Has anyone tried to add support for Ubiquiti routers? Before I trudge through the syslog output that I've already captured and try to figure out the right props and transforms, I thought I'd ask to see if someone has already done so.
The CloudKey controller from Ubiquiti runs a MongoDB and stores all the Deep Packet Inspection information in it. The app really needs to be written to pull this data out to get the "good stuff". The syslog data from Ubiquiti is pretty dry and cryptic.
In theory that sounds like THE thing to do. However, opening the instance for network access is not an option as it does not offer any authentication. If you have any ideas in this direction I am all ears. The BETA IPS logs are horrible by design.
Hi all,
Thanks for the comments, in the end for my Ubiquiti UniFi USG I just switched to vanilla syslog and it seems to be getting me what I need (I think - still learning the ways of Splunk!).
Thanks
Bob
Hi Bob,
Perhaps a little late, I am developing a TA for ubiquiti, have a look if it works for you. Let me know if you have any questions: https://splunkbase.splunk.com/app/4107/
regards,
Filip
Looks like someone covered the edge routers on splunkbase here: TA-edgerouter
I too would love to be able to get the sourcetype configured right for Splunk to feed from my UniFi USG!
The sourcetype below will get you the field extracts / aliases that will populate most of the dashboards (events, in-bound out-bound etc.) The dashboards that will not populate by default will be the bandwidth ones since it does not collect that data from the router source type.
Let me know if you run into any issues getting the fields to properly extract / alias.
It looks like this follows the same pattern as the asus sourcetype. You might need to make some minor tweaks, but for now set the source type to asus instead of syslog and see if it populates the dashboards.
[asus]
FIELDALIAS-dst = DST as dest_ip
FIELDALIAS-dpt = DPT as dest_port
FIELDALIAS-proto = PROTO as protocol
FIELDALIAS-SPT = SPT as src_port
FIELDALIAS-SRC = SRC as src_ip
EXTRACT-action = (?i) .*?: (?P<action>\w+)(?= )
EVAL-direction = if(match(OUT,"eth*"), "out", "in")
pulldown_type = 1
LOOKUP-action_lookup = action_lookup action OUTPUT action2
LOOKUP-rdns = dnsLookup ip AS dest_ip OUTPUTNEW host as rdns_host
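To check how the stanza above maps a raw event to the dashboard fields before touching props.conf, here is an added Python emulation of its EXTRACT, FIELDALIAS and EVAL lines (not part of the app or this thread). The sample events are constructed; the USG line is an assumption about the kernel firewall log layout, not a captured event.

```python
"""Emulate the [asus] props.conf stanza's field extraction over sample
firewall syslog lines so the result can be compared with what Splunk shows."""
import re

# KEY=VALUE pairs as Splunk's automatic key/value extraction would find them
KV_RE = re.compile(r"(\w+)=(\S*)")
# EXTRACT-action from the stanza: first word after the first ": " in the event
ACTION_RE = re.compile(r"(?i) .*?: (?P<action>\w+)(?= )")
# FIELDALIAS-* lines from the stanza, mapped to CIM-style names
ALIASES = {"DST": "dest_ip", "DPT": "dest_port", "PROTO": "protocol",
           "SPT": "src_port", "SRC": "src_ip"}


def extract(event: str) -> dict:
    """Return the fields Splunk would produce for one event under the stanza."""
    fields = {k: v for k, v in KV_RE.findall(event)}
    for raw, alias in ALIASES.items():
        if raw in fields:
            fields[alias] = fields[raw]
    m = ACTION_RE.search(event)
    if m:
        fields["action"] = m.group("action")
    # EVAL-direction = if(match(OUT,"eth*"), "out", "in"); a missing or
    # empty OUT field falls through to "in", as it does in Splunk
    fields["direction"] = "out" if re.search(r"eth*", fields.get("OUT", "")) else "in"
    return fields


# Constructed sample events using RFC 5737 documentation addresses.
ASUS_LINE = ("Jun  1 10:00:00 router kernel: DROP IN=eth0 OUT= "
             "SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=23")
# Assumed USG layout: the rule tag sits where the asus action word would be,
# so the stanza's action regex finds nothing and the action field stays empty.
USG_LINE = ("Jun  1 10:00:01 usg kernel: [WAN_LOCAL-D-2000]IN=eth0 OUT= "
            "SRC=203.0.113.5 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=5353")

if __name__ == "__main__":
    for line in (ASUS_LINE, USG_LINE):
        f = extract(line)
        print({k: f.get(k) for k in ("action", "direction", "src_ip", "dest_port")})
```

Running it shows which of the stanza's fields populate for each line, which is the quickest way to see where the "minor tweaks" for the USG are needed.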
There are definitely some tweaks that will be necessary. I ran through some of the overview dashboards, with the following results:
I didn't try the device specific/experimental/etc...
Can you post some sample outputs from the routers to this question? If they have some kind of documentation which describes the fields, that would be helpful too. Once we have that, then we can easily apply some field extractions and link it to the CIM compliant naming convention.