make sure that this matches the hostname of your router, fios is just an example.
REGEX = fios
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::fios
DEST_KEY = MetaData:Sourcetype
The key here is that your router's hostname either starts with or contains 'fios' in order for the change to occur automatically. Otherwise, you'll see your data come in as syslog and it will NOT have any of the proper field extractions.
You can also manually change the sourcetype to fios, asus, pfsense, netgear or skyhub.
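The following is an added example of the complete props.conf/transforms.conf pair for two of the routers, not the configuration shipped in the app. It assumes the raw syslog arrives under the default syslog sourcetype (the [syslog] stanza is my assumption) and it uses a word-boundary, case-insensitive regex instead of a bare substring so that a host named, say, "myfios-lab" does not get silently re-typed as a FiOS router; a mis-routed host would get the wrong field extractions and show up as empty or misleading dashboard panels.

```ini
# props.conf (added example; assumes the feed lands in the default syslog sourcetype)
[syslog]
# Every stanza listed here is evaluated against each event in order.
TRANSFORMS-changesourcetype = fios, pfsense

# transforms.conf (added example)
[fios]
# MetaData:Host holds the host the event was received from.
SOURCE_KEY = MetaData:Host
# (?i) = case-insensitive, \b = word boundary, so "fios" or "FIOS-gw" match
# but "myfios-lab" does not.
REGEX = (?i)\bfios
FORMAT = sourcetype::fios
DEST_KEY = MetaData:Sourcetype

[pfsense]
SOURCE_KEY = MetaData:Host
REGEX = (?i)\bpfsense
FORMAT = sourcetype::pfsense
DEST_KEY = MetaData:Sourcetype
```

A quick way to check the routing before trusting the dashboards is `index=* sourcetype=syslog | stats count BY host`: any router host that still shows up there did not match its transform and is sitting in the raw syslog sourcetype without field extractions.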
Normalized Data :
In order to get the dashboards to populate regardless of router, I had to normalize the fields from all the routers. Specifically, the 'action' field, which told me if the traffic was 'BLOCKED' or 'ACCEPTED'. Since the Asus router used 'DROP' instead of 'BLOCKED' and the pfSense firewall used 'block' instead of 'BLOCKED', I had to use a lookup and create a new field, 'action2'.
With this in place, I was able to populate all of my dashboards with blocks and accepts regardless of the router I used.
Updated Dashboards :
New updated dashboards - I've gone through and vetted all the dashboards to make sure they make some logical sense. I stopped using the 'process' field since it did not exist in all the routers' syslog data. Instead, I determined that outbound connections were initiated by src_ip = 192.168.* and inbound connections were initiated by NOT src_ip=192.168.* .
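As an added example covering both the action normalization above and the inbound/outbound rule, here is the lookup wiring plus one saved search that uses it. This is my own illustration, not the app's action_lookup.csv or any of its dashboards. It assumes a two-column CSV named action_lookup.csv with header `action,action2` and rows such as `DROP,BLOCK`, `block,BLOCK`, `pass,ACCEPT` and `BLOCKED,BLOCK` (constructed values), and it swaps the page's src_ip=192.168.* wildcard for cidrmatch(), which covers any RFC 1918 range you actually use rather than only the 192.168/16 case the page shows.

```ini
# transforms.conf (added example)
[action_lookup]
filename = action_lookup.csv
# pfSense logs lowercase "block"/"pass"; CSV lookups are case-sensitive by
# default, so without this line those rows would never match and action2
# would be empty for that router.
case_sensitive_match = false

# props.conf (added example): attach the lookup to every router sourcetype
[fios]
LOOKUP-action = action_lookup action OUTPUT action2

[pfsense]
LOOKUP-action = action_lookup action OUTPUT action2

[asus]
LOOKUP-action = action_lookup action OUTPUT action2

# savedsearches.conf (added example): direction is derived from the source
# address, not from a router-specific field, so it works for every sourcetype.
[Blocked connections by direction]
search = (sourcetype=fios OR sourcetype=pfsense OR sourcetype=asus) action2=BLOCK \
  | eval direction=if(cidrmatch("192.168.0.0/16", src_ip), "outbound", "inbound") \
  | stats count BY direction, src_ip \
  | sort -count
dispatch.earliest_time = -24h
dispatch.latest_time = now
```

If a router gets added later, two things have to happen or its traffic quietly drops out of the "blocked" panels: its action values need rows in the CSV, and its sourcetype needs the LOOKUP- line. A search for `action2=* | stats count BY sourcetype` next to `| stats count BY sourcetype` shows at a glance which sourcetypes are not being normalized.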
I was thinking about creating a setup page, so more advanced users can configure the app to suit their customized networks. When I get more motivation, I'll work on setting up tags for local networks and a setup page that allows you to change some of the inputs or specify your local network IP address space.