Request for router or firewall logs...
I just wanted to update everyone that I am working on a Technology Add-on for the Home Monitor app that will cover most of the other popular routers and firewalls. As of now I have a pfSense sourcetype, and will be working on various other sourcetypes. That's where I need your help. Can you send me a sample of your log file so I can set up the field extractions properly? A handful of raw events of each type (DROP, ACCEPT, and so on) is enough; mask any public IP addresses you don't want shared before posting. I'm also going to see about putting a poll up on this site to see what the most popular routers out there are.
Stay tuned for more updates on this app and thanks for the support so far!
I have an Asus RT-AC66U and the logs aren't being parsed correctly, even after updating the props.conf you provided from your other post. I'm new to Splunk and I'm not sure how to get the raw events out of the index to send you, but if you can provide instructions I can send you logs. Thanks!
Here's a DROP event:
Feb 6 17:16:48 192.168.1.1 Feb 6 17:15:15 kernel: DROP <4>DROPIN=eth0 OUT= MAC=e0:cb:4e:c4:dd:24:00:01:5c:64:4e:46:08:00 <1>SRC=198.20.69.74 DST=96.29.x.x <1>LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=53857 PROTO=TCP <1>SPT=19139 DPT=80 SEQ=1395526512 ACK=0 WINDOW=31849 RES=0x00 SYN URGP=0
Here's an ACCEPT event:
Feb 6 17:21:44 192.168.1.1 Feb 6 17:20:11 kernel: ACCEPT <4>ACCEPT IN=br0 OUT=eth0 <1>SRC=192.168.1.126 DST=74.125.225.40 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=16500 DF PROTO=TCP <1>SPT=9678 DPT=443 SEQ=455532274 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Thanks!
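As an added example (not part of the original post, and not code from the Home Monitor app or its add-on), here is a field extractor for the two Asus RT-AC66U events posted above. It shows the three things a naive key=value extraction trips over in this format: the <4>/<1> printk level markers leaking into the syslog line, the action repeated after the first marker and sometimes glued to IN= (DROPIN=eth0), and value-less tokens such as DF and SYN. The sample events are copied from the comment (the masked 96.29.x.x destination is kept as posted); the mapping to Splunk CIM Network Traffic field names (src, dest, src_port, dest_port, transport, src_interface, dest_interface, bytes) is an assumption for illustration and may not match the names the add-on itself uses.

```python
import re
from typing import Any, Dict, List

# Constructed sample input: the two Asus RT-AC66U events from the comment above.
SAMPLE_EVENTS = [
    "Feb 6 17:16:48 192.168.1.1 Feb 6 17:15:15 kernel: DROP <4>DROPIN=eth0 OUT= "
    "MAC=e0:cb:4e:c4:dd:24:00:01:5c:64:4e:46:08:00 <1>SRC=198.20.69.74 DST=96.29.x.x "
    "<1>LEN=40 TOS=0x00 PREC=0x00 TTL=117 ID=53857 PROTO=TCP <1>SPT=19139 DPT=80 "
    "SEQ=1395526512 ACK=0 WINDOW=31849 RES=0x00 SYN URGP=0",
    "Feb 6 17:21:44 192.168.1.1 Feb 6 17:20:11 kernel: ACCEPT <4>ACCEPT IN=br0 OUT=eth0 "
    "<1>SRC=192.168.1.126 DST=74.125.225.40 <1>LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=16500 DF "
    "PROTO=TCP <1>SPT=9678 DPT=443 SEQ=455532274 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 "
    "OPT (020405B40103030201010402)",
]

# Two timestamps: the first is stamped by the syslog receiver, the second by the router.
HEADER_RE = re.compile(
    r"^(?P<recv_time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<dev_time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) kernel: "
    r"(?P<action>DROP|ACCEPT) (?P<body>.*)$"
)
PRIO_RE = re.compile(r"<\d+>")          # kernel printk level markers leaking into syslog
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")
INT_FIELDS = {"LEN", "TTL", "ID", "SPT", "DPT", "SEQ", "ACK", "WINDOW", "URGP"}

# Netfilter LOG field -> Splunk CIM Network Traffic field. Assumed mapping for this
# example; the add-on's own extractions may use different names.
CIM_NAMES = {"SRC": "src", "DST": "dest", "SPT": "src_port", "DPT": "dest_port",
             "PROTO": "transport", "IN": "src_interface", "OUT": "dest_interface",
             "LEN": "bytes"}


def parse_event(line: str) -> Dict[str, Any]:
    """Extract header fields, key=value fields, flags and MAC parts from one event."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an Asus kernel firewall event: %r" % line)
    ev: Dict[str, Any] = {k: m.group(k) for k in ("recv_time", "host", "dev_time", "action")}
    body = PRIO_RE.sub(" ", m.group("body"))
    # The action is repeated after the first marker, sometimes glued to IN= ("DROPIN=eth0").
    body = re.sub(r"^\s*(DROP|ACCEPT)\s*", "", body)
    # TCP options arrive as hex inside "OPT (...)"; the inner space would break a plain split.
    opt = OPT_RE.search(body)
    if opt:
        ev["tcp_options"] = opt.group(1)
        body = OPT_RE.sub("", body)
    flags: List[str] = []
    for tok in body.split():
        if "=" in tok:
            key, val = tok.split("=", 1)          # "OUT=" yields an empty value, kept as ""
            ev[key] = int(val) if key in INT_FIELDS and val.isdigit() else val
        else:
            flags.append(tok)                     # value-less tokens: DF, SYN, ACK, FIN, RST ...
    ev["flags"] = flags
    # MAC= is dst MAC (6 bytes), src MAC (6 bytes), then EtherType (2 bytes; 08:00 = IPv4).
    parts = ev.get("MAC", "").split(":")
    if len(parts) == 14:
        ev["dest_mac"] = ":".join(parts[0:6])
        ev["src_mac"] = ":".join(parts[6:12])
        ev["ethertype"] = "0x" + "".join(parts[12:14])
    for nf, cim in CIM_NAMES.items():
        if nf in ev:
            ev[cim] = ev[nf]
    return ev


def parse_events(lines) -> List[Dict[str, Any]]:
    return [parse_event(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_EVENTS):
        print(ev["action"], ev["src"], "->", ev["dest"], ev["transport"],
              ev["dest_port"], ev["flags"])
```

The same three problems carry over to a Splunk regex-based extraction: strip the <N> markers in a SEDCMD (or match them as optional noise) before the key=value REGEX runs, anchor the IN= match so the glued DROPIN variant still yields IN=eth0, and extract the bare flag tokens separately so SYN and DF don't vanish between the key=value pairs.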