I have done some searching on the forums and am not able to find specifically what I am looking for. So, I am looking at buying a new router in the near future and am interested in setting up Splunk along side my new home router. I am wondering if there is a "support list" Splunk puts out?
I see that there are some Asus rt models that support Splunk as long as you have access to syslogs the router creates. Anyway, thank you for your responses.
Any router that can be configured to emit syslog to the network is a good start, although syslog has its limitations, and even Splunk advise using an alternative to their native baked-in syslog support (syslog-ng generally being the syslog server of choice, with local ingestion of the captured logs directly on the indexer, or as in the infrastructure I set up in my previous post with dedicated syslog capture servers running a forwarder instance). I imagine that if you installed OpenWRT on a device, you could probably even get away with installing a half-fat Splunkforwarder instance, although heaven only knows how well the device would perform with that extra overhead.
Awesome, I was looking at some Asus routers that could support WRT as that might be my best bet. I am also thinking about possible open source OS's like pfsense, but I don't want to get too crazy as this is just my home network. I love IT, work in IT and it is a passion, but ya like I said don't want to get too crazy :). I will have to look into syslog-ng. Is that like a service or protocol? Aww, yes the splunk forwarders, I know what you're talking about now, we used to use them at my old company. Never dug into them myself, but I have read about them.
syslog-ng is a superior implementation of a syslog server (replacing things like rsyslog and the like) under Linux, which allows for much more comprehensive formatting and sieving of the data into a structured hierarchical file tree. It is completely compatible with the syslog service protocol, and any device logging to it won't know the difference (although they wouldn't anyway, by default, because syslog is usually UDP not TCP).
I would suggest you simply look up syslog-ng (it's by a company called Balabit), and if you don't know the distinction between TCP and UDP (I make no assumptions either way) you'd do yourself a favour to understand their differences.
Awesome, you have given me a good base to go off of here, I just started looking into this last night a bit more. I have looked into it in the past and just played with Splunk via an export/import of my router's syslog. From what I was reading the syslog protocol used UDP via port 514. It is good to know that syslog-ng uses TCP (connectionless vs connection orientated, 🙂 learned that back in high school in 2006). I am 26 working in Cyber Security now and have been "working" in IT since I was 15/16 so about 10 years and there is always something new to learn. I love it!!!! Thanks for all your help, if I have other questions I might have to lean on this forum again.
Thank you again Grijwani really appreciate it.
Well, whether you used UDP or TCP is really a function of what you can configure the source device to do. If you can persuade it to send over TCP, then yes syslog-ng will support TCP. But equally, most other syslog servers can, they just might not be configured for it by default.
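As an added illustration of the syslog-ng setup described two posts up, and of the UDP-versus-TCP point just made, here is an example syslog-ng configuration (written for this thread, not taken from the original posts or from the Splunk app): it listens on both transports, so whichever the router can be configured for works, and sieves what arrives into a per-host, per-day file tree that a Splunk forwarder or a local monitor input can read. The listen address, the `/var/log/remote` path and the `192.168.1.0/24` netmask are assumptions for a home LAN; adjust them to your network.

```conf
@version: 3.38
@include "scl.conf"

# Most consumer routers can only send RFC 3164 syslog over UDP/514.
source s_router_udp {
    network(transport("udp") ip("0.0.0.0") port(514));
};

# Connection-oriented transport for devices that can be told to use TCP;
# same port, so only the transport differs from the router's point of view.
source s_router_tcp {
    network(transport("tcp") ip("0.0.0.0") port(514));
};

# Only keep messages from the home LAN (assumed 192.168.1.0/24) so a stray
# sender elsewhere cannot fill the tree with junk.
filter f_home_lan {
    netmask("192.168.1.0/24");
};

# Structured hierarchical tree: one directory per sending host, one per day,
# one file per syslog facility. create-dirs() makes the directories on demand.
destination d_router_tree {
    file("/var/log/remote/${HOST}/${YEAR}-${MONTH}-${DAY}/${FACILITY}.log"
         create-dirs(yes)
         dir-perm(0750)
         perm(0640)
         template("${ISODATE} ${HOST} ${PROGRAM}[${PID}]: ${MESSAGE}\n"));
};

log {
    source(s_router_udp);
    source(s_router_tcp);
    filter(f_home_lan);
    destination(d_router_tree);
};
```

With this layout the forwarder's monitor stanza can point at `/var/log/remote` and derive the Splunk host field from the fourth path segment (the `${HOST}` directory) rather than from the forwarder's own hostname.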
Currently the app supports routers that send syslog data, but they do require some fields that will help populate the dashboards. Since I made this app to be CIM compliant, I can do some field aliases to conform and thus help populate the dashboards. Here are some of the vendors that should work with the app:
You will need to make sure that your router can send syslog data, not all routers from the vendors listed above do so. Just make sure before you buy one.
I will admit that I personally started using a pfsense firewall and just use the wireless router as an AP without the firewall enabled. This is why I've been doing more development around the pfsense firewalls data feeds.
Lastly, sending the data from your device to a syslog server is a good idea but if you have a small lab network and you don't want another device I would recommend just sending the data directly into your Splunk indexer. (Not the best practice for a large deployment, but should be OK for a small environment.) You can also set up a Raspberry Pi and have it run the Splunkforwarder on it: http://blogs.splunk.com/2013/10/11/introducing-the-splunk-universal-forwarder-for-raspberry-pi/ The only catch with this is that the SD card does have a lifespan on writes, so if you do a ton of syslog, it will eventually kill a cheap SD card. (Yes, I found out the hard way.)