Home Monitor: Has anyone tried to add support for Ubiquiti routers?

wcolgate_splunk
Splunk Employee

Has anyone tried to add support for Ubiquiti routers? Before I trudge through the syslog output that I've already captured and try to figure out the right props and transforms, I thought I'd ask to see if someone has already done so.

wbanks_splunk
Splunk Employee

The CloudKey controller from Ubiquiti runs a MongoDB and stores all the Deep Packet Inspection information in it. The app really needs to be written to pull this data out to get the "good stuff". The syslog data from Ubiquiti is pretty dry and cryptic.

0 Karma

fwijnholds_splu
Splunk Employee

In theory that sounds like THE thing to do. However, opening the instance for network access is not an option as it does not offer any authentication. If you have any ideas in this direction I am all ears. The BETA IPS logs are horrible by design.

0 Karma

bobmckayuk
New Member

Hi all,

Thanks for the comments. In the end, for my Ubiquiti UniFi USG I just switched to vanilla syslog and it seems to be getting me what I need (I think - still learning the ways of Splunk!).

Thanks

Bob

0 Karma

fwijnholds_splu
Splunk Employee

Hi Bob,

Perhaps a little late, but I am developing a TA for Ubiquiti; have a look and see if it works for you. Let me know if you have any questions: https://splunkbase.splunk.com/app/4107/

regards,
Filip

0 Karma

ekost
Splunk Employee

Looks like someone covered the edge routers on splunkbase here: TA-edgerouter

0 Karma

bobmckayuk
New Member

I too would love to be able to get the sourcetype configured right for Splunk to feed from my UniFi USG!

0 Karma

amiracle
Splunk Employee

The sourcetype below will get you the field extracts / aliases that will populate most of the dashboards (events, in-bound out-bound etc.) The dashboards that will not populate by default will be the bandwidth ones since it does not collect that data from the router source type.

Let me know if you run into any issues getting the fields to properly extract / alias.

0 Karma

amiracle
Splunk Employee

It looks like this follows the same pattern as the asus sourcetype. You might need to make some minor tweaks, but for now set the sourcetype to asus instead of syslog and see if it populates the dashboards.

[asus]
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as protocol
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
EVAL-direction = if(match(OUT,"eth*"), "out", "in")
pulldown_type = 1
LOOKUP-action_lookup = action_lookup action OUTPUT action2
LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host

0 Karma
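To make it concrete what the [asus] stanza above actually does to an event, here is an added example (not code from this thread, from the Home Monitor app, or from Splunk) that emulates its FIELDALIAS, EXTRACT-action and EVAL-direction lines in Python. The sample syslog lines are constructed in the iptables-style "kernel: ACTION IN=... OUT=..." layout the stanza expects and are not captured from a real router; Splunk's automatic KEY=value extraction and its match() function are approximated with Python regexes. The third sample line deliberately has a bracketed rule tag instead of an action word after the first ": ", which is the shape that leaves the action field empty and a dashboard at "no results found".

```python
import re

# Constructed sample events (not from a real device). Lines 1 and 2 follow the
# "kernel: ACTION IN=... OUT=..." layout the asus stanza assumes; line 3 has a
# bracketed rule tag where the action word is expected.
SAMPLE_LINES = [
    "Jan 10 08:15:01 router kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 "
    "SRC=203.0.113.9 DST=192.168.1.20 LEN=40 PROTO=TCP SPT=44321 DPT=23",
    "Jan 10 08:15:02 router kernel: ACCEPT IN=br0 OUT=eth0 "
    "SRC=192.168.1.20 DST=198.51.100.7 LEN=52 PROTO=UDP SPT=51000 DPT=53",
    "Jan 10 08:15:03 router kernel: [WAN_IN-default-D]IN=eth0 OUT= "
    "SRC=203.0.113.10 DST=192.168.1.21 PROTO=TCP SPT=40000 DPT=445",
]

# FIELDALIAS-* lines of the stanza: raw key -> CIM-style field name.
FIELD_ALIASES = {
    "DST": "dest_ip",
    "DPT": "dest_port",
    "PROTO": "protocol",
    "SPT": "src_port",
    "SRC": "src_ip",
}

# EXTRACT-action, copied verbatim: the action is the first word after ": "
# that is itself followed by a space.
ACTION_RE = re.compile(r"(?i) .*?: (?P<action>\w+)(?= )")

# Approximation of Splunk's automatic KEY=value extraction on the raw event.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# EVAL-direction uses match(OUT, "eth*"); match() is a regex test, so "eth*"
# means "et" followed by zero or more "h" anywhere in OUT, not a glob.
OUT_IFACE_RE = re.compile(r"eth*")


def apply_asus_stanza(line: str) -> dict:
    """Emulate the stanza's aliases, extraction and eval on one raw event."""
    raw = dict(KV_RE.findall(line))

    event = {}
    # FIELDALIAS: copy each raw key the event carries into its CIM name.
    for key, cim_name in FIELD_ALIASES.items():
        if key in raw:
            event[cim_name] = raw[key]

    # EXTRACT-action: None when the regex does not fire, as in sample line 3.
    m = ACTION_RE.search(line)
    event["action"] = m.group("action") if m else None

    # EVAL-direction: an empty or missing OUT interface means inbound.
    out_iface = raw.get("OUT", "")
    event["direction"] = "out" if OUT_IFACE_RE.search(out_iface) else "in"
    return event


def events_missing_action(lines) -> list:
    """Return the raw lines on which the action extraction produced nothing."""
    return [line for line in lines if apply_asus_stanza(line)["action"] is None]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(apply_asus_stanza(line))
    print("lines with no action extracted:", len(events_missing_action(SAMPLE_LINES)))
```

Running it shows why the thread's "set the sourcetype to asus" suggestion gets the inbound and port panels going but leaves action-driven panels empty whenever the device writes something other than a bare action word after the first ": "; that is the part of the stanza that needs the tweak for a given router's format.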

wcolgate_splunk
Splunk Employee

There are definitely some tweaks that will be necessary. I ran through some of the overview dashboards, with the following results:

  • Bandwidth overview: all 3 panels show "no results found"
  • Home network overview: my public IP: 0.0.0.0. Total Events and inbound events show data, as does devices on the network (5)... but that seems wrong. I've got many, many devices on the network :-). All other panels say "no results found".
  • Check for intrusions: none (that might be right ;-)).
  • Blocked traffic: Only the top ports request panel shows data, all other panels say, "no results found"
  • network event overview: shows a graph of my two subnets, all other panels say, "no results found"
  • Network inbound: has all panels reporting data!
  • Network outbound: all panels say, "no results found".

I didn't try the device specific/experimental/etc...

0 Karma

wcolgate_splunk
Splunk Employee

(screenshot attached in the original post; image not captured)

0 Karma

amiracle
Splunk Employee

Can you post some sample outputs from the routers to this question? If they have some kind of documentation which describes the fields, that would be helpful too. Once we have that, then we can easily apply some field extractions and link it to the CIM compliant naming convention.

0 Karma