Thursday, May 21, 2015

New home | monitor > 4.0 Released

I just finished working on home | monitor > 4.0 with new enhancements, which include:

Splunk Stream Support - used to power new D3 dashboards

New D3 visualizations
  Sankey
  Tag Cloud

Expanded workflow for both pfSense and FiOS routers

Third Party lookup using MXToolbox.com

New home | monitor > logo

Updated searches and dashboards so that they all work and are CIM 4.2 compliant.

Enjoy the updates, I will be posting a video on how to use the app soon.

Thanks,
Kam


13 comments:

  1. Where can I go for support with Home Monitor and pfSense? I have setup Splunk, Home Monitor and incoming logging from pfSense. Everything looks correct, but nothing is showing up in Home Monitor.

    Thanks,
    Brent

    Replies
    1. Hey Brent,

      I can help you troubleshoot your setup. First, go to search and see if you're getting data. Run a simple search, "index=homemonitor", and see if you get some data. Then, if you get data, make sure that the sourcetype pfsense shows up. Run this search to make sure: "index=homemonitor sourcetype=pfsense". If you are seeing data, then go to the dashboards and make sure you are selecting pfsense as your sourcetype from the drop-down.

    2. Thanks for the advice!

      No results found when searching Splunk for index=homemonitor or index="homemonitor".

      Here is more about the actual setup:

      Splunk 6.2.3 and Home Monitor 4.0 are installed on OS X 10.10.3 Yosemite running OS X Server 4.1

      syslog server is running on OS X Server accepting incoming data on UDP port 514
      pfSense 2.2.2 is sending all logging data to the OS X Server

      OS X Server is accepting all the pfSense logging data as verified in Console

      Splunk is set to receive incoming data on UDP port 514

      I have followed these instructions http://blog.basementpctech.com/2012/02/splunk-and-pfsense-what-pair.html for getting Splunk to work with the current pfSense logs.

      I have also posted this in the pfSense forums at https://forum.pfsense.org/index.php?topic=94911.0

      Any other advice you might have would be welcome.

      Thanks,
      Brent

    3. Brent,

      You might want to modify the Splunk data input to 1514 instead of 514. The reason is that Splunk will need to run as root to listen on port 514 on the OS X server. Once you make that change, run the index=homemonitor search and see if you get results.

      Thanks,
      Kam

    4. Kam,

      Making progress. I modified /etc/syslog.conf and added:

      *.* @127.0.0.1:1514

      to redirect to the proper port and added a new data input in Splunk for UDP port 1514.

      When I put the index=homemonitor in the Splunk search I see the logs coming in from pfSense!

      Home Monitor, however, is still not seeing any data.

      Ideas for my next step?

      Thanks,
      Brent

    5. Yes, now that you're getting the data in from your firewall, you can make one of two changes. Either go into the data inputs on Splunk and force the source type to be overridden as 'pfsense.'

      The other way requires that you copy and modify the transforms.conf file to reflect the hostname of your pfSense firewall. To do that, go ahead and copy the transforms.conf from the default directory to the local directory ($SPLUNK_HOME/etc/apps/homemonitor/local/transforms.conf) and change the REGEX setting under the [pfsense] stanza from "REGEX = pfsense" to "REGEX = .".

      Either way, this will now populate your charts / graphs in the home monitor app.

      Thanks,
      Kam

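The two routes Kam describes, written out as an added example of the Splunk configuration involved (this is not the app's shipped configuration; the [udp://1514] stanza, the FORMAT and DEST_KEY lines, and the assumption that the app's default props.conf already references the [pfsense] transform are taken from standard Splunk conventions, not from this page):

```ini
# $SPLUNK_HOME/etc/apps/homemonitor/local/inputs.conf  (added example)
# Route 1: force the sourcetype on the input itself.
# 1514 is an unprivileged port, so splunkd can bind it without running as root;
# the OS syslog daemon forwards to 127.0.0.1:1514 as in Brent's syslog.conf line.
[udp://1514]
index = homemonitor
sourcetype = pfsense
connection_host = ip

# $SPLUNK_HOME/etc/apps/homemonitor/local/transforms.conf  (added example)
# Route 2: leave the input's sourcetype alone and let the transform re-tag events.
# The shipped stanza matches on the literal host name "pfsense"; "REGEX = ."
# matches every event, so only use it when nothing but the firewall sends to
# this input (otherwise set REGEX to your firewall's actual host name).
# FORMAT and DEST_KEY are assumed here; check them against the default file.
[pfsense]
REGEX = .
FORMAT = sourcetype::pfsense
DEST_KEY = MetaData:Sourcetype
```

Restart Splunk after editing either file; only events indexed after the change carry the new sourcetype, so re-run "index=homemonitor sourcetype=pfsense" over a recent time range to confirm.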
    6. Kam,

      Thank you so very much for all your help! Home Monitor is now working!!!

      I changed the source type in Splunk to pfsense.

      I also had to copy the transforms.conf file from $SPLUNK_HOME/etc/apps/homemonitor/default/transforms.conf to $SPLUNK_HOME/etc/apps/homemonitor/local/transforms.conf as it did not exist in $SPLUNK_HOME/etc/apps/homemonitor/local/. Once I did both of those, everything started working.

      Thanks again,
      Brent

    7. Kam,

      After a full day with Home Monitor, everything seems to be working for the most part. When I use the pfSense Home Network Device list, I get a list of devices, but no internal-to-external connections when selecting a specific device. It just returns "no results found".

      Any idea of what might be happening?

      Thanks,
      Brent

  2. Hi Kamilo,

    First of all thank you for the great App!
    I have a problem with my instance. It says that they got into my network, but when I view the intrusion page it tells me that no results were found. (Timeframe is any time, source=asus.)

    I hope you can help me with this matter.

    Thanks,

    Kevin

    Replies
    1. Kevin,

      I've been working on the search and found a bug in my logic. I'll be posting an update shortly with the fix. Sorry for raising your blood pressure unnecessarily.

      Thanks,
      Kam

  3. I cannot seem to get mine to work either. I have tried several suggestions, but nothing .. I cannot even get the universal dashboards to work :( .. Any idea where to start?

    Replies
    1. Kirk,

      Were you able to start seeing data in your dashboards? What modem are you using? Are you able to see anything in the search "index=homemonitor"?

      Thanks,
      Kam

  4. Kam,

    I have been following all your posts and the setup video. I am still having trouble with the home monitor setup, as nothing is populating. In some descriptions you mention the sourcetype as "syslog" and in others "fios" or "pfsense". Also, I don't believe Splunk is set up as root, although it is on my Mac. Is there a better video to show how to start from the beginning and all the Mac commands needed to set up as root? And should I use "fios" or "syslog"? Thanks for understanding, but I have been trying this for several weeks now and it never works.
