How to ingest Untangle logs (NG Firewall) into Splunk?

bborodach
Engager

Greetings,

For a long time, I have wanted to ingest Untangle logs (Firewall, IDS/IPS, OpenVPN, and Web Filtering) into Splunk to write security rules, etc. I am surprised this wasn't done before; however, I completed this and it was worth the struggle.

1 Solution

bborodach
Engager
  1. Getting Splunk and Untangle ready;

Pre-reqs (Ubuntu 16.04 - Splunk box) - JRE version 1.8 [I already had default jre]

sudo apt-get install default-jre [I would if I were you, because these are the exact steps I followed]

http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html

tar -xvzf jre-8u172-linux-x64.tar.gz [change version to fit your needs]

mv jre1.8.0_172/ /usr/lib/jvm/

  2. Installing the Splunk app.

Log in to Splunkbase and download the DB Connect app. Once you have installed it, on the General tab under Settings put the full path to your Java JRE (/usr/lib/jvm/jre1.8.0_172).

Then download the driver required by the splunk app; https://jdbc.postgresql.org/download/postgresql-42.2.2.jar

After you have downloaded the correct driver for your database, copy the .JAR driver file to the

$SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers

Once you do this restart splunk

Configuring untangle;

  1. /etc/init.d/untangle-vm stop

  2. /etc/init.d/postgresql stop

Use your favourite text editor to edit

  1. /etc/postgresql/9.4/main/pg_hba.conf

Find this line;

host    all             all             127.0.0.1/0               trust

CHANGE It to

host    all             all             0.0.0.0/0               trust

This allows all traffic to it.

For this next part, navigate to

/etc/postgresql/9.6/main/postgresql.conf

UNCOMMENT the listen_address line and add * in the ().

Configure postgres;

psql -U postgres -d uvm
CREATE USER $usernamehere WITH ENCRYPTED PASSWORD 'passwordfortheuser';
GRANT CONNECT ON DATABASE uvm TO $usernamehere;
GRANT USAGE ON SCHEMA reports TO $usernamehere;
GRANT SELECT ON ALL SEQUENCES IN SCHEMA reports TO $usernamehere;
GRANT SELECT ON ALL TABLES IN SCHEMA reports to $usernamehere;
ALTER DEFAULT PRIVILEGES IN SCHEMA reports GRANT SELECT ON TABLES TO $usernamehere;

IF YOU HAVE UNTANGLE FIREWALL RULES ENSURE THAT YOU ALLOW YOUR HOST ACCESS TO IT!
Download this tool to test https://www.pgadmin.org/download
Follow instructions to connect.

Tables to pull data from (this is what I did, you can tailor this to your environment);

  * openvpn_stats
  * sessions
  * http_query_events
  * http_events
  * intrusion_prevention_events

For configuring Splunk DB_Connect App and any questions please watch
https://youtu.be/oPB2Lpd9ZAs

Once you have the Splunk DB_Connect App setup:

You can use these pre-made queries to help get you up and running; they are Splunk CIM compliant (except for OpenVPN).

OPENVPN;

SELECT stats.start_time AS session_start_time,
stats.end_time AS session_close_time,
stats.remote_address AS src,
stats.pool_address AS internal_ip,
stats.client_name AS user,
stats.rx_bytes AS bytes_in,
stats.tx_bytes AS bytes_out,
event."type" AS action
FROM "uvm"."reports"."openvpn_stats" AS stats
INNER JOIN "uvm"."reports"."openvpn_events" AS event
ON (stats.remote_address = event.remote_address)
AND (stats.client_name = event.client_name)
AND (stats.time_stamp >= event.time_stamp - INTERVAL '1' SECOND)

Firewall and SSL;

SELECT time_stamp AS start_time,
end_time,
bypassed,
session_id,
hostname,
local_addr AS src_ip,
c_client_port AS src_port,
remote_addr AS dest_ip,
c_server_port AS dest_port,
server_country,
server_latitude,
server_longitude,
c2p_bytes AS bytes_out,
s2p_bytes AS bytes_in,
firewall_blocked AS action,
ssl_inspector_ruleid AS ssl_rule,
ssl_inspector_status AS ssl_action,
ssl_inspector_detail AS ssl_url
FROM "uvm"."reports"."sessions"

IDS;

SELECT time_stamp AS start_time,
sig_id,
source_addr AS src,
dest_addr AS dest,
dest_port AS dest_port,
blocked AS action,
category || ':' || classtype AS category,
msg AS signature
FROM "uvm"."reports"."intrusion_prevention_events"

Web_Filtering

SELECT http_events.time_stamp,
http_events.c_client_addr AS src,
http_events.s_server_addr AS dest,
http_events.host AS site,
http_events.host || http_events.uri AS url,
http_events.domain AS dest_domain,
http_events.hostname AS host,
http_events.method AS http_method,
http_events.s2c_content_type AS http_content_type,
http_events.referer AS http_referrer,
http_events.web_filter_category AS category,
http_query_events.uri AS uri_query,
http_query_events.term AS search_terms
FROM "uvm"."reports"."http_events" AS http_events
INNER JOIN "uvm"."reports"."http_query_events" AS http_query_events
ON (http_events.request_id = http_query_events.request_id)
AND (http_events.session_id = http_query_events.session_id)

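An added example (editor's, not code from bborodach's post or from Untangle) covering two points a practitioner would want after following the steps above. First, the pg_hba.conf change in the post uses the `trust` method, under which PostgreSQL checks no password at all, so `host all all 0.0.0.0/0 trust` lets anyone who can reach TCP 5432 on the firewall read (and, as the postgres superuser, write) the reports database; the statements and the pg_hba lines below confine access to one collector address with a password-checked, read-only role. Second, the queries in the post fetch every row on every run; Splunk DB Connect 3 inputs use a rising column, with `?` standing for the last checkpoint, so the sessions query is shown in that form. Assumed values: the Splunk collector is 10.0.0.5, the Untangle interface it reaches is 10.0.0.1, the role is called splunk_ro and the password is a placeholder; `md5` rather than `scram-sha-256` because SCRAM only exists from PostgreSQL 10 and the paths in the post are for a 9.x server.

```sql
-- Editor's added example: run as the postgres superuser on the Untangle box
-- (psql -U postgres -d uvm), then restart postgresql. Assumed: collector
-- 10.0.0.5, Untangle LAN interface 10.0.0.1, role splunk_ro.

-- 1. Listen on loopback plus the one interface the collector reaches instead
--    of '*'. ALTER SYSTEM (PostgreSQL 9.4+) writes postgresql.auto.conf, which
--    overrides the listen_addresses line in postgresql.conf; restart required.
ALTER SYSTEM SET listen_addresses = 'localhost,10.0.0.1';

-- 2. Read-only role. Same GRANTs as the post; the difference is that the
--    password is actually checked once pg_hba.conf says md5 instead of trust.
--    The connection limit and statement timeout stop a misconfigured input
--    from tying up the firewall's own database.
CREATE ROLE splunk_ro LOGIN PASSWORD 'change-me' CONNECTION LIMIT 2;
GRANT CONNECT ON DATABASE uvm TO splunk_ro;
GRANT USAGE ON SCHEMA reports TO splunk_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA reports TO splunk_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA reports GRANT SELECT ON TABLES TO splunk_ro;
ALTER ROLE splunk_ro SET statement_timeout = '60s';

-- 3. pg_hba.conf lines to pair with the role (a file edit, not SQL). Keep the
--    existing local/127.0.0.1 lines the firewall itself uses, and instead of
--    "host all all 0.0.0.0/0 trust" add, in this order (first match wins):
--      hostssl uvm splunk_ro 10.0.0.5/32 md5
--      host    all all       0.0.0.0/0   reject
--    hostssl needs ssl = on and a server certificate; use "host" if the
--    server has none, and rely on the Untangle firewall rule to limit 5432.

-- 4. DB Connect input query, rising-column form. DB Connect substitutes the
--    checkpoint for "?" and the ORDER BY must be on the rising column, so each
--    closed session is fetched exactly once. end_time is used rather than
--    time_stamp on the assumption (suggested by the column itself) that the
--    sessions row is inserted when a session opens and end_time plus the byte
--    counters are filled in when it closes; rising on time_stamp would ingest
--    the open-session snapshot with NULL end_time and zero bytes. The CASE
--    maps the boolean to the allowed/blocked strings the CIM action field
--    expects; NULL (no firewall rule evaluated, e.g. bypassed) counts as allowed.
SELECT time_stamp     AS start_time,
       end_time,
       bypassed,
       session_id,
       hostname,
       local_addr     AS src_ip,
       c_client_port  AS src_port,
       remote_addr    AS dest_ip,
       c_server_port  AS dest_port,
       server_country,
       c2p_bytes      AS bytes_out,
       s2p_bytes      AS bytes_in,
       CASE WHEN firewall_blocked THEN 'blocked' ELSE 'allowed' END AS action,
       ssl_inspector_ruleid AS ssl_rule,
       ssl_inspector_status AS ssl_action,
       ssl_inspector_detail AS ssl_url
  FROM reports.sessions
 WHERE end_time > ?
 ORDER BY end_time ASC;
-- The IDS and web-filter queries take the same WHERE/ORDER BY pair with
-- time_stamp as the rising column, since those tables are insert-only.
```

In DB Connect the input is created with "Rising Column" = end_time and an initial checkpoint value (a timestamp just before the first run); the `?` is filled from the checkpoint on each execution and advanced to the last row returned.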

morganalton
New Member

I'm really new to Splunk but I am trying to follow what you listed here for bringing in Untangle. Would you be able to assist me a little more with getting my firewall integrated properly?
