I am not very network savvy. Trying to get my home router to syslog to Splunk to look at connection info in the Home Monitor app.
I can see events in the bandwidth_test sourcetype, so I know that I have the app running.
If I go to settings|Data inputs|UDP, I can see UDP port 514 enabled with source type RT-N66U
And in Windows Firewall, I can see that I have created an inbound rule called Splunk Syslog, which allows local port UDP 514, and remote port: all ports
On my RT-N66U router I have set remote log server to my Splunk install's IP address.
But in app, I see no logs and in the search app, I do not see events from syslog or RT-N66U or asus.
I tried running netstat -p UDP, that returns nothing. netstat -p TCP does return a lot of high ports and 8000, 8191 (I think these are the Splunk app)
Any clues/advice on what I am missing?
It seems like your router is not sending the appropriate data which can be used in the app. Make sure to enable the firewall feature (if applicable) to send the data required for the app to work.
Do you see the fields you use in the stats command in the list of interesting fields on the left?
Yes. There's a big list
Interesting Fields
adate_month 1
adate_wday 1
adate_zone 1
adirection 1
aindex 1
apunct 4
asplunk_server 1
1 more field
Frank VI, did you actually get it to work? I see you had problems earlier.
Looks like the relevant fields are not available, so when you do a stats, that indeed does not return any results. amiracle mentions something below about not having the right type of events coming in from your router.
I never tried this myself.
Nope, I can't send links apparently. Trying again
https://www.dropbox.com/s/lehlw5y1mc5hwl1/Splunk.jpg?dl=0
Link above worked. It's a .jpg screen grab
First thing I would do is change the sourcetype from RT-N66U to asus. Check out this wiki entry that walks you through why having the sourcetype asus is necessary for the app:
https://github.com/amiracle/homemonitor/wiki/Configure-home-monitor-app-for-Splunk
Let me know if that helps with your setup.
Thanks,
Kam
Thank you! I did start messing with the stanzas after it did not work initially. When I get home tonight, I'll try a reinstall and make sure that everything is set to asus.
Hi @MonkeyK - Did amiracle's comment help provide a working solution to your question? If yes, please let me know so that I can convert it to an Answer to be accepted. That way others can easily find your question in case they have the same issue. Thanks.
Sorry, I lost track of trying the reinstall. I will do my best to try it when I get home tonight
You're on the right track with netstat -p UDP
if Splunk is listening you should definitely see an entry for it.
If that entry is missing, I wonder if splunk is failing to start the listener process?
I think that you are right. I finally did the reinstall and just used the basic setup.
selected
hostname: RT-N66U (because ping -1 returned that)
sourcetype::asus
and I unchecked disable for udp 514
however I still see no data in the home monitor app and netstat -p UDP still shows nothing.
I will try disabling my Windows firewall temporarily to see if that is holding anything up.
OK. I disabled windows firewall on private Networks, still netstat -p UDP is empty.
So I went to my Splunk data inputs and disabled and re-enabled the UDP port 514. Still nothing on netstat -p UDP
Disabled windows firewall on public networks. Still nothing on netstat -p UDP
Disabled and reenabled port 514 in Splunk. Still nothing on netstat
Restarted Splunk with Windows firewall turned off. Still nothing on netstat.
Seems like there must be a step still missing
Have you been able to get this working on your Windows box? I honestly have not tested this out on Windows since I don't have any Windows workstation to test this on in my lab. Let me know if there is anything I can test out from my end.
Thanks,
Kam
Hey Kam. I kind of gave up. I just couldn't figure it out.
To be honest I don't even know where the problem is. Maybe I simply have not properly configured my router
I gave it another shot. Uninstalled Splunk, reinstalled Splunk and Home Monitor.
Set my router to
Remote Log Server: 192.168.1.19 (my desktop, wifi)
Default message log level: info
Log only messages more urgent than: all
set windows firewall to allow UDP 514 inbound
configured Home Monitor, entered asus
verified my Splunk data inputs, I can see UDP 514 with a source type of asus enabled.
But no data in Splunk. So I fired up Wireshark (which I am not very good with) and put a filter on udp.port==514. This shows traffic from 192.169.1.1 to 192.168.1.19 with a Protocol of Syslog, but the messages are all DAEMON.INFO and then note DHCP. Not sure if home monitor is handling DHCP? But those should still get ingested as syslog, right?
Yes, so the data being sent from your router should still show up in Splunk as Syslog. The question I have is if the Windows server is permitting Splunk to run and collect data on 514. I know it's usually an issue with Linux on root owned ports >1028.
I tried netstat -abn
found
splunkd on a whole lot of ports, but not 514. Instead svchost.exe was listening on 514
[svchost.exe]
UDP 0.0.0.0:514 :
Since Splunk says that UDP:514 is enabled, it could be that svchost is initiated by Splunk, but maybe not.
I'll try another question on this forum asking for help on how to verify that Splunk is able to collect data from 514.
Oh. getting closer. netstat -abno also gives me process ID.
[svchost.exe]
UDP 0.0.0.0:514 : 1820
looking that up in Task Manager shows me that Process ID 1820 is splunkd.exe
I think that I still need to ask a separate question of why the logs don't get into Splunk
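The two checks the thread circles around (who actually owns UDP 514, and whether Splunk will ingest anything at all before the router is blamed) can be run in one go. The script below is an added example and not from this thread, the Home Monitor app or Splunk itself. It assumes it is run in an elevated PowerShell prompt on the Splunk host, that the Splunk UDP input is configured on port 514, and that the firewall rule is named "Splunk Syslog" as in the first post; the test syslog line it sends is constructed here, with PRI 30 (daemon.info) to match the DAEMON.INFO lines seen in Wireshark.

```powershell
# Added example (not from the thread): confirm which process owns UDP 514, check the
# inbound firewall rule, and push one test syslog datagram at the Splunk input so the
# Splunk side can be verified independently of the router.
# Assumptions: run elevated on the Splunk host; UDP input on 514; rule name "Splunk Syslog".

param(
    [int]$Port = 514,
    [string]$SplunkHost = '127.0.0.1'   # assumed: loopback, i.e. the script runs on the Splunk box
)

# 1. Who is listening? Get-NetUDPEndpoint is the PowerShell counterpart of "netstat -abno"
#    for UDP. Plain "netstat -p UDP" shows only active connections, and UDP has none, which is
#    why it came back empty in the thread; listeners only appear with -a.
$listeners = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning "Nothing is bound to UDP $Port. Check that the Splunk input is enabled and splunkd was restarted."
} else {
    foreach ($ep in $listeners) {
        $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
        # splunkd is expected here. Another owner (e.g. a Windows service) means something else took the port.
        "{0}:{1} owned by PID {2} ({3})" -f $ep.LocalAddress, $ep.LocalPort, $ep.OwningProcess, $proc.ProcessName
    }
}

# 2. Is the inbound rule present and enabled? (Rule name assumed from the first post.)
Get-NetFirewallRule -DisplayName 'Splunk Syslog' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Enabled, Direction, Action

# 3. Send one constructed RFC 3164 style line. PRI <30> = facility daemon (3*8) + severity info (6),
#    the same DAEMON.INFO class the router emits, so it exercises the same parsing path.
$stamp = Get-Date -Format 'MMM d HH:mm:ss'
$msg   = "<30>$stamp RT-N66U test-sender: constructed test message from $env:COMPUTERNAME"
$bytes = [System.Text.Encoding]::ASCII.GetBytes($msg)
$udp   = New-Object System.Net.Sockets.UdpClient
try {
    $sent = $udp.Send($bytes, $bytes.Length, $SplunkHost, $Port)
    "Sent $sent bytes to ${SplunkHost}:$Port"
} finally {
    $udp.Close()
}
```

After running it, search Splunk for `sourcetype=asus test-sender` over the last 15 minutes. If the test line shows up but the router's lines never do, the input and firewall are fine and the problem is upstream (router configuration, or the router not exporting the log type the app needs); if the test line does not show up either, the Splunk input itself is at fault regardless of what the router sends.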
Also pursuing this on snbforums. I have been informed that asus traffic logs are not exportable. I have seen elsewhere that this is an Asus/Merlin decision, so other firmwares may make traffic logs available.