All Apps and Add-ons

Home Monitor: How to integrate and configure an Asus RT-AC88U router with the app?

Explorer

I used the Home Monitor app to setup the data source. I have the Splunk server IP address set in the Remote Log Server for the router, I also have the UDP 514 port open on the splunk server. However the only data I am getting is bandwidth tests (sourcetype:bandwidth_test). Has anyone else used the Asus RT-AC88U router with any luck?

Explorer

sudo firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0f1
sources:
services: dhcpv6-client ssh syslog vnc-server
ports: 514/udp 8000/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8191 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8065 0.0.0.0:* LISTEN -
tcp6 0 0 127.0.0.1:14186 :::* LISTEN 1695/java
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 ::1:6010 :::* LISTEN -
udp 0 0 0.0.0.0:64953 0.0.0.0:* -
udp 0 0 192.168.122.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:67 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 0.0.0.0:38233 0.0.0.0:* -
udp6 0 0 ::1:323 :::* -
udp6 0 0 :::4731 :::* -

Splunk data inputs show UDP 514, sourcetype:assus, enabled

0 Karma

Splunk Employee
Splunk Employee

looks like you need to open 514 in firewalld

firewall-cmd --permanent --zone=public --add-port=514/udp
firewall-cmd --reload

I am still playing with the logging levels on the asus RT-AC68U. Haven't really found much use for the logging yet...but may be because of the logging levels...

0 Karma

Explorer

I have the syslog service open already, shouldn't that take care of the port, or do I have to explicitly open UDP 514? as mentioned I am getting bandwidth monitoring data from the router, which would suggest the port is already open does it not?

0 Karma

Splunk Employee
Splunk Employee

your firewalld output above only showed 8000 open. I never use the service definitions. Might work..

Does it now show 514 UDP?

try running netstat -tulpn to confirm you see the listener

Is splunk listening for 514 from all hosts?

0 Karma

Explorer

Removed the home monitor app and tried to set data input for UDP 514, got an error stating it was not available. Uninstalled Splunk then installed it as root, installed home monitor, everything is now working, must have initially installed Splunk as a non root user.

Thanks for the assist.

0 Karma

Explorer

Getting data now, but all the Home monitor Dashboards say no data, assuming this has do do with the router logging, any info you could share that you have found for the logging levels would be very helpful.

0 Karma

Splunk Employee
Splunk Employee
0 Karma

Splunk Employee
Splunk Employee

'm just getting to know the logging levels i like. I ended up using this article to play with the nvram command and so far am running log_level 7.

https://fatmin.com/2015/01/04/configure-syslog-logging-levels-on-the-asus-rt-ac66u-router/

Will run through them and see what I get. Level 7 is basically DHCP and dropbear when i log in so far.

0 Karma

Explorer

Explicitly allowed 514 as well, no change, any other suggestions?

0 Karma

Splunk Employee
Splunk Employee

Hi kmax9981,

What OS are you running Splunk on? Are you able to confirm any firewalld/iptables configs, or run a packet capture to see if you are receiving any messages?

0 Karma

Explorer

Splunk is installed on CentOS 7.3.1611

sudo firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0f1
sources:
services: dhcpv6-client ssh syslog vnc-server
ports: 8000/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

Wireshark show syslog packets from the router to the server, however the only ones I see are "Syslog message: KERN.WARNING:

0 Karma

Explorer

For the syslog packets, I am seeing mostly DROP, but some ACCEPT

0 Karma