Home Monitor: Has anyone tried to add support for ...

wcolgate_splunk · ‎01-19-2017

Has anyone tried to add support for Ubiquiti routers? Before I trudge through the syslog output that I've already captured and try to figure out the right props and transforms, I thought I'd ask to see if someone has already done so.

wbanks_splunk · ‎10-11-2018

The CloudKey controller from Ubiquity runs a mongoDB and stores all the Deep Packet inspection information in it. The app really needs to be written to pull this data out to get the "good stuff". The syslog data from Ubiquity is pretty dry and cryptic.

fwijnholds_splu · ‎10-15-2018

In theory that sounds like THE thing to do. However; opening the instance for network access is not an option as it does not offer any authentication. If you have any ideas in this direction I am all ears. The BETA IPS logs are horrible by design.

bobmckayuk · ‎05-03-2018

Hi all,

Thank for the comments, in the end for my Ubiquiti Unifi USG I just switched to vanilla syslog and it seems to be getting me what I need (I think - still learning the ways of Splunk!).

Thanks

Bob

fwijnholds_splu · ‎08-19-2018

Hi Bob,

Perhaps a little late, I am developing a TA for ubiquiti, have a look if it works for you. Let me know if you have any questions: https://splunkbase.splunk.com/app/4107/

regards,
Filip

ekost · ‎05-03-2018

Looks like someone covered the edge routers on splunkbase here: TA-edgerouter

bobmckayuk · ‎05-02-2018

I too what love to be able to get the source type configured right for Splunk to feed from my Unifi USG!

amiracle · ‎05-03-2018

The sourcetype below will get you the field extracts / aliases that will populate most of the dashboards (events, in-bound out-bound etc.) The dashboards that will not populate by default will be the bandwidth ones since it does not collect that data from the router source type.

Let me know if you run into any issues getting the fields to properly extract / alias.

amiracle · ‎01-19-2017

It looks like this follows the same pattern as the asus sourcetype. You might need to make some minor tweaks, but for now set the source type to asus instead of syslog and see if it populates the dashboards.

[asus]
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as protocol
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
EVAL-direction = if(match(OUT,"eth*"), "out", "in")
pulldown_type = 1
LOOKUP-action_lookup = action_lookup action OUTPUT action2
LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host

wcolgate_splunk · ‎02-15-2017

There are definitely some tweaks that will be necessary. I ran through some of the overview dashboards, with the following results:

Bandwidth overview: all 3 panels show "no results found"
Home network overview: my public IP: 0.0.0.0, Total Events and inbound events show data, as does devices on the network (5) .. but that seems wrong. I got many many devices on the network :-). All other panels say "no results found".
Check for intrusions: none (that might be right ;-)).
Blocked traffic: Only the top ports request panel shows data, all other panels say, "no results found"
network event overview: shows a graph of my two subnets, all other panels say, "no results found"
Network inbound: has all panels reporting data!
Network outbound: all panels say, "no results found".

I didn't try the device specific/experimental/etc...

wcolgate_splunk · ‎01-19-2017

alt text

amiracle · ‎01-19-2017

Can you post some sample outputs from the routers to this question? If they have some kind of documentation which describes the fields, that would be helpful too. Once we have that, then we can easily apply some field extractions and link it to the CIM compliant naming convention.

Home Monitor: Has anyone tried to add support for Ubiquiti routers?

Index This | How many sides does a circle have?

New This Month - Splunk Observability updates and improvements for faster ...

What's New in Splunk Cloud Platform 9.3.2411?