I had an earlier question about the ability to learn Splunk at home. I am using a FiOS router that I just want to search the data passing through to see how Splunk accesses the data from the Internet. I tried to add Input Data Port 80, which did not work. Does anyone have a suggestion on ways to search, index and analyze the traffic coming in from my FiOS router? I don't know what port to use for Input Data on Splunk.
First off, welcome!
Second, are you old enough to remember Clippy from Microsoft Office? "So it sounds like you want to collect syslog from your router!"
IF (and that's a big if) that's the case, the below are very, VERY approximate directions because we don't know what router/modem you have, who provides your service or much of anything. Indeed, I'm only guessing at what you are ultimately trying to do with this data... 🙂
1) Log into your router and find the "syslog" option for system monitoring. If you can't find this, reply with the make and model of the router and who provided it and perhaps we can help you look. You can probably find it yourself with a little Googling, since it's likely that's all we'd do anyway.
2) Turn on syslog and send it to the IP address of your Splunk server on port 514. Note in this case, highly preferable to use UDP, not TCP.
3) Create a new index, perhaps call it "router." Note it isn't very important WHAT you call it, just name it something useful. You should be able to leave everything at its default; it just needs the name.
4) Tell Splunk to listen on port 514, or whatever port you have your router sending on (syslog is 514 by default). Note you'll want to pick "Monitor" (not Forward) and be sure to select the index you created.
That should get your data in. If you have problems with 1 or 2, reply with your make and model of router and who provides it and we may be able to point you to some docs. If you have problems with 3 or 4, I'd actually create a brand new question to help keep things straight and mark this one answered.
But that won't be the end of it, only the beginning. You'll want to look around Splunkbase for an app that may parse your data or do neat things with it, but if you don't find anything don't lose hope, we can help get intelligence out of that data too. (Although you should create a new question for that to keep this clean).
Third, unfortunately this may or may not work. When those devices support syslog, they often will just syslog their own internal logs and NOT the stuff you want. If that's the case, then another solution, though a bit more work to get set up, could be to use the Splunk App for Stream to sniff those packets right off your PC/Macs. If this is the route you have to go it'll be some additional work. There's a great set of documentation for the Splunk App for Stream, and lots of help in various places so be sure to try a few of those. I'd also suggest if you can find our Super-Secret IRC channel or Slack channels, asking in there might get you a few folks walking you through it. (I'll give you a hint - Google can help you with that too, just know those channels are more heavily populated during approximately "U.S. Normal" times, and often more during the workday than anything. Still, we're friendly there!) At a minimum you'll probably want to create a new question on that.
Let us know how that goes! I promise that though it can be a bit of a bumpy ride at first, especially if you are jumping right into the deep end, it WILL start to make sense!
I am back at this home monitor thing again. It is not easy because it looks like FiOS traffic input can only be Splunked when it is a "root". How do I get my Mac PC to be the "root", and then how do I adjust my Splunk settings accordingly?
Hi again. Thanks for your consistent help on this. How do I know if my Splunk is a "root" in my deployment? The free Splunk version was downloaded on my PC in my home, and I am the administrator from that download version. I found my IP address and used it in the FiOS router remote management setting, but it does not give any indication of 514 port number assignment, and Splunk still says 514 not available.
Splunk says "514 not available" how? Does it tell you this when you set up the UDP port? Or do you mean you run a search and it doesn't return data? Specifics matter here and it'll be hard to proceed without knowing exactly what the scenario is.
You can tell how Splunk is installed if you look at your services (start, run, services.msc) and find out what the logon is for Splunk. It's probably Local System which is fine.
Your router not giving you a port option isn't unusual. It'll just use 514 then. We can worry about that later.
With the FiOS router, I went into the Syslog and accessed the remote management of information for syslog, pointing it to my PC's IP address (there was no port 514 or UDP option in the router). When I tried configuring Splunk to index 514, it said not available. Are you sure that the syslog from the FiOS routers can interface with Splunk? It doesn't seem to recognize it, and I followed your directions.
I just re-read your post - do you mean when you try to ask Splunk to listen to port 514 it is telling you it can't do that? What's the exact error message?
I reviewed your previous questions and it's possible you can't listen on 514 because that's a port only root can listen on, but your Splunk may not be installed as root.
Here's an answer that may help you on having a non-root Splunk install listen to a privileged port.
If it can syslog Splunk can read that. Please, what is the make and model of the router and who provided it?
How did you confirm "it doesn't seem to recognize it?" What do you mean exactly by that? What did you search for or how did you check that?
Also, my instructions weren't step by step so what steps exactly did you follow for step 4? (Details are important; the difference between typing 514 and typing 515 for the port will mean it just won't work.) You can also go to Settings/Inputs and find the settings you set up and double-check them.
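As an added example, not code from this thread or from Splunk, the Python script below shows the mechanics behind step 4 of the first answer and the "514 not available" discussion: a listener that tries to bind UDP 514 and, when the process is not root (PermissionError) or the port is already taken, falls back to an unprivileged port; a constructed router log line in RFC 3164 syslog format (the real format varies by device) sent over loopback to that listener; and the priority/host/message parsing that a syslog input does before indexing. The port 1514 and the sample line are assumptions chosen for illustration.

```python
import re
import socket

# Constructed sample line, roughly what a home router's firewall log looks like
# in RFC 3164 syslog form (assumption: the exact layout depends on the device).
SAMPLE_ROUTER_LINE = (
    "<14>Jan  5 12:34:56 fios-router kernel: "
    "DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=23"
)

PRIVILEGED_SYSLOG_PORT = 514   # below 1024: on Linux/macOS only root (or CAP_NET_BIND_SERVICE) may bind
FALLBACK_PORT = 1514           # common unprivileged substitute (an assumption, not a standard)

# <PRI>Mon dd hh:mm:ss host message   (PRI = facility * 8 + severity)
_SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(line):
    """Split an RFC 3164 line into the fields an indexer would extract; None if it is not syslog."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {
        "facility": pri // 8,      # 1 = user-level messages
        "severity": pri % 8,       # 6 = informational
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def bind_syslog_listener(preferred=PRIVILEGED_SYSLOG_PORT, fallback=FALLBACK_PORT, host="127.0.0.1"):
    """Return (socket, bound_port, reason).

    reason is None when the preferred port was bound, otherwise the OSError that
    forced the fallback: PermissionError (EACCES) for a non-root process on a
    privileged port, or EADDRINUSE when another daemon already owns it.
    fallback=0 lets the OS choose any free unprivileged port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, preferred))
        return sock, preferred, None
    except OSError as err:
        sock.bind((host, fallback))
        return sock, sock.getsockname()[1], err


def send_and_receive(line, listener, timeout=2.0):
    """Play the router: send `line` as one UDP datagram to `listener` and return the parsed result."""
    host, port = listener.getsockname()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(line.encode("utf-8"), (host, port))
        listener.settimeout(timeout)
        data, _peer = listener.recvfrom(65535)
    finally:
        sender.close()
    return parse_syslog(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    listener, port, reason = bind_syslog_listener(fallback=0)
    if reason is None:
        print(f"bound UDP {port} directly (process has the privilege)")
    else:
        print(f"UDP {PRIVILEGED_SYSLOG_PORT} unavailable ({reason}); listening on {port} instead")
    print(send_and_receive(SAMPLE_ROUTER_LINE, listener))
    listener.close()
```

The privileged-port rule is a Unix one: a Splunk instance installed as a non-root user on Linux or macOS will fail to open UDP 514 exactly as the fallback branch above does, and the usual fix is to listen on an unprivileged port (in inputs.conf a `[udp://1514]` stanza with `index = router` and `sourcetype = syslog`) and either point the router at that port or redirect 514 to it at the OS level. A Windows service running as Local System, which is what the services.msc check in this thread is looking for, has no such restriction, so there a "not available" message on 514 points at another process already owning the port rather than at missing privilege.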
OK, so here's a page I found that describes the settings you'll want on your router. Double-check that you made the right changes.
On the Splunk side, click Settings. Click Data Inputs. Click UDP. In there you should have something listening on UDP Port 514. Make sure it's enabled.
If you then click on the "514" of that input, you'll come to a configuration page. In there click the "More Settings" then check what index it's going in to. There's other settings we'll have to fiddle with in there later, possibly, but for now we're just trying to get data coming in.
Once you have those two things checked and confirmed or changed, give it a few minutes then search with, oh, probably this:
and see what it shows you.