Hey guys, so I'm new to Splunk and set up Splunk Enterprise on AWS to monitor my AWS environment.
I would like to leverage Splunk to monitor my homelab as well, and would like to start with my Sophos UTM 9 firewall and FreeNAS server. I set up a syslog-ng server and successfully have Sophos logging to it.
Using the CLI I got the forwarder to connect to the receiver (AWS), but now I'm a bit lost. Now I think I have to get the Splunk forwarder to pick up the syslog-ng logs, and I need to do this using inputs.conf?
I also found this FreeNAS app for Splunk. Where does this get installed? On the forwarder or the receiver?
Thanks for the help. I'm having a hard time wrapping my head around all of this.
From the CLI, you would navigate to the $SPLUNK_HOME/bin/ directory and then you can issue a splunk command to monitor a directory and/or file(s) with the forwarder. Here is an example of the splunk command to monitor the /var/log/ directory:
./splunk add monitor /var/log/
This splunk command will add a monitor stanza to the inputs.conf file.
Here are additional details on how to leverage the CLI to add more input monitors.
I'm not familiar with the FreeNAS app, but in general you can install apps/add-ons through the web interface for Splunk Enterprise. Here is the documentation on how to install apps/add-ons to a single Splunk Enterprise instance.
As FreeNAS does not have persistent storage, you cannot install a forwarder on there, so I opted to use shell scripts that run via cron and output to syslog, then to Splunk.
Check the docs tab on the app for a wider explanation; I have copied the details below for your convenience. Follow the links to the FreeNAS docs for how to set up cron and syslog forwarding.
Hope this helps, post back how you go 🙂
For this app to work completely, the REST API Modular Input is required; install the REST app first (thanks to the awesome Damien Dallimore).
This app utilises the FreeNAS API for some data.
Check either inputs.conf, or if you are a novice you can just change the details in the “data inputs” section of Splunk.
You will need to configure this for your environment:
There are several .sh scripts in the /TA-SH_files_for_FreeNAS directory that need to be placed on a persistent dataset on the FreeNAS server, with a cron job associated with them set to run every few minutes.
These scripts output to “logger”, which is the syslog output.
Also, once copied over, this command may be your friend 🙂
chmod 777 foo.sh
You need to configure FreeNAS to log to a central server (Splunk®) for the data to be ingested, point to port 1514 e.g.
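The collector pattern the answer describes (cron runs a script on a persistent dataset, the script hands lines to logger, the FreeNAS syslog daemon forwards them to Splunk), as an added example. This is not one of the app's TA-SH_files_for_FreeNAS scripts; it samples filesystem usage with df and emits one key=value event per filesystem, a format Splunk extracts fields from automatically. The syslog tag freenas_df, the priority local0.info, the 90 percent warn threshold and the sample df output are constructed for this example. It also installs the script with mode 0750 rather than the 777 from the answer, so a script that root's cron will execute is not writable by every local account.

```shell
#!/bin/sh
# Added example, not one of the app's TA-SH_files_for_FreeNAS scripts: a
# cron-driven collector in the style the answer describes. It turns "df -P -k"
# output into one key=value event per filesystem and hands each line to
# logger(1), so the local syslog daemon forwards it to Splunk (port 1514 in
# the answer). Assumed here, not from the thread: syslog tag "freenas_df",
# priority local0.info, warn threshold 90 percent.

TAG=freenas_df
PRIORITY=local0.info

# Format one data line of "df -P -k" as a key=value event.
# $1 = the df line, $2 = used-percent threshold for level=warn (default 90).
# Returns 1 when the line does not look like df output.
format_df_line() {
    thr=${2:-90}
    set -- $1                          # split on whitespace into fields
    [ "$#" -ge 6 ] || return 1         # fs blocks used avail capacity mount
    pct=${5%\%}                        # strip the trailing "%"
    case $pct in ''|*[!0-9]*) return 1 ;; esac
    if [ "$pct" -ge "$thr" ]; then level=warn; else level=ok; fi
    printf 'fs=%s mount=%s used_kb=%s avail_kb=%s used_pct=%s level=%s\n' \
        "$1" "$6" "$3" "$4" "$pct" "$level"
}

# Convert a whole df output (header included) into events, one per line.
# $1 = df output text, $2 = optional threshold.
events_from_df() {
    printf '%s\n' "$1" | tail -n +2 | while IFS= read -r line; do
        format_df_line "$line" "$2"
    done
}

# Send every line on stdin to syslog; the syslog daemon, not this script,
# decides where the events go (the FreeNAS remote-syslog setting).
emit_to_syslog() {
    while IFS= read -r event; do
        logger -t "$TAG" -p "$PRIORITY" -- "$event"
    done
}

# Copy the collector onto the persistent dataset with owner-only write and
# group execute (0750) instead of world-writable 777, so the script that
# root's cron runs cannot be edited by other local accounts.
# $1 = source script, $2 = destination path.
install_collector() {
    cp "$1" "$2" && chmod 0750 "$2"
}

# Constructed sample output (not from a real system) used for a dry run.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
tank/data 1000000 950000 50000 95% /mnt/tank/data
freenas-boot/ROOT 2000000 400000 1600000 20% /'

case ${1:-} in
    --run)     events_from_df "$(df -P -k)" | emit_to_syslog ;;  # what cron calls
    --dry-run) events_from_df "$SAMPLE_DF" ;;                     # print, no syslog
esac
```

A cron line such as `*/5 * * * * /mnt/tank/scripts/collect.sh --run` (path assumed) matches the "every few minutes" cadence from the answer; `--dry-run` prints the events locally so the format can be checked before anything is forwarded. Because the script only ever talks to the local syslog daemon, the destination and port stay under the FreeNAS syslog configuration the answer points to.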