All Apps and Add-ons

Home Monitor: How to configure the app to get syslog to Splunk on my home network?

MonkeyK
Builder

I am not very network savvy. Trying to get my home router to syslog to Splunk to look at connection info in the Home Monitor app.

I can see events in the bandwidth_test sourcetype, so I know that I have the app running.
If I go to Settings | Data inputs | UDP, I can see UDP port 514 enabled with source type RT-N66U.
And in Windows Firewall, I can see that I have created an inbound rule called Splunk Syslog, which allows local port UDP 514, and remote port: all ports.
On my RT-N66U router I have set remote log server to my Splunk install's IP address.

But in app, I see no logs and in the search app, I do not see events from syslog or RT-N66U or asus.
I tried running netstat -p UDP, which returns nothing. netstat -p TCP does return a lot of high ports and 8000, 8191 (I think these are the Splunk app).

Any clues/advice on what I am missing?

0 Karma
1 Solution

amiracle
Splunk Employee

It seems like your router is not sending the appropriate data which can be used in the app. Make sure to enable the firewall feature (if applicable) to send the data required for the app to work.


0 Karma

FrankVl
Ultra Champion

Do you see the fields you use in the stats command in the list of interesting fields on the left?

0 Karma

Jizbo
New Member

Yes. There's a big list.

0 Karma

Jizbo
New Member

Interesting Fields

date_hour 2
date_mday 1
date_minute 4
date_month 1
date_second 4
date_wday 1
date_zone 1
direction 1
index 1
linecount 1
punct 4
splunk_server 1
timeendpos 1
timestartpos 1

1 more field

0 Karma

Jizbo
New Member

FrankVl, did you actually get it to work? I see you had problems earlier.

0 Karma

FrankVl
Ultra Champion

Looks like the relevant fields are not available, so when you do a stats, that indeed does not return any results. amiracle mentions something below about not having the right type of events coming in from your router.

I never tried this myself.

0 Karma

Jizbo
New Member

Nope, I can't send links apparently. Trying again:
https://www.dropbox.com/s/lehlw5y1mc5hwl1/Splunk.jpg?dl=0

0 Karma

Jizbo
New Member

Link above worked. It's a .jpg screen grab.

0 Karma

amiracle
Splunk Employee

First thing I would do is change the sourcetype from RT-N66U to asus. Check out this wiki entry that walks you through why having the sourcetype asus is necessary for the app:
https://github.com/amiracle/homemonitor/wiki/Configure-home-monitor-app-for-Splunk

Let me know if that helps with your setup.

Thanks,
Kam

0 Karma

MonkeyK
Builder

Thank you! I did start messing with the stanzas after it did not work initially. When I get home tonight, I'll try a reinstall and make sure that everything is set to asus.

0 Karma

aaraneta_splunk
Splunk Employee

Hi @MonkeyK - Did amiracle's comment help provide a working solution to your question? If yes, please let me know so that I can convert it to an Answer to be accepted. That way others can easily find your question in case they have the same issue. Thanks.

0 Karma

MonkeyK
Builder

Sorry, I lost track of trying the reinstall. I will do my best to try it when I get home tonight.

0 Karma

nickhills
Ultra Champion

You're on the right track with netstat -p UDP; if Splunk is listening you should definitely see an entry for it.

If that entry is missing, I wonder if splunk is failing to start the listener process?

If my comment helps, please give it a thumbs up!
0 Karma

MonkeyK
Builder

I think that you are right. I finally did the reinstall and just used the basic setup. I selected:
hostname: RT-N66U (because ping -1 returned that)
sourcetype: asus

and I unchecked disable for UDP 514.

However, I still see no data in the Home Monitor app and netstat -p UDP still shows nothing.

I will try disabling my Windows firewall temporarily to see if that is holding anything up.

0 Karma

MonkeyK
Builder

OK. I disabled Windows Firewall on private networks; still, netstat -p UDP is empty.

So I went to my Splunk data inputs and disabled and re-enabled the UDP port 514. Still nothing on netstat -p UDP.

Disabled Windows Firewall on public networks. Still nothing on netstat -p UDP.
Disabled and re-enabled port 514 in Splunk. Still nothing on netstat.

Restarted Splunk with Windows Firewall turned off. Still nothing on netstat.

Seems like there must be a step still missing.

0 Karma

amiracle
Splunk Employee

Have you been able to get this working on your Windows box? I honestly have not tested this out on Windows since I don't have any Windows workstation to test this on in my lab. Let me know if there is anything I can test out from my end.

Thanks,
Kam

0 Karma

MonkeyK
Builder

Hey Kam. I kind of gave up. I just couldn't figure it out.

To be honest, I don't even know where the problem is. Maybe I simply have not properly configured my router.

0 Karma

MonkeyK
Builder

I gave it another shot. Uninstalled Splunk, reinstalled Splunk and Home Monitor.

Set my router to:
Remote Log Server: 192.168.1.19 (my desktop, wifi)
Default message log level: info
Log only messages more urgent than: all

Set Windows Firewall to allow UDP 514 inbound.
Configured Home Monitor, entered asus.

Verified my Splunk data inputs; I can see UDP 514 with a source type of asus enabled.

But no data in Splunk. So I fired up Wireshark (which I am not very good with) and put a filter on udp.port==514. This shows traffic from 192.169.1.1 to 192.168.1.19 with a protocol of Syslog, but the messages are all DAEMON.INFO and then note DHCP. Not sure if Home Monitor is handling DHCP? But those should still get ingested as syslog, right?

0 Karma

amiracle
Splunk Employee

Yes, so the data being sent from your router should still show up in Splunk as Syslog. The question I have is if the Windows server is permitting Splunk to run and collect data on 514. I know it's usually an issue with Linux on root owned ports >1028.

0 Karma

MonkeyK
Builder

I tried netstat -abn and found splunkd on a whole lot of ports, but not 514. Instead svchost.exe was listening on 514:
[svchost.exe]
UDP 0.0.0.0:514 :

Since Splunk says that UDP:514 is enabled, it could be that svchost is initiated by Splunk, but maybe not.
I'll try another question on this forum asking for help on how to verify that Splunk is able to collect data from 514.

0 Karma

MonkeyK
Builder

Oh, getting closer. netstat -abno also gives me the process ID.

[svchost.exe]
UDP 0.0.0.0:514 : 1820

Looking that up in Task Manager shows me that Process ID 1820 is splunkd.exe.

I think that I still need to ask a separate question of why the logs don't get into Splunk.

0 Karma
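A scripted version of the checks worked out in the posts above, added here as an example (it is not from the thread, from Splunk, or from the Home Monitor app). It resolves the process bound to UDP 514 with Get-NetUDPEndpoint (netstat only lists UDP listeners when run with -a, which is why the earlier netstat -p UDP came back empty) and inspects the inbound firewall rule named in the question. The rule name 'Splunk Syslog' and the port come from the thread; the splunk.exe path assumes a default SPLUNK_HOME and is an assumption.

```powershell
# Added example: verify the UDP 514 listener and the firewall rule on the Splunk host.
# Run in an elevated PowerShell session.
$port     = 514
$ruleName = 'Splunk Syslog'   # name used in the question; adjust if yours differs

# 1. Which process owns the UDP socket? (no -a trick needed, unlike netstat)
$listeners = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning "Nothing is bound to UDP $port - check the UDP data input and splunkd.log"
} else {
    $listeners | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress      # 0.0.0.0 means all IPv4 interfaces
            LocalPort    = $_.LocalPort
            OwningPID    = $_.OwningProcess
            ProcessName  = $proc.ProcessName    # expect splunkd here
            Path         = $proc.Path
        }
    } | Format-Table -AutoSize
}

# 2. Is the inbound rule enabled, UDP, on port 514, and on the profile the NIC is using?
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Enabled   = $_.Enabled
            Direction = $_.Direction           # expect Inbound
            Action    = $_.Action              # expect Allow
            Profile   = $_.Profile             # must include the active profile below
            Protocol  = $filter.Protocol       # expect UDP
            LocalPort = $filter.LocalPort      # expect 514
        }
    } | Format-Table -AutoSize

# 3. Current network profile of each connected adapter (Private vs Public)
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# 4. Splunk's own view of its configured UDP inputs (path is an assumption: default SPLUNK_HOME)
$splunk = 'C:\Program Files\Splunk\bin\splunk.exe'
if (Test-Path $splunk) { & $splunk list udp }
```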

MonkeyK
Builder

Also pursuing this on snbforums. I have been informed that asus traffic logs are not exportable. I have seen elsewhere that this is an Asus/Merlin decision, so other firmwares may make traffic logs available.

0 Karma