
Home Monitor: Has anyone tried to add support for Ubiquiti routers?

wcolgate_splunk
Splunk Employee

Has anyone tried to add support for Ubiquiti routers? Before I trudge through the syslog output that I've already captured and try to figure out the right props and transforms, I thought I'd ask to see if someone has already done so.

wbanks_splunk
Splunk Employee

The CloudKey controller from Ubiquiti runs a MongoDB and stores all the Deep Packet Inspection information in it. The app really needs to be written to pull this data out to get the "good stuff". The syslog data from Ubiquiti is pretty dry and cryptic.


fwijnholds_splu
Splunk Employee

In theory that sounds like THE thing to do. However, opening the instance for network access is not an option as it does not offer any authentication. If you have any ideas in this direction I am all ears. The BETA IPS logs are horrible by design.


bobmckayuk
New Member

Hi all,

Thanks for the comments. In the end, for my Ubiquiti UniFi USG I just switched to vanilla syslog and it seems to be getting me what I need (I think - still learning the ways of Splunk!).

Thanks

Bob


fwijnholds_splu
Splunk Employee

Hi Bob,

Perhaps a little late, but I am developing a TA for Ubiquiti; have a look and see if it works for you. Let me know if you have any questions: https://splunkbase.splunk.com/app/4107/

regards,
Filip


ekost
Splunk Employee

Looks like someone has covered the EdgeRouters on Splunkbase here: TA-edgerouter


bobmckayuk
New Member

I too would love to be able to get the sourcetype configured right for Splunk to feed from my UniFi USG!


amiracle
Splunk Employee

The sourcetype below will get you the field extractions / aliases that populate most of the dashboards (events, inbound, outbound, etc.). The dashboards that will not populate by default are the bandwidth ones, since the router sourcetype does not collect that data.

Let me know if you run into any issues getting the fields to properly extract / alias.


amiracle
Splunk Employee

It looks like this follows the same pattern as the asus sourcetype. You might need to make some minor tweaks, but for now set the sourcetype to asus instead of syslog and see if it populates the dashboards.

[asus]
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as protocol
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
EVAL-direction = if(match(OUT,"eth*"), "out", "in")
pulldown_type = 1
LOOKUP-action_lookup = action_lookup action OUTPUT action2
LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
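As an added example (not code from the thread or from the Home Monitor app), the Python below emulates what the [asus] stanza above does to one event, so you can see which fields it yields before touching props.conf. It runs over two constructed lines: one shaped like the ASUS kernel log the stanza was written for, and one in an assumed USG/EdgeOS shape where the verdict sits in a bracketed [ruleset-rule-ACTION] prefix rather than as a bare word after "kernel:"; the sample lines, usg_action and its action map are assumptions, not anything the thread states.

```python
import re

# Constructed sample events (not taken from the thread).
ASUS_LINE = ("Jan 10 12:00:01 router kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 "
             "SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=44321 DPT=22")
# Assumed USG/EdgeOS shape: action letter at the end of the bracketed prefix.
USG_LINE = ("Jan 10 12:00:02 usg kernel: [WAN_IN-default-D]IN=eth0 OUT= MAC=00:11:22:33:44:55 "
            "SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=44321 DPT=22")

ACTION_RE = re.compile(r"(?i) .*?: (?P<action>\w+)(?= )")   # EXTRACT-action as posted
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")                       # KEY=value pairs in the event
ALIASES = {"DST": "dest_ip", "DPT": "dest_port", "PROTO": "protocol",
           "SPT": "src_port", "SRC": "src_ip"}                # the FIELDALIAS-* lines
# Assumed tweak for the USG prefix (hypothetical, not from the thread).
USG_ACTION_RE = re.compile(r"\[[^\]]*-(?P<action>[A-Z])\]")
USG_ACTION_MAP = {"A": "accept", "D": "drop", "R": "reject"}


def apply_asus_stanza(line):
    """Emulate the [asus] props stanza over one raw event and return its fields."""
    fields = dict(KV_RE.findall(line))          # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    for raw, alias in ALIASES.items():          # FIELDALIAS: copy raw key to CIM name
        if raw in fields:
            fields[alias] = fields[raw]
    m = ACTION_RE.search(line)                  # EXTRACT-action: word after the first ": "
    if m:
        fields["action"] = m.group("action")
    # EVAL-direction: match(OUT,"eth*") is a regex, so an empty OUT (inbound) gives "in"
    fields["direction"] = "out" if re.search(r"eth*", fields.get("OUT", "")) else "in"
    return fields


def usg_action(line):
    """Assumed extraction for the bracketed USG prefix; None when no prefix is present."""
    m = USG_ACTION_RE.search(line)
    return USG_ACTION_MAP.get(m.group("action")) if m else None


if __name__ == "__main__":
    for name, line in (("asus", ASUS_LINE), ("usg", USG_LINE)):
        f = apply_asus_stanza(line)
        print(name, f.get("action"), f["src_ip"], f["dest_ip"], f["dest_port"], f["direction"])
    print("usg prefix action:", usg_action(USG_LINE))
```

On the ASUS-shaped line the posted regex yields action=DROP; on the USG-shaped line it yields no action at all (the character after "kernel: " is "["), which is the kind of minor tweak the reply above anticipates, while the aliases and direction work unchanged on both.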

wcolgate_splunk
Splunk Employee

There are definitely some tweaks that will be necessary. I ran through some of the overview dashboards, with the following results:

  • Bandwidth overview: all 3 panels show "no results found"
  • Home network overview: my public IP: 0.0.0.0. Total Events and inbound events show data, as does devices on the network (5)... but that seems wrong; I've got many, many devices on the network :-). All other panels say "no results found".
  • Check for intrusions: none (that might be right ;-)).
  • Blocked traffic: Only the top ports request panel shows data, all other panels say, "no results found"
  • network event overview: shows a graph of my two subnets, all other panels say, "no results found"
  • Network inbound: has all panels reporting data!
  • Network outbound: all panels say, "no results found".

I didn't try the device specific/experimental/etc...



amiracle
Splunk Employee

Can you post some sample outputs from the routers to this question? If they have some kind of documentation which describes the fields, that would be helpful too. Once we have that, then we can easily apply some field extractions and link it to the CIM compliant naming convention.
