Hey guys so I'm new to Splunk and setup Splunk Enterprise on AWS to monitor my AWS environment.
I would like to leverage Splunk to monitor my homelab as well and would like to start with my Sophos UTM 9 firewall and FreeNAS server. I set up a syslog-ng server and successfully have Sophos logging to it.
Using the CLI I got the forwarder to connect to the receiver (AWS), but now I'm a bit lost. Now I think I have to get the Splunk forwarder to pick up the syslog-ng logs, and I need to do this using inputs.conf?
As FreeNAS does not have persistent storage, you cannot install a forwarder on there, so I opted to use shell scripts that run via CRON and output to syslog, then on to Splunk.
install the WHOLE app into Splunk
Then copy the SH files that are in the "bin" folder of the app to a persistent dataset (e.g. /TANK/SCRIPTS) on the FreeNAS, with CRON set to run them every few minutes (the interval is your choice, depending on the granularity you want).
FreeNAS will then run the scripts and output to syslog, which is sent to Splunk, populating the dashboards of the app.
Check the docs tab on the app for a wider explanation; I have copied the details below for your convenience. Follow the links to the FreeNAS docs for how to set up cron and syslog forwarding.
Hope this helps, post back how you go 🙂
For this app to work completely the REST API Modular Input is required, install the REST app first (thanks to the awesome Damien Dallimore)
Check either inputs.conf, or if you are a novice you can just change the details in the “data inputs” section of Splunk.
You will need to configure for your environment:
Your FreeNAS IP address or host name
Your FreeNAS ROOT password (currently the FreeNAS API only allows the root user)
There are several .sh scripts in /TA-SH_files_for_FreeNAS directory that need to be placed on a persistent dataset on the FreeNAS server with a cron job associated with them, set to run every few minutes.
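The cron-plus-syslog pattern described in the answer above, as an added example that is not one of the app's own bin/ scripts and not from the thread: a FreeNAS script that turns `zpool list` output into key=value syslog events, emitting at warning priority when a pool is not ONLINE so the syslog-ng server and Splunk can alert on severity rather than free text. The pool names and sizes, the local0 facility, and the /mnt/TANK/SCRIPTS path are constructed assumptions.

```shell
#!/bin/sh
# Added example for this thread, not one of the app's own bin/ scripts: a cron-driven
# FreeNAS script that turns `zpool list` output into key=value syslog events for Splunk.
# Pool names, sizes, the local0 facility and the script path are constructed assumptions.

# Constructed sample of `zpool list -H -o name,size,alloc,free,cap,health` (tab-separated).
SAMPLE_ZPOOL=$(printf 'tank\t3.62T\t1.20T\t2.42T\t33%%\tONLINE\nbackup\t928G\t900G\t28G\t96%%\tDEGRADED\n')

# Read zpool rows on stdin and emit one key=value event per pool. Splunk extracts
# key=value pairs automatically, so dashboards can search health=DEGRADED directly.
zpool_to_kv() {
    tab=$(printf '\t')
    while IFS="$tab" read -r name size alloc free cap health; do
        [ -n "$name" ] || continue
        printf 'freenas_zpool pool=%s size=%s alloc=%s free=%s cap=%s health=%s\n' \
            "$name" "$size" "$alloc" "$free" "${cap%\%}" "$health"
    done
}

# Count pools whose health is anything other than ONLINE (stdin = zpool rows).
zpool_unhealthy_count() {
    awk -F'\t' '$6 != "ONLINE" { n++ } END { print n + 0 }'
}

# Send every pool's status line to syslog. If any pool is unhealthy the whole batch
# goes out at warning priority so downstream filters can key on severity.
log_zpool_status() {
    rows=$(zpool list -H -o name,size,alloc,free,cap,health)
    if [ "$(printf '%s\n' "$rows" | zpool_unhealthy_count)" -gt 0 ]; then
        prio=local0.warning
    else
        prio=local0.info
    fi
    printf '%s\n' "$rows" | zpool_to_kv | while IFS= read -r event; do
        logger -t freenas_zpool -p "$prio" "$event"
    done
}

# Cron entry on the FreeNAS box (the persistent dataset path is an assumption):
#   */5 * * * * /mnt/TANK/SCRIPTS/zpool_syslog.sh --send
# Only the --send form talks to zpool and syslog; without it the script just defines
# the functions above, so it can be sourced and checked against the sample data.
if [ "${1:-}" = "--send" ]; then
    log_zpool_status
fi
```

Point FreeNAS's syslog forwarding at the syslog-ng host and these events arrive alongside the Sophos logs; the `freenas_zpool` tag and the fixed `pool=... health=...` layout make them easy to route to their own sourcetype on the Splunk side.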
From the CLI, you would navigate to the $SPLUNK_HOME/bin/ directory, and then you can issue a splunk command to monitor a directory and/or file(s) with the forwarder. Here is an example of the splunk command to monitor the /var/log/ directory:
./splunk add monitor /var/log/
This splunk command will add a monitor stanza to the inputs.conf file.
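As an added example that is not part of the answer above, the stanza that `./splunk add monitor` writes can also be generated and reviewed before it lands in inputs.conf on the forwarder, which is handy when you want the syslog-ng directories to carry an explicit sourcetype and index rather than the defaults. The directory paths, the `syslog` sourcetype, the `homelab` index and the $SPLUNK_HOME/etc/system/local location are assumptions for this homelab, not from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): generate the inputs.conf monitor stanza that
# `./splunk add monitor` would write, so it can be reviewed before being dropped into
# $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder.
# Paths, sourcetype and index names below are homelab assumptions, not from the post.

# Print one monitor stanza. Args: <absolute path> <sourcetype> <index>
monitor_stanza() {
    path=$1; sourcetype=$2; index=$3
    case "$path" in
        /*) ;;
        *) echo "monitor_stanza: path must be absolute: $path" >&2; return 1 ;;
    esac
    printf '[monitor://%s]\n' "$path"
    printf 'disabled = 0\n'
    printf 'sourcetype = %s\n' "$sourcetype"
    printf 'index = %s\n' "$index"
    # Skip rotated and compressed files so the forwarder does not re-index old logs.
    printf 'blacklist = \\.(gz|bz2|[0-9]+)$\n'
    printf '\n'
}

# A complete inputs.conf for the two homelab sources in the thread, assuming syslog-ng
# writes each device to its own directory.
build_inputs_conf() {
    monitor_stanza /var/log/syslog-ng/sophos syslog homelab
    monitor_stanza /var/log/syslog-ng/freenas syslog homelab
}

# Equivalent CLI form of the command shown in the answer, with sourcetype and index set:
#   $SPLUNK_HOME/bin/splunk add monitor /var/log/syslog-ng/sophos -sourcetype syslog -index homelab
# After editing inputs.conf by hand, restart the forwarder: $SPLUNK_HOME/bin/splunk restart
if [ "${1:-}" = "--write" ]; then
    build_inputs_conf > "${SPLUNK_HOME:?SPLUNK_HOME must be set}/etc/system/local/inputs.conf"
fi
```

Run it with `--write` on the forwarder to install the file, or without arguments to just inspect what `build_inputs_conf` would produce; the absolute-path check stops a relative path from silently creating a stanza the forwarder can never read.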