Activity Feed
- Posted Why is docker latest not on the most recent version (March 2024 edition) on Deployment Architecture. 03-29-2024 06:22 AM
- Posted Re: A method to extend the Ubiquiti add-on to support ingestion of DNSMASQ logs on All Apps and Add-ons. 09-01-2020 05:08 AM
- Posted Re: A method to extend the Ubiquiti add-on to support ingestion of DNSMASQ logs on All Apps and Add-ons. 02-04-2019 04:28 AM
- Posted A method to extend the Ubiquiti add-on to support ingestion of DNSMASQ logs on All Apps and Add-ons. 02-03-2019 10:19 AM
- Tagged A method to extend the Ubiquiti add-on to support ingestion of DNSMASQ logs on All Apps and Add-ons. 02-03-2019 10:19 AM
- Posted Re: Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? on All Apps and Add-ons. 09-19-2017 10:51 AM
- Posted Re: Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? on All Apps and Add-ons. 03-21-2017 09:17 AM
- Posted Re: Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? on All Apps and Add-ons. 01-30-2017 01:54 PM
- Posted Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? on All Apps and Add-ons. 01-23-2017 09:05 AM
- Tagged Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? on All Apps and Add-ons. 01-23-2017 09:05 AM
- Posted Re: Why is the Cisco Networks Overview dashboard not displaying inventory or event detail after the AP Product radio button is selected? on All Apps and Add-ons. 11-01-2016 07:12 AM
- Posted Why is the Cisco Networks Overview dashboard not displaying inventory or event detail after the AP Product radio button is selected? on All Apps and Add-ons. 10-28-2016 01:00 PM
- Tagged Why is the Cisco Networks Overview dashboard not displaying inventory or event detail after the AP Product radio button is selected? on All Apps and Add-ons. 10-28-2016 01:00 PM
03-29-2024
06:22 AM
After attending a Splunk 9.2 webinar yesterday (3/28/24), I pulled a fresh docker container down using the "latest" tag and found that I had v.9.0.9 rather than v.9.2.1. Is it possible that this is a reoccurrence of a build issue mentioned in this old post https://community.splunk.com/t5/Deployment-Architecture/Why-is-Docker-latest-not-on-most-recent-version/td-p/600958 ?
09-01-2020
05:08 AM
I noticed after posting this customization to the TA-ubiquiti add-on that my references to the inputs.conf, props.conf, and transforms.conf files were missing the "local" sub-directory. 🙄 I have not uncovered a way to update my original post, so here is what those file references should actually look like:
In ~/etc/apps/TA-ubiquiti/local/inputs.conf:
In ~/etc/apps/TA-ubiquiti/local/props.conf:
In ~/etc/apps/TA-ubiquiti/local/transforms.conf, I added the following two stanzas:
This documentation error should not have caused an issue for anyone that has used Splunk for any length of time, but hopefully it did not cause trouble for anyone new to Splunk that attempted to follow my procedure. 😟
Cheers.
Ed
02-04-2019
04:28 AM
Here is a link to the associated write-up on how to configure the Ubiquiti Networks UniFi Security Gateway 3P to forward the DNSMASQ log messages to a remote syslog server.
https://community.ubnt.com/t5/UniFi-Routing-Switching/Configuring-a-UniFi-Security-Gateway-3P-to-include-DNSMASQ-logs/td-p/2660367
Cheers.
Ed
02-03-2019
10:19 AM
I have customized my local installation of the TA-ubiquiti add-on to support the ingestion of DNSMASQ log messages (produced via the "log-queries=extra" configuration option) and thought that others might be interested in doing the same. I plan to post the specific configuration steps that I followed to get my Unifi Security Gateway 3P to generate and forward the desired DNSMASQ log messages to the Ubiquiti Networks Community Forums, so I will not cover those steps here.
In preparation for setting this up, I followed the installation and configuration steps for the TA-Ubiquiti add-on as outlined in "Method 1" up until the UDP Input is added to Splunk. For my installation, I have all Unifi devices configured to forward syslog output to a Debian Linux based syslog server with a Universal Forwarder installed. Here is an example of the rsyslog configuration I am using:
In /etc/rsyslog.d/ubqt.conf:
if $fromhost-ip == '1.1.1.1' then /var/log/splunk/ubqt/controller.log
if $fromhost-ip == '1.1.1.2' then /var/log/splunk/ubqt/gateway.log
if $fromhost-ip == '1.1.1.3' then /var/log/splunk/ubqt/switch_1.log
if $fromhost-ip == '1.1.1.4' then /var/log/splunk/ubqt/switch_2.log
if $fromhost-ip == '1.1.1.5' then /var/log/splunk/ubqt/ap_1.log
if $fromhost-ip == '1.1.1.6' then /var/log/splunk/ubqt/ap_2.log
& ~   # legacy rsyslog "discard" action; it applies only to the selector on the preceding line
To ingest the files created above via rsyslog, I am using the following local .conf file configurations:
In ~/etc/apps/TA-ubiquiti/inputs.conf:
[monitor:///var/log/splunk/ubqt]
host_regex = /var/log/splunk/ubqt/(\w+)
sourcetype = ubqt
index=ubqt
disabled = 0
In ~/etc/apps/TA-ubiquiti/props.conf:
[default]
TRANSFORMS-changeindex = index-mcad, index-mcad, index-dhcp, index-fw, index-threat, index-dns
[ubqt]
TRANSFORMS-dns = sourcetype-dns
[ubqt:dns]
EXTRACT-dnsmaq_dns_request = dnsmasq[(?P\d+)]:\s+(?P\d+)\s+(?P[^/]+)/(?P\d+)\s+(?P\w+)[(?P\w+)]\s+(?P[^ ]+)
EXTRACT-dnsmasq_dns_response = dnsmasq[(?P\d+)]:\s+(?P\d+)\s+(?P[^/]+)/(?P\d+)\s+(?P[a-z/]+)\s+(?P[^ ]+) is (?P.+)
EXTRACT-dnsmasq_dest_ip = dnsmasq[(?P\d+)]:\s+(?P\d+)\s+(?P[^/]+)/(?P\d+)\s+(?P\w+)[^ \n]* (?P[^ ]+) to (?P.+)
MAX_TIMESTAMP_LOOKAHEAD = 15
SHOULD_LINEMERGE = 0
TIME_FORMAT = %b %d %H:%M:%S
In ~/etc/apps/TA-ubiquiti/transforms.conf, I added the following two stanzas:
[index-dns]
REGEX = dnsmasq\[
FORMAT = netdns
DEST_KEY = _MetaData:Index
[sourcetype-dns]
REGEX = dnsmasq\[
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::ubqt:dns
Once all of the above configuration work is in place, the DNSMASQ events will be added to the netdns index that should have been created when the ubqt_indexes.tar archive was installed as mentioned within the "Method 1" installation instructions.
One last note: It may be noticed that I am not attempting to differentiate the received ubiquiti syslog messages within rsyslog (as mentioned within the "Method 2" installation summary). So the approach I outline here is something of a hybrid between the two installation methods.
I hope that somebody finds this of some value.
Cheers.
Ed
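As an added illustration of what the props.conf extractions and transforms.conf stanzas in the post above do (example code written for this page, not part of the original post or of the TA-ubiquiti add-on), the same patterns are applied in Python to a few constructed dnsmasq "log-queries=extra" lines. The capture-group names (pid, query_id, src_ip, src_port, action, record_type, query, answer, dest_ip) are assumptions, since they did not survive the forum rendering.

```python
import re

# Constructed sample syslog output, in the shape dnsmasq produces with
# "log-queries=extra" (not captured from a real gateway).
SAMPLE_LOG = """\
Feb  3 10:19:01 gateway dnsmasq[1234]: 7 192.168.1.20/55123 query[A] example.com from 192.168.1.20
Feb  3 10:19:01 gateway dnsmasq[1234]: 7 192.168.1.20/55123 forwarded example.com to 1.0.0.1
Feb  3 10:19:01 gateway dnsmasq[1234]: 7 192.168.1.20/55123 reply example.com is 93.184.216.34
Feb  3 10:19:02 gateway dnsmasq-dhcp[1234]: DHCPACK(eth1) 192.168.1.20 aa:bb:cc:dd:ee:ff host1
"""

# Same shape as the three EXTRACT-* patterns in the post; the capture-group
# names were lost when the post was rendered, so those used here are assumptions.
_PREFIX = (r"dnsmasq\[(?P<pid>\d+)\]:\s+(?P<query_id>\d+)\s+"
           r"(?P<src_ip>[^/]+)/(?P<src_port>\d+)\s+")
DNS_REQUEST = re.compile(_PREFIX + r"(?P<action>\w+)\[(?P<record_type>\w+)\]\s+(?P<query>[^ ]+)")
DNS_RESPONSE = re.compile(_PREFIX + r"(?P<action>[a-z/]+)\s+(?P<query>[^ ]+) is (?P<answer>.+)")
DNS_FORWARD = re.compile(_PREFIX + r"(?P<action>\w+)[^ \n]* (?P<query>[^ ]+) to (?P<dest_ip>.+)")


def route(line):
    """Mirror the [index-dns] and [sourcetype-dns] transforms: a line whose raw
    text contains 'dnsmasq[' is re-indexed to netdns as sourcetype ubqt:dns;
    everything else keeps the monitor stanza's defaults (index ubqt, sourcetype ubqt)."""
    if "dnsmasq[" in line:
        return "netdns", "ubqt:dns"
    return "ubqt", "ubqt"


def extract(line):
    """Apply the request/response/forward extractions in order; first match wins."""
    for pattern in (DNS_REQUEST, DNS_RESPONSE, DNS_FORWARD):
        match = pattern.search(line)
        if match:
            return match.groupdict()
    return None


def parse_log(text):
    """Turn raw syslog lines into index/sourcetype/fields records, the way the
    events would look once props.conf and transforms.conf have been applied."""
    events = []
    for line in text.splitlines():
        index, sourcetype = route(line)
        fields = extract(line) if sourcetype == "ubqt:dns" else None
        events.append({"index": index, "sourcetype": sourcetype, "fields": fields})
    return events


if __name__ == "__main__":
    for event in parse_log(SAMPLE_LOG):
        print(event["index"], event["sourcetype"], event["fields"])
```

Note that the DHCP line is left in the ubqt index untouched: the transform's regex only matches the literal "dnsmasq[" prefix, so "dnsmasq-dhcp[" events are not re-routed to netdns.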
09-19-2017
10:51 AM
For those who were waiting for more.... 😉
We did move beyond the lab prototyping phase with this solution and now have routers within approximately 90 offices forwarding HSL events into Splunk without issue.
03-21-2017
09:17 AM
Just a quick update: We are currently working to prototype this solution in our lab. More to come.
01-30-2017
01:54 PM
When I reviewed the latest documentation for Stream, I did take notice that IPFix extensions could be accommodated, but did not see the same statement made about extensions to NetFlow. If this is in fact a supported product capability of Stream v.7.x, it will certainly be one of the options we will want to consider.
01-23-2017
09:05 AM
Does Splunk Stream support Cisco's High Speed Logging (HSL) data input via a NetFlow v9 stream? How will Splunk Stream handle Cisco's High Speed Logging (HSL) "extension" to NetFlow v9?
Cisco ISR 4331 routers cannot forward standard firewall logging data as syslog output and instead export this type of data as NetFlow template and data records. Is Splunk Stream capable of receiving and interpreting these types of NetFlow records? Is version 7.0.1 of Splunk Stream capable of receiving and correctly interpreting NetFlow v.9 High Speed Logging (HSL) flow data generated by Cisco ISR 4331 routers? This use case for NetFlow can also be referred to as template-based or "flexible NetFlow".
Thanks.
11-01-2016
07:12 AM
Mikael,
Thanks for the quick response. Based upon a brief review of your App and some past experience with the Cisco wireless products, I suspected this might be the case, but thought it was worth posting a question to get an authoritative answer.
Given that our Network Operations team have already expressed an interest in having some "direct visibility" into the lightweight AP device inventory, I might investigate the possibility of assembling a solution for that request.
Regards,
Ed
10-28-2016
01:00 PM
It was brought to my attention that our Cisco Networks App for Splunk Enterprise implementation is not currently presenting any inventory or event detail on the "Cisco Networks Overview" dashboard after the AP Product radio button has been selected. Should we expect this dashboard to include detail for lightweight APs or just autonomous APs?
Additional Background:
All of our deployed APs are configured as "lightweight" and managed by WLCs. Our Splunk instance is currently receiving syslog data from the WLCs, but no Cisco Smart Call Home input at this time. Given this data input configuration, WLC specific inventory and events are being presented when the WLC Product is chosen, but no AP specific inventory or event details are being presented anywhere.