I used the Home Monitor app to set up the data source. I have the Splunk server IP address set in the Remote Log Server for the router, and I also have the UDP 514 port open on the Splunk server. However, the only data I am getting is bandwidth tests (sourcetype:bandwidth_test). Has anyone else used the Asus RT-AC88U router with any luck?
sudo firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0f1
sources:
services: dhcpv6-client ssh syslog vnc-server
ports: 514/udp 8000/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
netstat -tulpn
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN -
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8089 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8191 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:8000 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8065 0.0.0.0:* LISTEN -
tcp6 0 0 127.0.0.1:14186 :::* LISTEN 1695/java
tcp6 0 0 :::111 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 ::1:631 :::* LISTEN -
tcp6 0 0 ::1:25 :::* LISTEN -
tcp6 0 0 ::1:6010 :::* LISTEN -
udp 0 0 0.0.0.0:64953 0.0.0.0:* -
udp 0 0 192.168.122.1:53 0.0.0.0:* -
udp 0 0 0.0.0.0:67 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -
udp 0 0 127.0.0.1:323 0.0.0.0:* -
udp 0 0 0.0.0.0:5353 0.0.0.0:* -
udp 0 0 0.0.0.0:38233 0.0.0.0:* -
udp6 0 0 ::1:323 :::* -
udp6 0 0 :::4731 :::* -
Splunk data inputs show UDP 514, sourcetype:assus, enabled
Looks like you need to open 514 in firewalld:
firewall-cmd --permanent --zone=public --add-port=514/udp
firewall-cmd --reload
I am still playing with the logging levels on the Asus RT-AC68U. Haven't really found much use for the logging yet... but that may be because of the logging levels...
I have the syslog service open already; shouldn't that take care of the port, or do I have to explicitly open UDP 514? As mentioned, I am getting bandwidth monitoring data from the router, which would suggest the port is already open, does it not?
Your firewalld output above only showed 8000 open. I never use the service definitions. Might work..
Does it now show 514 UDP?
Try running netstat -tulpn to confirm you see the listener.
Is splunk listening for 514 from all hosts?
Removed the Home Monitor app and tried to set a data input for UDP 514, but got an error stating it was not available. Uninstalled Splunk, then installed it as root, installed Home Monitor, and everything is now working; I must have initially installed Splunk as a non-root user.
Thanks for the assist.
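The checks suggested in this thread (is 514/udp allowed by firewalld, either explicitly or via the syslog service, and is anything actually bound to it per netstat -tulpn) as a small diagnostic script. This is an added example, not code from the thread or from Splunk; the firewall-cmd and netstat outputs embedded below are constructed from the ones posted above, and the assumption that firewalld's built-in syslog service covers 514/udp comes from its stock syslog.xml definition.

```python
"""Diagnose why a UDP/514 syslog input receives nothing.

Parses the text output of `firewall-cmd --zone=public --list-all` and
`netstat -tulpn` and reports the likely causes. Sample outputs below are
constructed for the example (trimmed versions of the thread's output).
"""

FIREWALL_OUT = """public (active)
  target: default
  services: dhcpv6-client ssh syslog vnc-server
  ports: 8000/tcp
"""
NETSTAT_OUT = """udp        0      0 0.0.0.0:5353            0.0.0.0:*                           -
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1234/splunkd
"""

# firewalld's stock syslog service definition (syslog.xml) allows 514/udp.
SERVICE_PORTS = {"syslog": {(514, "udp")}}

def firewall_allows(out, port, proto):
    """True if port/proto is allowed via 'ports:' or a known service."""
    ports, services = set(), set()
    for line in out.splitlines():
        key, _, val = line.strip().partition(":")
        if key == "ports":
            ports = {tuple(p.split("/")) for p in val.split()}  # ('514', 'udp')
        elif key == "services":
            services = set(val.split())
    if (str(port), proto) in ports:
        return True
    return any((port, proto) in SERVICE_PORTS.get(s, set()) for s in services)

def listeners(out, port, proto):
    """Local addresses bound to port/proto in `netstat -tulpn` output."""
    found = []
    for line in out.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].startswith(proto):
            continue
        addr, _, p = parts[3].rpartition(":")  # handles IPv6 like ::1:323
        if p == str(port):
            found.append(addr)
    return found

def diagnose(fw_out, ns_out, port=514, proto="udp"):
    """Return a list of findings; an empty list means the path looks open."""
    findings = []
    if not firewall_allows(fw_out, port, proto):
        findings.append(f"firewalld does not allow {port}/{proto}")
    bound = listeners(ns_out, port, proto)
    if not bound:
        findings.append(f"nothing is listening on {port}/{proto}")
        if port < 1024:  # the non-root install failure seen in this thread
            findings.append("ports below 1024 need root or CAP_NET_BIND_SERVICE")
    elif all(a in ("127.0.0.1", "::1") for a in bound):
        findings.append("listener is bound to loopback only")
    return findings
```

Feed it the real outputs (for example via subprocess) once the constructed samples behave as expected.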
Getting data now, but all the Home Monitor dashboards say no data. Assuming this has to do with the router logging, any info you could share that you have found on the logging levels would be very helpful.
I'm just getting to know the logging levels I like. I ended up using this article to play with the nvram command and so far am running log_level 7.
https://fatmin.com/2015/01/04/configure-syslog-logging-levels-on-the-asus-rt-ac66u-router/
Will run through them and see what I get. Level 7 is basically DHCP and dropbear when I log in so far.
Explicitly allowed 514 as well, no change, any other suggestions?
Hi kmax9981,
What OS are you running Splunk on? Are you able to confirm any firewalld/iptables configs, or run a packet capture to see if you are receiving any messages?
Splunk is installed on CentOS 7.3.1611
sudo firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp5s0f1
sources:
services: dhcpv6-client ssh syslog vnc-server
ports: 8000/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
Wireshark shows syslog packets from the router to the server, however the only ones I see are "Syslog message: KERN.WARNING:
For the syslog packets, I am seeing mostly DROP, but some ACCEPT