All Apps and Add-ons

Home Monitor: How to configure the app to get syslog to Splunk on my home network?

MonkeyK
Builder

I am not very network savvy. Trying to get my home router to syslog to Splunk to look at connection info in the Home Monitor app.

I can see events in the bandwidth_test sourcetype, so I know that I have the app running.
If I go to Settings | Data inputs | UDP, I can see UDP port 514 enabled with source type RT-N66U.
And in Windows Firewall, I can see that I have created an inbound rule called Splunk Syslog, which allows local port UDP 514, and remote port: all ports
On my RT-N66U router I have set remote log server to my Splunk install's IP address.

But in app, I see no logs and in the search app, I do not see events from syslog or RT-N66U or asus.
I tried running netstat -p UDP; that returns nothing. netstat -p TCP does return a lot of high ports and 8000, 8191 (I think these are the Splunk app).

Any clues/advice on what I am missing?

0 Karma
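One way to separate "the router is not sending" from "Splunk is not receiving", added here as an example and not part of the original question or of the Home Monitor app: send a known syslog datagram to the UDP 514 input yourself and then search for it. The script below builds an RFC 3164 (BSD syslog) line, runs an offline loopback self-check of the same send path, and, when given a host, sends one test event to it. The hostname RT-N66U is taken from the thread; the tag splunk-test, the script name and the facility/severity values are illustrative choices, and the destination host and port are whatever the reader's Splunk install uses.

```python
"""Send a known syslog event to a UDP syslog input so that receipt can be
checked in Splunk independently of what the router sends.

Added example; not part of the original thread or the Home Monitor app.
Hostname RT-N66U and tag splunk-test are illustrative; the destination host
and port come from the command line (the Splunk indexer's IP and 514)."""
import socket
import sys
import time

FAC_USER = 1      # syslog facility "user"
SEV_NOTICE = 5    # syslog severity "notice"


def build_syslog_line(message, facility=FAC_USER, severity=SEV_NOTICE,
                      hostname="RT-N66U", tag="splunk-test", when=None):
    """Format an RFC 3164 (BSD syslog) line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.
    PRI is facility * 8 + severity; user.notice is therefore <13>."""
    t = time.localtime(when)
    # RFC 3164 pads a single-digit day with a space ("Oct  5"), not a zero.
    stamp = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{facility * 8 + severity}>{stamp} {hostname} {tag}: {message}"


def send_syslog(line, host, port):
    """Send one line as a single UDP datagram; returns the number of bytes sent.
    UDP gives no delivery feedback, so a successful return only proves the
    datagram left this host, not that the input received it."""
    data = line.encode("utf-8")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        return tx.sendto(data, (host, port))


def loopback_check(message="loopback self-test"):
    """Bind an ephemeral UDP port on 127.0.0.1 as a stand-in for the Splunk
    input, send to it, and return the datagram that arrived. Exercises the
    same code path offline; raises socket.timeout if nothing arrives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2.0)
        _, port = rx.getsockname()
        send_syslog(build_syslog_line(message), "127.0.0.1", port)
        data, _ = rx.recvfrom(65535)
        return data.decode("utf-8")


if __name__ == "__main__":
    # Usage: python send_test_syslog.py <splunk-host> [port]
    # Afterwards search Splunk for:  index=homemonitor "splunk-test"
    if len(sys.argv) < 2:
        sys.exit("usage: send_test_syslog.py <splunk-host> [port]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
    print("loopback:", loopback_check())
    line = build_syslog_line(f"test event from {socket.gethostname()}")
    print(f"sent {send_syslog(line, host, port)} bytes to {host}:{port}: {line}")
```

Run it from a machine other than the Splunk server where possible (the Windows firewall rule only matters for traffic arriving from other hosts), then search index=homemonitor "splunk-test" over the last few minutes without restricting the sourcetype. A hit proves the UDP input, the firewall rule and the network path all work, so the problem is on the router side; no hit narrows it to the receive path on the Splunk host.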
1 Solution

amiracle
Splunk Employee

It seems like your router is not sending the appropriate data which can be used in the app. Make sure to enable the firewall feature (if applicable) to send the data required for the app to work.


0 Karma

Jizbo
New Member

Kam, firewall is enabled. This is all Asus data being sent.

0 Karma

amiracle
Splunk Employee

Can you consider this thread answered?

0 Karma

Jizbo
New Member

Last thing Kam, my Public IP is showing up as 100.90.93.1. However, that's not even close. Any ideas? Thanks

0 Karma

amiracle
Splunk Employee

Yes, I have that fixed in the next release of the app. For now, it's just looking at the logs to see the highest occurrence of a public IP. In the next release it uses a simple script to determine your public IP.

0 Karma

Jizbo
New Member

Thanks for all your help. Might want to add that important step (firewall logging dropped and accepted) for Asus routers. That way idiots like me won't waste your time.

Many thanks

0 Karma

Jizbo
New Member

Yes, this thread is answered. Thanks

0 Karma

MonkeyK
Builder

I'll hit accept. I had the same problem. My Asus router was only sending DHCP logs to Splunk. I could not figure out how to get it to send traffic logs as well.

0 Karma

Jizbo
New Member

Hmmmmm, the firewall setting may have done it. I set it to log both dropped and accepted packets and now it appears to be working.

0 Karma

Jizbo
New Member

Yeah, it's now showing data. Idiot move on my part: I had firewall not logging any packets. Doh!
That said, I don't see any of the other entries showing up e.g. VPN data. Is it supposed to show up in Splunk? Thanks for everyone's help.

0 Karma

MonkeyK
Builder

Jizbo, how are you setting your firewall to log packets?

0 Karma

Jizbo
New Member

I use Asus-WRT. On the Firewall - General tab, be sure to check "Both" on the Logged packets type drop-down. Currently using 380.69 Asus-WRT.

0 Karma

amiracle
Splunk Employee

No worries, I'm glad it started to work. As for the other data that is being sent, you can eventually build your own dashboards and reports. They will not interfere with the existing dashboards and reports for the app.

0 Karma

Jizbo
New Member

Lots of data showing up in udpin_connections*.

When I run index=homemonitor I get: asus and count 10 at end of line.

I thought my sourcetype for UDP:514 is asus. Am I reading that wrong?

0 Karma

amiracle
Splunk Employee

The data coming from the _internal index shows that the input is up.

The count shows that some data is coming in, now let's make sure it is breaking and extracting data. Run this search:
index=homemonitor sourcetype=asus | stats count by src_ip, src_port, dest_ip, dest_port

0 Karma

Jizbo
New Member

"No results in current time range."

I ran it for 60 min, 30 seconds, and Real Time. All report the same result.

0 Karma

Jizbo
New Member

Weird. When I run index=homemonitor sourcetype=asus I get some decent input showing up. But when I run the rest of the commands it's always "no results in current time range".

0 Karma

FrankVl
Ultra Champion

With "rest of the commands" you mean the stats count by src_ip... etc. that amiracle suggested?

When you just do the index and sourcetype search, do the fields used in that stats command actually show up as properly extracted fields? If not, then that explains why your stats command gives no results.

0 Karma
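amiracle's stats search only returns rows when Splunk has actually extracted src_ip, src_port, dest_ip and dest_port from each event, which is FrankVl's point. The script below is an added example, not code from the Home Monitor app or from anyone in the thread: it does the same extraction and the same count-by-tuple over a handful of constructed log lines, so you can see what "properly extracted" looks like and why a feed that carries only DHCP and wireless messages gives "No results". It assumes the router's firewall logging emits iptables LOG-target lines (the DROP/ACCEPT ... SRC= DST= PROTO= SPT= DPT= form); the sample lines are made up for the example, not captured from a real RT-N66U.

```python
"""Extract the connection tuple from netfilter-style firewall log lines and
count by (src_ip, src_port, dest_ip, dest_port), the offline equivalent of
    index=homemonitor sourcetype=asus | stats count by src_ip, src_port, dest_ip, dest_port

Added example; not code from the Home Monitor app or the thread. Assumes the
iptables LOG-target line format (DROP/ACCEPT ... SRC= DST= PROTO= SPT= DPT=).
SAMPLE_LOG below is constructed, not captured from a real router."""
import re
from collections import Counter

# Keys the iptables LOG target emits as KEY=VALUE; OUT= may be empty on inbound drops.
KV_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")
ACTION_RE = re.compile(r"\b(ACCEPT|DROP|REJECT)\b")

# Constructed sample: two repeated telnet probes dropped on the WAN side, one
# accepted DNS lookup from the LAN, one ICMP echo (no ports), then the kind of
# DHCP and wireless lines a router sends when packet logging is switched off.
SAMPLE_LOG = """\
Oct  5 10:01:02 kernel: DROP IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=TCP SPT=44123 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Oct  5 10:01:03 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=44123 DPT=23 SYN
Oct  5 10:01:05 kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.53 LEN=60 PROTO=UDP SPT=51324 DPT=53 LEN=40
Oct  5 10:01:06 kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct  5 10:01:07 dnsmasq-dhcp[511]: DHCPACK(br0) 192.168.1.50 aa:bb:cc:dd:ee:ff laptop
Oct  5 10:01:08 wlceventd: WLCEVENTD wl0.1: Assoc 11:22:33:44:55:66
"""


def parse_firewall_line(line):
    """Return the fields the stats search needs, or None when the line is not a
    firewall log line (DHCP, wireless, ...). Ports are None for protocols
    without them (ICMP), which Splunk would likewise leave unextracted."""
    action = ACTION_RE.search(line)
    if action is None or "SRC=" not in line:
        return None
    kv = dict(KV_RE.findall(line))
    return {
        "action": action.group(1),
        "in_if": kv.get("IN") or None,
        "out_if": kv.get("OUT") or None,
        "proto": kv.get("PROTO"),
        "src_ip": kv.get("SRC"),
        "src_port": int(kv["SPT"]) if kv.get("SPT") else None,
        "dest_ip": kv.get("DST"),
        "dest_port": int(kv["DPT"]) if kv.get("DPT") else None,
    }


def stats_count_by_tuple(lines):
    """`| stats count by src_ip, src_port, dest_ip, dest_port` over the parsed
    lines. Like Splunk's stats, an event missing any by-field (a non-firewall
    line, or ICMP with no ports) contributes nothing to the result."""
    counts = Counter()
    for line in lines:
        ev = parse_firewall_line(line)
        if ev is None:
            continue
        key = (ev["src_ip"], ev["src_port"], ev["dest_ip"], ev["dest_port"])
        if any(v is None for v in key):
            continue
        counts[key] += 1
    return counts


def feed_summary(lines):
    """How much of the feed is firewall data at all. firewall == 0 with other > 0
    is the symptom in this thread: the input is up, but the router is only
    sending DHCP/wireless messages because packet logging is off."""
    firewall = sum(1 for l in lines if parse_firewall_line(l) is not None)
    return {"firewall": firewall, "other": len(lines) - firewall}


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(feed_summary(lines))
    for key, n in stats_count_by_tuple(lines).most_common():
        print(n, *key)
```

The quick check this gives you in Splunk itself: run index=homemonitor sourcetype=asus alone, open an event, and look for src_ip, src_port, dest_ip and dest_port in the field list on the left. If the events are DHCP or wireless lines like the last two in the sample, those fields will not be there and the stats command has nothing to group by; the fix is on the router (log dropped and accepted packets), not in the search.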

Jizbo
New Member

Yes, I mean src_ip... etc. that amiracle suggested.
Not sure what a properly extracted field looks like. I'll try and post (although the moderator never lets me post logs).

0 Karma

Jizbo
New Member

Try this link. It's a screen capture of index=homemonitor sourcetype=asus.
I had to save it as a .jpg.

0 Karma