Why are Netfilter IPTables not showing results?

rh71rdu
Explorer

Hi Splunk Community,

I'm trying to get syslogs from my router to show up in Splunk "NetFilter IPtables".
It would be great to get this view showing "results" where it says "no results found".
 
I have configured the router to send syslog to my Mac's IP address, port 514, and set up a data input in Splunk Enterprise on port 514 to listen for Syslog (as opposed to "linux_messages_syslog").
That seems to transmit because if I run "sudo tcpdump -lns 0 -w - udp and port 514 | strings" from my CLI, I get a result like this every few seconds:
 
x?bu?
B?̫,?
?,??
~??<132> 2022-07-25T12:13:03.696064-04:00 L4 FIREWALL[9488]: nflog_log_fw(), action=DROP reason=POLICY-INPUT-GEN-DISCARD hook=INPUT mark=136314880 IN=br2 OUT= MAC=00:00:00:00:00:00:8484:26:2b:9b:ea:bd:src=167.94.138.139 DST=xx.yy.zzz.www LEN=44 TOS=0x00 PREC=0x00 TTL=40 ID=2539 PROTO=TCP SPT=19169 DPT=8901 SEQ=3022021036 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 OPT (MSS=1460 ) 
 
And this seems to work to some extent in Splunk because I'm also picking up the messages now in "Splunk Search and Reporting" and in CIM.
 
This app seems to depend on: 
  • TA_Netfilter (I unpacked and copied the TA_Netfilter into "/Applications/Splunk/etc/apps/TA_netfilter/". Seems to be installed...)
  • Splunk Enterprise 6.2+ (I’m running 9.0.0.1)
  • Splunk Common Information Model 4.3+ (I have installed 5.0.1 on Splunk Enterprise, I did not change configuration in http://localhost:8000/en-US/app/search/cim_setup)
I suspect I'm missing something simple. Could you please suggest some reasons that this Netfilter IP Tables might not be working properly to help me troubleshoot?
 
Thanks,
Rob

richgalloway
SplunkTrust

When a dashboard panel reports "No results found" it means either the data doesn't exist or it exists someplace where the dashboard can't find it.  You seem to have ruled out the former so we'll focus on the latter.

The best way to help ensure a dashboard can find its data is by installing the corresponding TA.  It looks like you did that.  Did you also restart Splunk after copying the TA directory?

One of the most common reasons a dashboard can't find its data is because it's in a different index.  Click on the magnifying glass icon in the lower-right corner of the panel to open it in a search window.  There you will see the query the panel is using to find the data.  Make sure the index it's looking at matches the index where you put the data.

While you're in the search window, check the other parts of the query to make sure the expected sourcetype, etc. match the data coming in.

---
If this reply helps you, Karma would be appreciated.

rh71rdu
Explorer

Hi Rich, thank you for the thoughtful suggestion.

I think the magnifying glass is on the right track. My query was:

`iptables_datasource` (`traffic_denied`) `filter_badclients` | timechart `iptables_span` count as Denied_Connections by iptables_host. That resulted in no results. 

Currently Datasource is set to "index=* eventtype="linux_netfilter""

When I changed "( clientip!="0.0.0.0" OR clientip!="255.255.255.255")" to "()" it opened the floodgate on my dashboard. Now I'm getting a lot of events in "volumes of connections", "network services" and "destination ports", but still no translation of IP to Client location or stats on Trend by Country.

I then changed the index=* to each of the 13 Splunk indexes and only "main" returns anything. So it feels like maybe I still need to either create a new bespoke index or configure CIM correctly and 'fix' that cim_modactions index. I'm still a little confused but grateful for your help and happy I'm moving forward 🙂

In any case, thank you for getting me in the right direction.

Rob

0 Karma
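As an added example (not from this thread or the Netfilter app), assuming the macro contents Rob quoted, the searches below show where the netfilter events actually land and whether the `clientip` field that `filter_badclients` tests is being extracted at all; the `src` and `src_ip` fallbacks in the last search are assumed field names. In SPL a comparison like `clientip!="0.0.0.0"` only matches events where `clientip` exists, so a missing field (rather than a bad value) is what empties the panel, while `NOT clientip="0.0.0.0"` keeps events where the field is absent.

```spl
| rest /servicesNS/-/-/admin/macros
| search title="iptables_datasource" OR title="traffic_denied" OR title="filter_badclients" OR title="iptables_span"
| table title definition

| rest /servicesNS/-/-/saved/eventtypes
| search title="linux_netfilter"
| table title search

index=* eventtype="linux_netfilter" earliest=-24h
| eval clientip_state=if(isnull(clientip), "missing", "present")
| stats count BY index sourcetype host clientip_state

index=* eventtype="linux_netfilter" earliest=-24h
| eval cp_src=coalesce(clientip, src, src_ip)
| where isnull(cp_src) OR NOT (cp_src="0.0.0.0" OR cp_src="255.255.255.255")
| timechart span=1h count AS Denied_Connections BY host
```

Run each search on its own: the first two reveal what the dashboard macros and eventtype expand to, the third shows which index/sourcetype combination carries the events and whether `clientip` is present on them, and the fourth reproduces the panel's timechart with a filter that tolerates the missing field.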