One Level Deeper with Splunk Stream
The data that you get from your firewall or home network device only tells you half the story, and even that story is kind of boring. For the real details of your home network, you'll have to dig a little deeper. You can start by adding a managed switch to your environment, which lets you mirror (SPAN) traffic from the rest of your ports onto one port and collect some much more interesting data points.
Setting up Port Mirroring
"Port Mirroring is a method used to monitor your network traffic." Basically, your managed switch copies the frames passing through the selected ports onto one destination port. You 'tap' this port with a dedicated NIC and listen to all the packets using Splunk Stream. Since most home networks are not terribly large, you can get away with a computer without a great deal of horsepower; I'm using the same hardware I used to build my pfSense firewall to build this Stream forwarder / proxy server.
I'm going to walk you through setting up the Cisco switch along with the Stream forwarder to capture this wire data. Let's start by logging into the switch and setting up port mirroring:
First, add the ports you want to mirror.
Step 1 - Enable the Ports
Step 2 - Select the source ports to mirror and the destination (admin) port. In this example, I've mirrored ports G1-G7 onto port G8, and I will plug my Splunk Stream forwarder's capture NIC into this port (G8). Note that on most switches the mirror destination port only emits copied traffic, so the forwarder needs a second NIC for management and for shipping data to the indexer.
Set up the Splunk Stream Forwarder
Step 1 - Download Splunk Stream
Step 2 - Set up Splunk Stream
I will not go deeply into this setup since it is well documented on the Splunk Stream Docs page. (http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/InstallSplunkAppforStream)
Once you've set up your Splunk Stream server, go to your machine's Stream page. For example, if your stream server's hostname is "stream," simply go to https://stream:8889 and you should see this page:
This page shows that the forwarder is capturing packets from your SPAN port, and the resulting events should now be arriving at your Splunk indexer. Run this simple search to confirm that you are collecting data:
index=main sourcetype=stream* | stats count by sourcetype
If the results list stream sourcetypes with non-zero counts, data is flowing from your Splunk Stream forwarder into the indexer.
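As an added example that is not part of the original post, the following shell script is a check I would run on the forwarder box before trusting the Splunk search above: it verifies that the NIC on the mirror port is really seeing other hosts' conversations, not just the forwarder's own packets plus broadcast and multicast noise (which is exactly what a mis-configured SPAN session looks like). It assumes the capture NIC is eth1 with no IP address, that the forwarder's own management address is 192.168.1.50, and that tcpdump is installed; the tcpdump output embedded in it is constructed sample data so the parsing logic can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Checks that the NIC plugged into
# the switch's mirror port (G8) is seeing other hosts' traffic, which is what a
# working SPAN session looks like. If it only sees its own packets plus
# broadcast/multicast, the switch is not mirroring or the NIC is not promiscuous.
# Assumptions: capture NIC is eth1 with no IP, the forwarder's own management
# address is 192.168.1.50, and tcpdump is installed.

CAP_IF="${CAP_IF:-eth1}"
MY_IP="${MY_IP:-192.168.1.50}"

# Bring the capture NIC up with no address and in promiscuous mode so the
# kernel accepts frames that are not addressed to its own MAC.
prep_capture_if() {
    ip link set dev "$CAP_IF" up promisc on
}

# Reads "tcpdump -nn" output on stdin and prints the number of distinct IPv4
# unicast flows (src > dst) in which the forwarder itself is not an endpoint.
# Argument: $1 = the forwarder's own IP address.
count_foreign_flows() {
    awk -v me="$1" '
        # Turn "a.b.c.d.port:" or "a.b.c.d:" into "a.b.c.d".
        function host(s,    parts, n) {
            sub(/:$/, "", s)
            n = split(s, parts, ".")
            if (n == 5) return parts[1] "." parts[2] "." parts[3] "." parts[4]
            return s
        }
        # tcpdump lines look like: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
        $2 == "IP" && $4 == ">" {
            src = host($3); dst = host($5)
            if (src == me || dst == me) next                       # our own traffic
            if (dst ~ /^2(2[4-9]|3[0-9])\./) next                  # multicast 224-239
            if (dst ~ /\.255$/ || dst == "255.255.255.255") next   # broadcast
            flows[src " > " dst] = 1
        }
        END { n = 0; for (f in flows) n++; print n }'
}

# Constructed sample of tcpdump output (not a real capture) so the parser can
# be exercised without a SPAN port. Exactly three flows here avoid the
# forwarder, broadcast and multicast addresses.
SAMPLE_TCPDUMP='12:00:01.000001 IP 192.168.1.50.44212 > 192.168.1.10.8000: Flags [P.], seq 1:2, ack 1, win 64, length 1
12:00:01.000002 IP 192.168.1.10.51234 > 93.184.216.34.443: Flags [S], seq 100, win 64240, length 0
12:00:01.000003 IP 93.184.216.34.443 > 192.168.1.10.51234: Flags [S.], seq 200, ack 101, win 65160, length 0
12:00:01.000004 IP 192.168.1.20.5353 > 224.0.0.251.5353: UDP, length 80
12:00:01.000005 IP 192.168.1.20 > 8.8.8.8: ICMP echo request, id 1, seq 1, length 64
12:00:01.000006 ARP, Request who-has 192.168.1.1 tell 192.168.1.30, length 28
12:00:01.000007 IP 192.168.1.30.137 > 192.168.1.255.137: UDP, length 50'

if [ "${1:-}" = "live" ]; then
    # Sample the real mirror port for up to 15 seconds or 500 packets.
    # A result of 0 on a busy home network means the SPAN session is not working.
    prep_capture_if
    timeout 15 tcpdump -nn -i "$CAP_IF" -c 500 2>/dev/null | count_foreign_flows "$MY_IP"
else
    # Offline mode: run the parser over the constructed sample (prints 3).
    printf '%s\n' "$SAMPLE_TCPDUMP" | count_foreign_flows "$MY_IP"
fi
```

Run it as `./span_check.sh live` on the forwarder to sample the real interface; the number printed is how many foreign unicast flows were seen, and anything above zero confirms the switch is mirroring and the NIC is accepting frames not addressed to it. Traffic from the forwarder's own address is excluded on purpose, because that traffic would show up even without a working SPAN port.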
Hope that helps and as always happy Splunking!
Suggested Parts List
Here's what I bought to make all of this possible:
If you don't have a dual-NIC server, I would suggest building one like the box I used for my pfSense firewall.