I am not very network savvy. Trying to get my home router to syslog to Splunk to look at connection info in the Home Monitor app.
I can see events in the bandwidth_test sourcetype, so I know that I have the app running.
If I go to settings|Data inputs|UDP, I can see UDP port 514 enabled with source type RT-N66U.
And in Windows Firewall, I can see that I have created an inbound rule called Splunk Syslog, which allows local port UDP 514, and remote port: all ports.
On my RT-N66U router I have set remote log server to my Splunk install's IP address.
But in the app, I see no logs, and in the search app, I do not see events from syslog or RT-N66U or asus.
I tried running netstat -p UDP, which returns nothing. netstat -p TCP does return a lot of high ports and 8000, 8191 (I think these are the Splunk app).
Any clues/advice on what I am missing?
It seems like your router is not sending the appropriate data which can be used in the app. Make sure to enable the firewall feature (if applicable) to send the data required for the app to work.
Kam, firewall is enabled. This is all asus data being sent.
Can you consider this thread answered?
Last thing Kam, my Public IP is showing up as 100.90.93.1. However, that's not even close. Any ideas? Thanks
Yes, I have that fixed in the next release of the app. For now, it's just looking at the logs to see the highest occurrence of a public IP. In the next release it uses a simple script to determine your public IP.
Thanks for all your help. Might want to add that important step (firewall logging dropped and accepted) for asus routers. That way idiots like me won't waste your time.
Many thanks
Yes, this thread is answered. Thanks
I'll hit accept. I had the same problem. My Asus router was only sending DHCP logs to Splunk. I could not figure out how to get it to send traffic logs as well.
Hmmmmm, the firewall setting may have done it. I set it to log both dropped and accepted packets and now it appears to be working.
Yeah, it's now showing data. Idiot move on my part: I had firewall not logging any packets. Doh!
That said, I don't see any of the other entries showing up e.g. VPN data. Is it supposed to show up in Splunk? Thanks for everyone's help.
Jizbo, how are you setting your firewall to log packets?
I use Asus-WRT. On the Firewall - General tab, be sure to check "Both" on the Logged packets type drop-down. Currently using 380.69 Asus-WRT.
No worries, I'm glad it started to work. As for the other data that is being sent, you can eventually build your own dashboards and reports. They will not interfere with the existing dashboards and reports for the app.
lots of data showing up on udpin_connections*
When I run index=homemonitor I get: asus and count 10 at end of line.
I thought my sourcetype for UDP:514 is asus. Am I reading that wrong?
The data coming from the _internal index shows that the input is up.
The count shows that some data is coming in, now let’s make sure it is breaking and extracting data. Run these searches:
Index=homemonitor sourcetype=asus | stats count by src_ip, src_port, dest_ip, dest_port
"No results in current time range."
I ran it for 60 min, 30 seconds, and Real Time. All report the same results.
Weird. When I run index=homemonitor sourcetype=asus I get some decent input showing up. But when I run the rest of the commands it's always "no results in current time range".
With "rest of the commands" you mean the stats count by src_ip... etc. that amiracle suggested?
When you just do the index and sourcetype search, do the fields used in that stats command actually show up as properly extracted fields? If not, then that explains why your stats command gives no results.
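As an added illustration of the field check suggested above (this is example code, not part of the original thread or the Home Monitor app): the stats search only returns rows when src_ip, src_port, dest_ip and dest_port are actually extracted from each event. The script below parses constructed sample lines in the netfilter LOG format that Asus-WRT firewall logging emits (assumed layout; the exact prefix may differ by firmware build), reports which required fields are missing per line, and reproduces the `stats count by` grouping locally.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not real captures). The first three are
# firewall lines as logged when "Logged packets type" is set to Both; the
# last is a DHCP line, which carries none of the fields the stats search needs.
SAMPLE_LOG = """\
Mar  3 10:15:01 RT-N66U kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=443 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:02 RT-N66U kernel: ACCEPT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50123 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 RT-N66U kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=443 DPT=22 SYN URGP=0
Mar  3 10:15:04 RT-N66U dnsmasq-dhcp[123]: DHCPACK(br0) 192.168.1.20 aa:bb:cc:dd:ee:ff laptop
"""

ACTION_RE = re.compile(r"kernel: (ACCEPT|DROP)\b")   # assumed Asus-WRT log prefix
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")               # netfilter KEY=value pairs
REQUIRED = ("src_ip", "src_port", "dest_ip", "dest_port")


def extract_fields(line):
    """Return the fields the Home Monitor search groups by, or None when the
    line is not a firewall log line (e.g. the DHCP line above)."""
    m = ACTION_RE.search(line)
    if not m:
        return None
    kv = dict(KV_RE.findall(line[m.end():]))
    return {
        "action": m.group(1),
        "src_ip": kv.get("SRC"),
        "src_port": kv.get("SPT"),   # absent on ICMP lines, so may be None
        "dest_ip": kv.get("DST"),
        "dest_port": kv.get("DPT"),
        "proto": kv.get("PROTO"),
    }


def missing_fields(lines):
    """List (line_number, missing_field_names) for every line that would be
    silently dropped by `stats count by src_ip, src_port, dest_ip, dest_port`."""
    report = []
    for n, line in enumerate(lines, 1):
        f = extract_fields(line) or {}
        missing = [k for k in REQUIRED if not f.get(k)]
        if missing:
            report.append((n, missing))
    return report


def stats_count(lines):
    """Local equivalent of the SPL `stats count by` over the four fields."""
    counts = Counter()
    for line in lines:
        f = extract_fields(line)
        if f and all(f.get(k) for k in REQUIRED):
            counts[tuple(f[k] for k in REQUIRED)] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("lines lacking required fields:", missing_fields(lines))
    for key, c in stats_count(lines).items():
        print(*key, c)
```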
Yes, I mean src_ip... etc. that amiracle suggested.
Not sure what a properly extracted field looks like. I'll try and post (although the moderator never lets me post logs).
Try this link. It's screen capture of Index=homemonitor sourcetype=asus
I had to save as a .jpg