Setting up Verizon FiOS Router for Home Monitor **UPDATED**

Log into your router and select Advanced, click Yes to proceed.

Select "System Settings".
Scroll down and enable System Logging and Security Logging. Next, enter the IP address of your Splunk server.

Now select Firewall Settings.
Click on Security Log.
Click on the Settings button.

Check the box for each item you want logged to Splunk, then click Apply.


Now log into your Splunk instance and go to the Manager.


In Splunk, select Add Data and then select Data Inputs.

Click on UDP

Follow each step and MAKE SURE to check the box for More settings; that is where you set the destination index (homemonitor) and where you can set "Only accept requests from this host" to your router's IP so the input takes syslog only from the router. When complete, click Save.

When done, your Data inputs page should look like this.

27 comments:

  1. The homemonitor index was not automatically created when installing the app. I had to manually create it.

    Replies
    1. Just fixed it in the latest version 1.2. Thanks and good catch!

  2. This comment has been removed by the author.

  3. I'm getting no results found..

  4. On your Splunk server, can you do a tcpdump and look for traffic on udp port 514?

  5. No I'm on Windows 8. I went in and allowed port 514 UDP through the firewall and still no dice.

  6. I would run wireshark on your Splunk instance and validate that you are seeing traffic from your FiOS router. You can also validate if Splunk is receiving data by taking a look at the homemonitor index. Search index=homemonitor * All Time.

  7. I can see traffic... homemonitor index event count shows only 15 from yesterday all with the following:

    Jan 15 22:58:21 192.168.1.1 Jan 15 23:58:20 2013 Wireless_Broadband_Router Unknown PTR name format
    host=192.168.1.1 sourcetype=syslog source=syslog

  8. This could mean a couple of things. First, what version router do you have (model number and firmware version)? Next, which options did you select on your router's configuration page: Information, Warn, or Error?

  9. Router Info:

    Model Name: MI424WR-GEN3I
    Firmware Version: 40.19.36
    Hardware Version: I

    Both System and Security logging are set to information

  10. In your Splunk instance, go to Manager->Data Inputs->UDP, click on 514 and, when it opens, make sure that "Set Sourcetype" is either set to "From a List" with syslog selected, or set to "Manual" with syslog typed in. Let me know if that works.

  11. Hi, I followed your instructions completely, but I cannot get it to work. It looks like my FiOS router is blocking the syslog traffic because all of the dashboards show the message "No results found". I would greatly appreciate your suggestions.

  12. The first thing I would do is just do a search in Splunk like this: index=homemonitor and go ahead and do it for All Time. If you see results, then the data is properly flowing into the index. If not, we need to revisit your setup. Are you running your Splunk server on Windows or Linux (Mac OS X)?

  13. Hi, after doing more research yesterday, I think the issue was that I did not install Splunk as root, so it could not listen on ports <1024. I added a redirect rule to iptables and mapped UDP 514 to UDP 10514. I think that I did this correctly, but I was winging it - I am using Ubuntu 14.04 and could not use the instructions that I found on splunk>answers. I also cloned the data input rule for UDP port 514 and created one for UDP port 10514. Index=homemonitor* has a lot of data and the all time & realtime (30 second window) views are updating, but the dashboards still show “No results found.” Thanks for your help.

    Replies
    1. Did you try running tcpdump on your Splunk box to validate that you're receiving traffic from the FiOS router? (tcpdump -i eth0 udp) Also, is there a reason you're not running Splunk as root on your Ubuntu box?

  14. This comment has been removed by the author.

  15. I was mistaken about installing by root (I'm new to Linux). I followed the install video on the Splunk website, and I think it was referring to not switching to the root user. Regardless, I took the following steps:
    1) Uninstalled Splunk (sudo dpkg -P splunk)
    2) Reset iptables (sudo iptables -F)
    3) I executed (sudo tcpdump -i wlan0 udp) and got the following output:

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on wlan0, link-type EN10MB (Ethernet), capture size 65535 bytes

    followed by a stream that looks like this:

    ##:##:##.###### IP Router.home.domain > @@@@@@@-wifi.home.38127: 6884* 1/0/0 PTR @@@@@@-wifi.home. (74)
    ##:##:##.###### IP @@@@@@-wifi.home.##### > Router.home.domain: 26323+ PTR? 8.4.b.8.5.c.e.f.f.f.1.c.1.3.a.7.0.0.0.0.0.0.0.0.0.0.0.0.0.8.e.f.ip6.arpa. (90)
    ##:##:##.###### IP FiOS_Router.home.1026 > @@@@@@-wifi.home.syslog: SYSLOG user.info, length: 183
    ##:##:##.###### IP FiOS_Router.home.1025 > @@@@@@-wifi.home.syslog: SYSLOG user.warning, length: 60
    ##:##:##.###### IP Router.home.1026 > @@@@@@-wifi.home.syslog: SYSLOG user.info, length: 181
    ##:##:##.###### IP Router.home.1026 > @@@@@@-wifi.home.syslog: SYSLOG user.info, length: 163
    ##:##:##.###### IP Router.home.domain > @@@@@@-wifi.home.#####: 26323 0/1/0 (149)

    4) Reinstalled Splunk (sudo dpkg -i splunk-6.2.1-245427-linux-2.6-amd64.deb)
    5) Started Splunk and installed Home Monitor
    6) Configured the data input as follows:
    a) UDP port 514
    b) Source - Source name override (blank)
    c) Set sourcetype * (Manual)
    d) Source type * (syslog)
    e) Set host (custom radio button selected)
    f) Set the host with this value. (blank)
    g) Set the destination index for this source. (homemonitor)
    h) Only accept requests from this host. (blank)

    At this point, I can see a stream of data when I search: index="homemonitor", but the dashboards are still empty.

    Thanks for your help!

    Replies
    1. What does the output look like when you run index=homemonitor in Splunk?

    2. 1/19/15
      11:32:23.000 AM
      Jan 19 11:32:23 192.168.2.1 Jan 19 11:32:22 2015 FiOS_Router OUT: ACCEPT LAN-OUTBOUND [15] Default policy (TCP 192.168.2.60:55904->###.###.####.###:443 on eth1)

      host = 192.168.2.1
      source = udp:514
      sourcetype = syslog

      1/19/15
      11:32:23.000 AM
      Jan 19 11:32:23 192.168.2.1 Jan 19 11:32:22 2015 FiOS_Router OUT: ACCEPT [54] Connection opened ( : TCP 192.168.2.60:55904 <-->###.###.####.###:55904 [###.###.####.###:443] CLOSED/CLOSED eth1 NAPT Outgoing UNSECURED )

      host = 192.168.2.1
      source = udp:514
      sourcetype = syslog

      1/19/15
      11:32:23.000 AM
      Jan 19 11:32:23 192.168.2.1 Jan 19 11:32:22 2015 FiOS_Router OUT: ACCEPT LAN-OUTBOUND [38] Wireless Broadband Router initiated traffic (UDP ###.###.####.###:1024->###.###.####.###:53 on eth1)

      host = 192.168.2.1
      source = udp:514
      sourcetype = syslog

      1/19/15
      11:32:23.000 AM
      Jan 19 11:32:23 192.168.2.1 Jan 19 11:32:22 2015 FiOS_Router OUT: ACCEPT [54] Connection opened ( : UDP ###.###.####.###:1024 <-->###.###.####.###:1024 [###.###.####.###:53] eth1 Route Outgoing UNSECURED )

      host = 192.168.2.1
      source = udp:514
      sourcetype = syslog

      1/19/15
      11:32:23.000 AM
      Jan 19 11:32:23 192.168.2.1 Jan 19 11:32:22 2015 FiOS_Router OUT: ACCEPT [54] Connection opened ( : UDP 192.168.2.60:60507 <-->###.###.####.###:60507 [192.168.2.1:53] local_dev Route Outgoing UNSECURED )

      host = 192.168.2.1
      source = udp:514
      sourcetype = syslog

    3. Hi, can you tell what I am doing wrong from this excerpt from index=homemonitor or do you need more info? Thanks

    4. I figured out what the problem was with the app. It's a simple fix, you just have to go into your Data Inputs (Settings -> Data Inputs -> UDP -> click on the 514). Change the sourcetype from syslog to fios. That will make all your dashboards populate. I've been working on something that will fix that in a later release. Good catch!

    5. I updated the app but the dashboards are still empty, and now when I search index="homemonitor", there is no new data being added to the index. The output from sudo tcpdump -i wlan0 udp looks the same.

    6. Let's try and edit the panels and see if we can get them to populate with your data. First, let's make sure you're getting the data with the correct sourcetype. Go into search and type: index=homemonitor | stats count by sourcetype

      You can do it for the last 15 minutes.

      You should see the sourcetype fios and no syslog.

      Send me an email, kamilo@gmail.com and we can do a quick webex or Google Hangout.

    7. Hi, I started from scratch and reset my router back to its default settings, and it fixed the problem. Thanks for your help - the dashboards look great!

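Since the log lines pasted in the thread above are the raw input the app's dashboards have to field-extract, here is an added example (my own code, not from the post or the Home Monitor app): a small Python parser for the FiOS firewall syslog format that separates policy-decision lines from connection-table lines and counts accepted outbound traffic by destination port the way a dashboard panel would. The sample lines are constructed from the format shown in the comments, with public addresses replaced by 203.0.113.x.

```python
import re
from collections import Counter

# Envelope: syslog timestamp, sending host, the router's own clock (with year), router name, message.
HEADER = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<router_ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<router>\S+) (?P<msg>.*)$")
# Policy decision: "OUT: ACCEPT LAN-OUTBOUND [15] Default policy (TCP src:port->dst:port on eth1)"
POLICY = re.compile(
    r"^(?P<direction>IN|OUT): (?P<action>ACCEPT|DROP|REJECT)(?: (?P<chain>[A-Z-]+))? \[(?P<rule>\d+)\] "
    r"(?P<reason>.*?) \((?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+) on (?P<iface>\S+)\)$")
# Connection-table event: "OUT: ACCEPT [54] Connection opened ( : TCP src:port <-->nat:port [dst:port] ... )"
CONN = re.compile(
    r"^(?P<direction>IN|OUT): (?P<action>\w+) \[(?P<rule>\d+)\] Connection opened \( : (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) <-->(?P<nat>[\d.]+):(?P<nport>\d+) \[(?P<dst>[\d.]+):(?P<dport>\d+)\]")


def parse_line(line):
    """Return a field dict with 'kind' in {'policy', 'connection', 'other'}, or None if not a FiOS line."""
    head = HEADER.match(line.strip())
    if not head:
        return None
    rec = head.groupdict()
    msg = rec.pop("msg")
    for kind, pattern in (("connection", CONN), ("policy", POLICY)):
        m = pattern.match(msg)
        if m:
            rec.update(m.groupdict(), kind=kind)
            return rec
    rec.update(kind="other", text=msg)  # e.g. the "Unknown PTR name format" noise seen in comment 7
    return rec


def outbound_by_dest_port(lines):
    """Count accepted outbound policy decisions by (protocol, destination port), as a dashboard panel would."""
    counts = Counter()
    for rec in map(parse_line, lines):
        if rec and rec["kind"] == "policy" and rec["direction"] == "OUT" and rec["action"] == "ACCEPT":
            counts[(rec["proto"], int(rec["dport"]))] += 1
    return counts


# Constructed sample lines in the format pasted in the comments; public addresses replaced with 203.0.113.x.
SAMPLE = [
    "Jan 19 11:32:23 192.168.2.1 Jan 19 11:32:22 2015 FiOS_Router OUT: ACCEPT LAN-OUTBOUND [15] Default policy (TCP 192.168.2.60:55904->203.0.113.10:443 on eth1)",
    "Jan 19 11:32:23 192.168.2.1 Jan 19 11:32:22 2015 FiOS_Router OUT: ACCEPT [54] Connection opened ( : TCP 192.168.2.60:55904 <-->203.0.113.1:55904 [203.0.113.10:443] CLOSED/CLOSED eth1 NAPT Outgoing UNSECURED )",
    "Jan 19 11:32:23 192.168.2.1 Jan 19 11:32:22 2015 FiOS_Router OUT: ACCEPT LAN-OUTBOUND [38] Wireless Broadband Router initiated traffic (UDP 203.0.113.1:1024->203.0.113.53:53 on eth1)",
    "Jan 15 22:58:21 192.168.1.1 Jan 15 23:58:20 2013 Wireless_Broadband_Router Unknown PTR name format",
]
```

Lines that match the envelope but neither message pattern come back as kind "other", which is a quick way to spot router noise (like the PTR messages) that would otherwise be counted as firewall events.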
  16. This comment has been removed by the author.

  17. I just updated the app to version 3.0.4 that has all the fixes listed above. Please feel free to download it and test it out with your system. Thanks for pointing out the issues that were in the app.

  18. Home Monitor and pfSense 2.2.1: the search arguments in Home Monitor are not compatible with the input from pfSense. I have lots of input from pfSense, but the search arguments in the panels give zero hits.
