
Configuring EdgeRouter Syslog for HomeMonitor - unable to parse data cleanly

LargeCanineUnit
Engager

My goal - my ISP has warned me I've got a security issue. I'm trying to monitor my outgoing data to see which device is possibly speaking to the enemy.

HomeMonitor looks pretty well suited to this task. I've got it all installed, but am struggling to get the sourcetype configured for the Edge Router syslog format.

My router is a Ubiquiti EdgeRouter X. My Splunk Server is a Win 10 PC, hardwired into EdgeRouter.

I configured the edgerouter to turn on syslogging, & enabled logging for the NAT masquerade. This gives me logs of all outgoing traffic only. I am able to pull the UDP traffic using Kiwi Syslog, it spits it out in this format:

2020-12-23 18:21:54 Kernel.Warning 192.168.2.1 Dec 23 18:21:55 ubnt kernel: [NAT-5010-MASQ] IN= OUT=eth0 src=XX.XX.XXX.XXX DST=XX.XX.XXX.X LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=14664 DF PROTO=UDP SPT=21167 DPT=53 LEN=53

Per Ubiquiti's website, 

NOTE: EdgeOS uses the BSD Syslog format, the rsyslogd service and UDP port 514 (not customizable) for Syslog by default.

I tried installing this TA, but it appears to be misconfigured for my purposes.

https://splunkbase.splunk.com/app/3483/

I read elsewhere that using the asus sourcetype gets it close. I cloned the asus sourcetype & made a few changes to it: dst & dpt weren't capitalized (I'm assuming it's case sensitive), and I updated the time format.

This gets me SOME data, in Network Overview Outbound Traffic, but it only shows Source IPs. I really want to look at destination IPs & see if they're on a blacklist etc...

I think the blocked traffic & map of connections panels are more suited to this task, but I'm not getting any data populating in there.

Does anyone have any guidance? I assume I'm missing some critical data aliases or something.


All help is appreciated, here's a pic of the sourcetype config.


[Attachment: EdgeRouter Config.png]


scelikok
SplunkTrust

Hi @LargeCanineUnit

I don't know your dashboard search but I would try to add dest field as an alias.

FIELDALIAS-dest = DST as dest


If this reply helps you an upvote is appreciated.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

LargeCanineUnit
Engager

My main issue ended up being a mess of typos, I had several underscores instead of hyphens, and FILEDALIAS instead of FIELDALIAS. Fixing those typos has, for the most part, corrected the issue.

I was able to build up a dashboard of what I needed with this search term:

index=homemonitor sourcetype=$sourcetype$ direction=out | iplocation dest_ip | stats sparkline count by dest_ip, src_ip, Country, City | sort -count

This lets me see which internal IP on my network is talking to suspicious locations.

Certainly not efficient, but it should give me something to go on.


Thanks for the reply.

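To make the field mapping from the thread concrete, here is an added example (not from the thread, HomeMonitor or Ubiquiti) that parses the NAT-masquerade line format shown in the question into the src_ip/dest_ip/dest_port names the final search uses, and then counts which internal host talks to which destination. The sample lines and the blocklist are constructed, the direction rule (OUT set, IN empty means outbound) is an assumption, and the named-group regex is the kind of pattern a props.conf EXTRACT stanza would carry.

```python
import re
from collections import Counter

# Constructed sample lines in the EdgeRouter NAT-masquerade format from the thread
# (Kiwi timestamp/host prefix + BSD syslog body). Addresses are documentation ranges.
SAMPLE_LOGS = """\
2020-12-23 18:21:54 Kernel.Warning 192.168.2.1 Dec 23 18:21:55 ubnt kernel: [NAT-5010-MASQ] IN= OUT=eth0 src=192.168.2.20 DST=203.0.113.10 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=14664 DF PROTO=UDP SPT=21167 DPT=53 LEN=53
2020-12-23 18:21:55 Kernel.Warning 192.168.2.1 Dec 23 18:21:56 ubnt kernel: [NAT-5010-MASQ] IN= OUT=eth0 src=192.168.2.20 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
2020-12-23 18:21:57 Kernel.Warning 192.168.2.1 Dec 23 18:21:58 ubnt kernel: [NAT-5010-MASQ] IN= OUT=eth0 src=192.168.2.31 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Named groups become the CIM-style field names. Keys are matched exactly as logged
# ('src' lower-case, 'DST' upper-case), which is why case mattered in the thread.
# SPT/DPT are optional so ICMP lines without ports still parse.
NAT_RE = re.compile(
    r"\[(?P<rule>NAT-\d+-\w+)\] IN=(?P<in_if>\S*) OUT=(?P<out_if>\S*) "
    r"src=(?P<src_ip>\S+) DST=(?P<dest_ip>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<src_port>\d+) DPT=(?P<dest_port>\d+))?"
)


def parse_nat_line(line):
    """Return a dict of fields for one NAT log line, or None if it is not one."""
    m = NAT_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # Assumption: the masquerade rule logs WAN-bound packets, so an OUT interface
    # with an empty IN interface is outbound traffic from the LAN.
    ev["direction"] = "out" if ev["out_if"] and not ev["in_if"] else "in"
    return ev


def outbound_pairs(text):
    """Count (src_ip, dest_ip, dest_port) for outbound events, most frequent first."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_nat_line(line)
        if ev and ev["direction"] == "out":
            counts[(ev["src_ip"], ev["dest_ip"], ev["dest_port"])] += 1
    return counts.most_common()


def flag_suspicious(text, blocklist):
    """Return sorted (src_ip, dest_ip) pairs whose destination is on the blocklist."""
    hits = set()
    for line in text.splitlines():
        ev = parse_nat_line(line)
        if ev and ev["direction"] == "out" and ev["dest_ip"] in blocklist:
            hits.add((ev["src_ip"], ev["dest_ip"]))
    return sorted(hits)
```

The same grouping the thread's search does with `stats count by dest_ip, src_ip` is what outbound_pairs produces, and flag_suspicious is the blocklist check the question asks about, run locally over the captured lines.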