
Home Monitor: How to integrate and configure an Asus RT-AC88U router with the app?

kmax9981
Explorer

I used the Home Monitor app to set up the data source. I have the Splunk server IP address set in the Remote Log Server for the router, and I also have the UDP 514 port open on the Splunk server. However, the only data I am getting is bandwidth tests (sourcetype:bandwidth_test). Has anyone else used the Asus RT-AC88U router with any luck?

kmax9981
Explorer

sudo firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0f1
sources:
services: dhcpv6-client ssh syslog vnc-server
ports: 514/udp 8000/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8191 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8065 0.0.0.0:* LISTEN -
tcp6 0 0 127.0.0.1:14186 :::* LISTEN 1695/java
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 ::1:6010 :::* LISTEN -
udp 0 0 0.0.0.0:64953 0.0.0.0:* -
udp 0 0 192.168.122.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:67 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 0.0.0.0:38233 0.0.0.0:* -
udp6 0 0 ::1:323 :::* -
udp6 0 0 :::4731 :::* -

Splunk data inputs show UDP 514, sourcetype:assus, enabled

0 Karma

mattymo
Splunk Employee

Looks like you need to open 514 in firewalld:

firewall-cmd --permanent --zone=public --add-port=514/udp
firewall-cmd --reload

I am still playing with the logging levels on the Asus RT-AC68U. Haven't really found much use for the logging yet... but that may be because of the logging levels...

- MattyMo
0 Karma

kmax9981
Explorer

I have the syslog service open already; shouldn't that take care of the port, or do I have to explicitly open UDP 514? As mentioned, I am getting bandwidth monitoring data from the router, which would suggest the port is already open, does it not?

0 Karma

mattymo
Splunk Employee

Your firewalld output above only showed 8000 open. I never use the service definitions. Might work.

Does it now show 514 UDP?

Try running netstat -tulpn to confirm you see the listener.

Is Splunk listening for 514 from all hosts?

- MattyMo
0 Karma
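The two checks suggested above (is 514/udp allowed in the firewalld zone, and is something actually bound to it) can be scripted against the text output of the same commands. The following is an added example and not code from the thread or from Splunk; it parses `firewall-cmd --zone=public --list-all` and `netstat -tulpn` output passed in as strings, and the sample listings are constructed to mirror the ones posted in the thread. It assumes the stock firewalld `syslog` service definition, which is 514/udp.

```shell
#!/bin/sh
# Added example, not code from the thread: decide from the text output of
# `firewall-cmd --zone=public --list-all` and `netstat -tulpn` whether
# UDP 514 is both allowed by firewalld and actually bound by a listener.
# The outputs are passed in as strings so the checks run offline on the
# constructed samples below; on a real host feed them the live output.

# 0 if the zone allows UDP port 514, either via an explicit "ports:" entry
# or via the stock firewalld "syslog" service, whose definition
# (/usr/lib/firewalld/services/syslog.xml) is 514/udp.
firewalld_allows_syslog_udp() {
    listing="$1"
    ports=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
    services=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
    for p in $ports; do
        [ "$p" = "514/udp" ] && return 0
    done
    for s in $services; do
        [ "$s" = "syslog" ] && return 0
    done
    return 1
}

# 0 if netstat shows a UDP socket bound to port 514 on a wildcard address
# (0.0.0.0 or ::), i.e. one that remote hosts such as the router can reach.
netstat_has_udp514_listener() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^udp/ && $4 ~ /:514$/ {
            addr = $4; sub(/:514$/, "", addr)
            if (addr == "0.0.0.0" || addr == "::") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Prints one of: blocked, no-listener, ok.
diagnose_udp514() {
    if ! firewalld_allows_syslog_udp "$1"; then
        echo blocked
    elif ! netstat_has_udp514_listener "$2"; then
        echo no-listener
    else
        echo ok
    fi
}

# Constructed samples modelled on the listings posted in the thread:
# firewalld allows the syslog service, but nothing is bound to 514/udp.
SAMPLE_FW='public (active)
  target: default
  services: dhcpv6-client ssh syslog vnc-server
  ports: 8000/tcp'
SAMPLE_NS='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -'

diagnose_udp514 "$SAMPLE_FW" "$SAMPLE_NS"    # no-listener
```

On the sample the verdict is `no-listener`: the firewall is not the problem, the missing UDP socket is. That matches how the thread resolves, since a Splunk process running as an unprivileged user cannot bind a port below 1024 without CAP_NET_BIND_SERVICE. Running Splunk as root is one way out; the less privileged alternatives are to receive on a high port (and point the router at it) or to grant only that capability to the splunkd binary.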

kmax9981
Explorer

Removed the Home Monitor app and tried to set a data input for UDP 514, but got an error stating it was not available. Uninstalled Splunk, then installed it as root, installed Home Monitor, and everything is now working; I must have initially installed Splunk as a non-root user.

Thanks for the assist.

0 Karma

kmax9981
Explorer

Getting data now, but all the Home Monitor dashboards say no data. Assuming this has to do with the router logging; any info you could share that you have found on the logging levels would be very helpful.

0 Karma

mattymo
Splunk Employee

I'm just getting to know the logging levels I like. I ended up using this article to play with the nvram command and so far am running log_level 7.

https://fatmin.com/2015/01/04/configure-syslog-logging-levels-on-the-asus-rt-ac66u-router/

Will run through them and see what I get. Level 7 is basically DHCP and dropbear when I log in so far.

- MattyMo
0 Karma
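The log levels being discussed are the standard syslog severities, and each datagram the router sends over UDP 514 carries them in its `<PRI>` prefix (facility * 8 + severity, per RFC 3164): `<4>` is facility 0 "kern" and severity 4 "warning", which is exactly what Wireshark labels KERN.WARNING further down this thread. The following is an added example, not code from the thread or the linked article; it decodes that prefix and applies a "log up to this severity" threshold. The sample datagrams are constructed, and treating the router's log_level as a plain severity cut-off is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example, not code from the thread: decode the <PRI> prefix of a
# BSD/RFC 3164 syslog datagram. PRI = facility * 8 + severity, where
# facility 0 is "kern" and severity 4 is "warning", so "<4>" is what a
# packet capture renders as KERN.WARNING.

SEVERITIES="emerg alert crit err warning notice info debug"              # 0..7
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp"  # 0..11

# word_at "LIST" INDEX -> prints the INDEX-th (0-based) word of LIST.
word_at() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "$(( $2 + 1 ))p"
}

# decode_pri MESSAGE -> prints "facility.severity" (e.g. kern.warning) for
# the leading <PRI>; prints "invalid" and returns 1 if there is none.
decode_pri() {
    msg="$1"
    case "$msg" in
        '<'[0-9]'>'*|'<'[0-9][0-9]'>'*|'<'[0-9][0-9][0-9]'>'*) ;;
        *) echo invalid; return 1 ;;
    esac
    pri=${msg#"<"}; pri=${pri%%">"*}
    [ "$pri" -le 191 ] || { echo invalid; return 1; }   # max is local7.debug
    fac=$((pri / 8)); sev=$((pri % 8))
    if [ "$fac" -le 11 ]; then
        facname=$(word_at "$FACILITIES" "$fac")
    elif [ "$fac" -ge 16 ]; then
        facname="local$((fac - 16))"                     # 16..23 are local0..local7
    else
        facname="facility$fac"                           # 12..15 are rarely used
    fi
    echo "$facname.$(word_at "$SEVERITIES" "$sev")"
}

# passes_threshold MESSAGE LEVEL -> 0 if the message severity (0-7, lower is
# more urgent) is at or below LEVEL. Assumption: this is how the router's
# log_level threshold behaves; the thread does not state the exact mapping.
passes_threshold() {
    decode_pri "$1" >/dev/null || return 1
    p=${1#"<"}; p=${p%%">"*}
    [ $((p % 8)) -le "$2" ]
}

# Constructed sample datagrams (not real router output).
S1='<4>kernel: DROP IN=eth0 OUT= SRC=192.0.2.10'
S2='<190>dropbear[123]: Password auth succeeded'
S3='<14>dnsmasq-dhcp[456]: DHCPACK(br0) 192.0.2.20'
for line in "$S1" "$S2" "$S3"; do
    printf '%-14s %s\n' "$(decode_pri "$line")" "$line"
done
```

Running it prints `kern.warning`, `local7.info` and `user.info` for the three samples; a threshold of 3 (err) would keep none of them, while 7 (debug) keeps everything, which is why a low router log_level can leave the Home Monitor dashboards empty while a packet capture still shows the occasional KERN.WARNING line.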

kmax9981
Explorer

Explicitly allowed 514 as well, no change. Any other suggestions?

0 Karma

mattymo
Splunk Employee

Hi kmax9981,

What OS are you running Splunk on? Are you able to confirm any firewalld/iptables configs, or run a packet capture to see if you are receiving any messages?

- MattyMo
0 Karma

kmax9981
Explorer

Splunk is installed on CentOS 7.3.1611.

sudo firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0f1
sources:
services: dhcpv6-client ssh syslog vnc-server
ports: 8000/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

Wireshark shows syslog packets from the router to the server; however, the only ones I see are "Syslog message: KERN.WARNING:

0 Karma

kmax9981
Explorer

For the syslog packets, I am seeing mostly DROP, but some ACCEPT.

0 Karma