Wednesday, February 25, 2015

MikroTik firewall source type


Here are the changes you need to make to add a MikroTik firewall to the Home Monitor App.

First, edit the props.conf in your $SPLUNK_HOME/etc/apps/homemonitor/local directory:

[syslog]
TRANSFORMS-changesourcetype=fios, pfsense, asus, netgear, skyhub, linksys, mikro

[mikro]
EXTRACT-hostname = ^(?:[^ \n]* ){7}(?P<hostname>\w+)
EXTRACT-transport = ^(?:[^,\n]*,){2}\s+\w+\s+(?P<transport>\w+)
EXTRACT-src_ip,src_port = ^(?:[^,\n]*,){4}\s+(?P<src_ip>[^:]+)[^:\n]*:(?P<src_port>\d+)
EXTRACT-dest_ip,dest_port = ^[^>\n]*>(?P<dest_ip>[^:]+)[^:\n]*:(?P<dest_port>\d+)
EXTRACT-process = ^(?:[^ \n]* ){9}(?P<process>\w+)
EXTRACT-nat_ip,nat_port = ^(?:[^>\n]*>){2}(?P<nat_ip>[^:]+)[^:\n]*:(?P<nat_port>[^\)]+)

Next, edit the transforms.conf to include the mikro source type:

[mikro]
# Make sure that this matches the hostname of your router, mikro is just an example.
# Replace the field below with your router / firewall / modem's hostname.
REGEX = mikro
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::mikro
DEST_KEY = MetaData:Sourcetype

Please note that this does not have blocks or accepts in the logs, so I cannot populate the blocked or accepted dashboards.
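
The EXTRACT regexes above are positional (they count spaces, commas and ">" characters from the start of the event), so it is worth checking which of them actually fire on a raw event before you deploy the props.conf change. The Python harness below is an added example, not code from the original post or from the Home Monitor app: it applies the six regexes to a constructed sample event whose double syslog header and field order are my assumptions about the layout the regexes encode; paste a raw line from your own router in its place.

```python
import re

# The EXTRACT-* regexes from the props.conf stanza above, copied verbatim.
# Splunk evaluates them with PCRE; these particular patterns use only syntax
# that Python's re module shares.
EXTRACTS = {
    "hostname": r"^(?:[^ \n]* ){7}(?P<hostname>\w+)",
    "transport": r"^(?:[^,\n]*,){2}\s+\w+\s+(?P<transport>\w+)",
    "src_ip,src_port": r"^(?:[^,\n]*,){4}\s+(?P<src_ip>[^:]+)[^:\n]*:(?P<src_port>\d+)",
    "dest_ip,dest_port": r"^[^>\n]*>(?P<dest_ip>[^:]+)[^:\n]*:(?P<dest_port>\d+)",
    "process": r"^(?:[^ \n]* ){9}(?P<process>\w+)",
    "nat_ip,nat_port": r"^(?:[^>\n]*>){2}(?P<nat_ip>[^:]+)[^:\n]*:(?P<nat_port>[^\)]+)",
}

# Constructed sample event (not captured from a real router). It assumes the
# Splunk UDP input prepended its own "timestamp host" header in front of the
# router's BSD syslog header, which is what the token counts in the hostname
# and process regexes imply, followed by a typical firewall log message.
SAMPLE_EVENT = (
    "Feb 25 14:36:22 192.168.88.1 Feb 25 14:36:22 mikro firewall,info "
    "forward: in:ether1 out:ether2, src-mac 00:0c:42:aa:bb:cc, "
    "proto TCP (SYN), 192.168.88.10:51234->203.0.113.5:443, "
    "NAT (192.168.88.10:51234->(198.51.100.7:51234))->203.0.113.5:443, len 60"
)


def run_extractions(event, extracts=EXTRACTS):
    """Apply every EXTRACT regex to one raw event.

    Returns a dict of field -> captured value; fields whose regex did not
    fire are present with value None, mirroring a Splunk search where the
    field would simply be absent from the event.
    """
    fields = {}
    for label, pattern in extracts.items():
        match = re.search(pattern, event)
        if match is None:
            for name in label.split(","):
                fields[name] = None
        else:
            fields.update(match.groupdict())
    return fields


def report(event):
    """Print a per-field summary so misses stand out before props.conf is touched."""
    for name, value in run_extractions(event).items():
        print(f"{name:>10}: {value if value is not None else '<no match>'}")


if __name__ == "__main__":
    report(SAMPLE_EVENT)
```

On this sample the transport regex does not fire, because the src-mac segment sits where the regex expects the proto segment, and nat_ip keeps the leading parenthesis from the NAT notation; catching exactly that kind of mismatch on your own events is what the harness is for.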

Thanks and enjoy!

-Kam
