Monday, October 26, 2015

Adding Splunk Stream to your home network

One Level Deeper with Splunk Stream

The data that you get from your firewall or home network device only tells you half the story, and even that story is kind of boring.  For the real details of your home network, you'll have to start digging into your network a little more.  You can start by adding a managed switch to your environment, which will allow you to SPAN (mirror) your network traffic onto one port and collect some interesting data points.

Setting up Port Mirroring

"Port Mirroring is a method used to monitor your network traffic." Basically, your managed switch will replicate the data going through your network onto one port. You will 'tap' this port and listen to all the packets using Splunk Stream.  Since most home networks are not terribly large, you can get by with a computer that doesn't have a great deal of horsepower.  I'm using the same hardware I used to build my pfSense firewall to build this Stream forwarder / proxy server.

I'm going to walk you through setting up the Cisco switch along with the Stream Forwarder to capture this wire data.  Let's start by logging into the switch and setting up Port Mirroring:


First, add the ports you want to mirror.


Step 1 - Enable the Ports


Step 2 - Enable the mirrored ports and the Admin Port.  In this example, I've mirrored ports G1-G7 onto port G8.  I will plug my Splunk Stream Forwarder into this port (G8).


Setup Splunk Stream Forwarder

Step 1 - Download Splunk Stream

Step 2 - Set up Splunk Stream

I will not go deeply into this setup since it is well documented on the Splunk Stream Docs page. (http://docs.splunk.com/Documentation/StreamApp/latest/DeployStreamApp/InstallSplunkAppforStream) 

Once you've set up your Splunk Stream server, go to your machine's Stream page. For example, if your stream server's hostname is "stream," simply go to https://stream:8889 and you should see this page:


This page shows that you are collecting packets from your 'SPAN port' and that you should have data in your Splunk indexer.  Run this simple search to see if you are collecting data:

index=main sourcetype=stream* | stats count by sourcetype

If this returns a count for each stream sourcetype, you are receiving data from your Splunk Stream Forwarder.
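If that search comes back empty, rule out the mirror feed itself before digging into Splunk. The script below is an added example, not from the original post or from Splunk; it assumes a Linux forwarder host, a capture NIC named eth1 (a hypothetical name, pass another one as the first argument), root privileges, and that it is saved as span_check.sh.

```shell
#!/bin/sh
# Added example: confirm that the NIC plugged into the switch's mirror port
# (G8 in the post) is actually receiving mirrored frames.
# Assumptions: Linux host, capture NIC named "eth1" (hypothetical), run as root.
set -eu

SPAN_IF="${1:-eth1}"     # hypothetical capture interface name
SAMPLE_SECS="${2:-10}"   # how long to count packets
MIN_PKTS=50              # fewer than this in the window = mirror feed is likely dead

# Packets received on an interface, read from sysfs.
rx_count() {
    cat "/sys/class/net/$1/statistics/rx_packets"
}

# Difference between two counter readings (counter wrap ignored for a short window).
span_delta() {
    echo $(( $2 - $1 ))
}

# Exit status 0 when the delta meets the threshold, 1 otherwise.
span_ok() {
    [ "$1" -ge "$2" ]
}

main() {
    # The capture NIC is a listener only: strip any IP address so the forwarder
    # is not reachable through the mirror port, then enable promiscuous mode so
    # frames addressed to other hosts are passed up to the capture software.
    ip addr flush dev "$SPAN_IF"
    ip link set dev "$SPAN_IF" up promisc on

    before=$(rx_count "$SPAN_IF")
    sleep "$SAMPLE_SECS"
    after=$(rx_count "$SPAN_IF")
    delta=$(span_delta "$before" "$after")

    echo "$SPAN_IF received $delta packets in ${SAMPLE_SECS}s"
    if span_ok "$delta" "$MIN_PKTS"; then
        echo "Mirror feed looks alive; check Splunk next (index=main sourcetype=stream*)"
    else
        echo "Little or no traffic: check the mirror session on the switch and the cable to G8" >&2
        exit 1
    fi
}

# Only run main when executed as span_check.sh, so the functions can also be sourced.
case "$0" in *span_check*) main "$@" ;; esac
```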

Hope that helps, and as always, happy Splunking!

Suggested Parts List

Here's what I bought to make all of this possible:


If you don't have a dual-NIC server, then I would suggest you build one like this, which I used to build my pfSense firewall.

2 comments:

  1. Brilliant piece of information. I had come to know about your web page from my friend hardkik, Chennai. I have read at least 9 posts of yours by now, and let me tell you, your web page gives the best and the most interesting information. This is just the kind of information that I had been looking for; I'm already your RSS reader now and I would regularly watch out for the new posts. Once again, hats off to you! Thanks a million once again. Regards, splunk training in hyderabad

  2. My first Cisco product... because of this post!

    Good post... don't stop sharing those Splunk tips and tricks :)
