All Apps and Add-ons
Highlighted

Splunk forwarder for Sophos and FreeNAS help

New Member

Hey guys so I'm new to Splunk and setup Splunk Enterprise on AWS to monitor my AWS environment.

I would like to leverage Splunk to monitor my homelab as well and would like to start with my Sophos UTM 9 firewall and FreeNAS server. I setup syslog-ng server and successfully have Sophos logging to it.

Using CLI I got the forwarder to connect to the Receiver (AWS) but now a bit lost. Now I think I have to get the Splunk forwarder to pick up the syslog-ng logs and I need to use this using inputs.conf ?

I also found this FreeNAS app for Splunk. Where does this get installed? On the forwarder or the receiver?

Thanks for the help. I'm having a hard time wrapping my head around all of this.

0 Karma
Highlighted

Re: Splunk forwarder for Sophos and FreeNAS help

Splunk Employee
Splunk Employee

From the CLI, you would navigate to the $SPLUNK_HOME/bin/ directory and then you can an issue a splunk command to monitor a directory and/or file(s) with the forwarder. Here is an example of the splunk command to monitor the /var/log/ directory:

./splunk add monitor /var/log/

This splunk command will add a monitor stanza to the inputs.conf file.

Here are additional details on how to leverage the CLI to add more input monitors.
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureyourinputs#Use_the_CLI

I'm not familiar with the FreeNAS app, but in general you can install apps/add-ons through the web interface for Splunk Enterprise. Here is the documentation on how to install apps/add-ons to a single Splunk Enterprise instance.
http://docs.splunk.com/Documentation/AddOns/latest/Overview/Singleserverinstall

0 Karma
Highlighted

Re: Splunk forwarder for Sophos and FreeNAS help

Path Finder

Hi,

As FreeNAS does not have a persistent storage, you cannot install a forwarder on there, so I opted to use shell scripts that run via CRON and output to syslog then to Splunk.

So you

  • install the WHOLE app into Splunk
  • Then copy the SH files are in the "BIN" folder of the app, to a persistent dataset (eg /TANK/SCRIPTS) on the FreeNAS and CRON set to run every few minutes (Choice is yours for interval, depends on granularity)
  • FreeNAS will then run the scripts and output to syslog which is sent to SPlunk, populating the dashboards of the APP

Check the docs tab on the app for wider explanation, i have copied the details below for your convenience. follow the links to the freeNAS docs for how to setup cron and syslog forwarding.

Hope this helps, post back how you go 🙂

Inputs

For this app to work completely the REST API Modular Input is required, install the REST app first (thanks to the awesome Damien Dallimore)

FreeNAS API

http://api.freenas.org/index.html

This app utilises the FreeNAS api for some data.

Check either inputs.conf, or if you are a novice you can just change the details in the “data inputs” section of Splunk.

You will need to configure for your environment;

  • Your FreeNAS IP address or host name
  • Your FreeNAS ROOT password (currently the FreeNAS API only allows the root user)

.SH files

There are several .sh scripts in /TA-SH_files_for_FreeNAS directory that need to be placed on a persistent dataset on the FreeNAS server with a cron job associated with them, set to run every few minutes.

https://doc.freenas.org/9.3/freenas_tasks.html

these scripts output to “logger” - which is the syslog output

Also once copied over this command may be your friend 🙂

sh
chmod 777 foo.sh

Syslog

You need to configure FreeNAS to log to a central server (Splunk®) for the data to be ingested, point to port 1514 e.g.

192.168.1.2:1514

https://doc.freenas.org/9.3/freenas_system.html#general

0 Karma