
Home Monitor: Is there a list of supported routers?

jrhortian
New Member

Hello Folks,

I have done some searching on the forums and am not able to find specifically what I am looking for. So, I am looking at buying a new router in the near future and am interested in setting up Splunk alongside my new home router. I am wondering if there is a "support list" Splunk puts out?

I see that there are some Asus rt models that support Splunk as long as you have access to syslogs the router creates. Anyway, thank you for your responses.

-Jeff

0 Karma
1 Solution

grijhwani
Motivator

Any router that can be configured to emit syslog to the network is a good start, although syslog has its limitations, and even Splunk advise using an alternative to their native baked-in syslog support (syslog-ng generally being the syslog server of choice, with local ingestion of the captured logs directly on the indexer, or, as in the infrastructure I set up in my previous post, with dedicated syslog capture servers running a forwarder instance). I imagine that if you installed OpenWRT on a device, you could probably even get away with installing a half-fat Splunkforwarder instance, although heaven only knows how well the device would perform with that extra overhead.


amiracle
Splunk Employee

Currently the app supports routers that send syslog data, but they do require some fields that will help populate the dashboards. Since I made this app to be CIM compliant, I can do some field aliases to conform and thus help populate the dashboards. Here are some of the vendors that should work with the app:

NetGear
Juniper
Asus
Linksys
pfSense
mikro
Sophos
FiOS MI424WR

You will need to make sure that your router can send syslog data; not all routers from the vendors listed above do so. Just make sure before you buy one.

I will admit that I personally started using a pfSense firewall and just use the wireless router as an AP without the firewall enabled. This is why I've been doing more development around the pfSense firewall's data feeds.

Lastly, sending the data from your device to a syslog server is a good idea, but if you have a small lab network and you don't want another device, I would recommend just sending the data directly into your Splunk indexer. (Not the best practice for a large deployment, but should be OK for a small environment.) You can also set up a Raspberry Pi and have it run the Splunkforwarder: http://blogs.splunk.com/2013/10/11/introducing-the-splunk-universal-forwarder-for-raspberry-pi/ The only catch with this is that the SD card does have a lifespan on writes, so if you do a ton of syslog, it will eventually kill a cheap SD card. (Yes, I found out the hard way.)
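The answer above turns on two things: the router must emit syslog, and the messages must carry the fields (source, destination, action) that the app aliases to CIM names before the dashboards can light up. The following is an added example, not code from the Home Monitor app or from Splunk, that parses constructed RFC 3164 lines from a hypothetical router, applies a hypothetical vendor-to-CIM alias table, and reports which lines lack the required fields, which is the check worth doing on a candidate router's logs before buying it.

```python
import re

# Constructed sample lines in RFC 3164 style; they are not captured from any real router.
SAMPLE_LINES = [
    "<134>Mar  3 12:01:02 router01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22",
    "<134>Mar  3 12:01:03 router01 kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=53 DPT=5353",
    "<134>Mar  3 12:01:04 router01 dhcpd: lease renewed for 192.0.2.44",
]

# Hypothetical vendor keys mapped to CIM Network Traffic field names (the kind of alias the app applies).
ALIASES = {"SRC": "src", "DST": "dest", "SPT": "src_port", "DPT": "dest_port",
           "PROTO": "transport", "IN": "dvc_interface"}
ACTIONS = {"DROP": "blocked", "REJECT": "blocked", "ACCEPT": "allowed"}  # CIM action values
REQUIRED = ("src", "dest", "action")  # fields the dashboards need to populate
HEADER = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\s]+): (.*)$")


def parse_syslog(line):
    """Split an RFC 3164 line into PRI, header and message; return None if it does not parse."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group(1))  # PRI = facility * 8 + severity
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": m.group(2),
            "host": m.group(3), "program": m.group(4), "message": m.group(5)}


def normalize(event):
    """Rename vendor keys to CIM names; ports become ints, transport is lower-cased."""
    out = {k: v for k, v in event.items() if k != "message"}
    msg = event["message"]
    verb = msg.split(" ", 1)[0]
    if verb in ACTIONS:
        out["action"] = ACTIONS[verb]
    for key, val in re.findall(r"(\w+)=(\S*)", msg):
        if not val or key not in ALIASES:
            continue  # OUT= is empty for inbound traffic; unknown keys are left out
        name = ALIASES[key]
        out[name] = int(val) if name.endswith("_port") else val.lower() if name == "transport" else val
    return out


def missing_fields(event):
    """Return the dashboard fields this device did not supply."""
    return tuple(f for f in REQUIRED if f not in event)


def ingest(lines):
    """Parse and normalise lines; split them into usable events and rejected (line, reason) pairs."""
    usable, rejected = [], []
    for line in lines:
        ev = parse_syslog(line)
        ev = normalize(ev) if ev else None
        gaps = missing_fields(ev) if ev else ("unparsed",)
        (rejected.append((line, gaps)) if gaps else usable.append(ev))
    return usable, rejected
```

Run `ingest(SAMPLE_LINES)`: the two firewall lines come back with `src`, `dest`, `action` and ports set, while the DHCP line is rejected with the list of fields it lacks.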

jrhortian
New Member

Grijhwani,

Awesome, I was looking at some Asus routers that could support WRT, as that might be my best bet. I am also thinking about possible open source OSes like pfSense, but I don't want to get too crazy as this is just my home network. I love IT, work in IT and it is a passion, but ya, like I said, don't want to get too crazy :). I will have to look into syslog-ng. Is that like a service or protocol? Aww, yes, the Splunk forwarders, I know what you're talking about now, we used to use them at my old company. Never dug into them myself, but I have read about them.

Thank you,
Jeff

0 Karma

grijhwani
Motivator

syslog-ng is a superior implementation of a syslog server (replacing things like rsyslog and the like) under Linux, which allows for much more comprehensive formatting and sieving of the data into a structured hierarchical file tree. It is completely compatible with the syslog service protocol, and any device logging to it won't know the difference (although they wouldn't anyway, by default, because syslog is usually UDP not TCP).

I would suggest you simply look up syslog-ng (it's by a company called Balabit), and if you don't know the distinction between TCP and UDP (I make no assumptions either way) you'd do yourself a favour to understand their differences.

0 Karma

jrhortian
New Member

Grijhwani,

Awesome, you have given me a good base to go off of here; I just started looking into this last night a bit more. I have looked into it in the past and just played with Splunk via an export/import of my router's syslog. From what I was reading, the syslog protocol used UDP via port 514. It is good to know that syslog-ng uses TCP (connectionless vs connection orientated, 🙂 learned that back in high school in 2006). I am 26, working in Cyber Security now, and have been "working" in IT since I was 15/16, so about 10 years, and there is always something new to learn. I love it!!!! Thanks for all your help; if I have other questions I might have to lean on this forum again.

Thank you again Grijhwani, really appreciate it.

0 Karma

grijhwani
Motivator

Well, whether you use UDP or TCP is really a function of what you can configure the source device to do. If you can persuade it to send over TCP, then yes, syslog-ng will support TCP. But equally, most other syslog servers can; they just might not be configured for it by default.

0 Karma