homemonitor's People

Contributors

amiracle, thecapacity, tokensolution

homemonitor's Issues

Logs not feeding through when index set to homemonitor

So I have been trying to set up and play around with pfsense and homemonitor in Splunk.

Pfsense (10.0.1.254) is up and running and sending its logs on port 514 to Splunk (10.0.1.107).
However, having installed homemonitor the data does not seem to be populating. I have looked up various videos and followed step by step but it does not seem to populate the data when the index is set to homemonitor.

When I bypass homemonitor and set the index to default, the logs from my pfsense box come through which proves that the logs are reaching my pfsense box but are falling short when being fed into homemonitor.

No Data showing up

Hi Kam,
I'm running a Windows 10 box as my home monitor (Splunk) server. Running an R7000 forked with Asus-WRT. Batting zero on getting any inputs into the Win 10 box. All dashboards light up "no results found". I know my router is sending logs as they show up in my NAS when I direct them there. However, I can't get home monitor to do anything. Yes, port 514 is set up to accept the connection in Win10. Thoughts?

homemonitor setup failure

I added home monitor app to my fresh Splunk Enterprise installation and tried to configure. Every time I have clicked SAVE, I am greeted by the same "The "home | monitor > 4.5.1" app has not been fully configured yet." page and have to CONTINUE WITH APP SETUP PAGE and go into initial configuration again with none of my previous settings saved. I am currently running Splunk on Windows 10 with Norton 360 installed.

Dashboards Problem: HomeMonitor 4.5 with Enterprise 6.3

Hi,
I've uninstalled Splunk Enterprise and Homemonitor and reformatted my Mac Mini running El Capitan to ensure a CLEAN Slate to work with. So it's a bare-bones vanilla machine with not much on it, just to use solely as a server and start clean with Splunk Enterprise 6.3 and HomeMonitor 4.5. I've also installed the Splunk App for Stream, in which ALL dashboards work.

Thanks for upgrading HomeMonitor. I'd love to get it to work one day. I've followed ALL videos, blogs and resources of yours that I can find, and I'm still having issues getting the Dashboards to populate. I AM getting data from 514 and running as Root. I used the input screen you included in 4.5 HomeMonitor to ensure I have it correct, as well as checked the props and transforms files to make sure they all match your documentation - they do, and data is showing in home monitor search. (I've snapshotted my Data Inputs and a Search below for reference.)

On Overview Dashboards:
I get a partial dashboard on the Home Network Overview Dashboard where it only shows:
[screenshot 2016-03-17 4:41:27 pm] As you can see, it is missing any Bandwidth data (the Data Input is selected correctly for Linux/Mac) and missing Intrusion Detection, Inbound, Outbound, and Blocked Events data.

I get a partial dashboard on the Bandwidth Overview Dashboard;

[screenshot 2016-03-17 4:45:18 pm]

As you can see on the Bandwidth Overview Dashboard, Average Downloads vs. Average Uploads is NOT populating, and you see the Stream fields, which are populating with no issues.

On Overview Dashboards:
Check for Intrusions in your network - Sourcetype=fios - No results found
Blocked Traffic - Sourcetype=fios - No results found, all panels
Network Event Overview - Sourcetype=fios - No results found, all panels
Network Overview Inbound - Sourcetype=fios - No results found, all panels
Network Overview Outbound - Sourcetype=fios - No results found, all panels

Device Specific Panel - fios - This one actually seems OK; I didn't make config changes, so it appears to be reporting correctly:
[screenshot 2016-03-17 9:46:21 pm]

Experimental Views Dashboards:
Home Tag Cloud - Looks like the panels are fed from Stream - No results found, all panels
Force Directed - Looks like the panels are fed from Stream - No results found, all panels
Sankey Network Diagram - Looks like the panels are fed from Stream - No results found, all panels

Map of Connections Dashboard Panels:
[screenshot 2016-03-17 9:53:15 pm]
The source for these is fios and they are not populating.

I did notice that whichever time range I chose from the time picker did not yield any results either. At one point it was only pulling some partial data when 'all time' was chosen, but that was before the reinstall; now the Dashboards pull the above results.

Just for completeness, here is what my Data Input looks like:
[screenshot 2016-03-17 4:52:21 pm]
[screenshot 2016-03-17 4:52:49 pm]
[screenshot 2016-03-17 4:55:03 pm]
I assume that the Data Inputs are correct based on everything I've seen and tried. The source type override field still seems clear as mud as to what should actually be in there, or not be in there, or be left blank, as well as which set host option to choose; in this case I just left the default, as that's what the setup guide did for you.

I know that this is a labor of love project for you and you do it on your own time. I greatly appreciate your work and love the potential this has when it works. Any time you have to think on assisting to remedy the issues is certainly appreciated.

Thanks man

Uncertain what logs from router I should see

I'm using an Asus RT-N66u w/ the Merlin firmware, and have sent my syslog data to my splunk box via udp, which looks like:

```
Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:18 router.asus.com Feb 3 13:50:18 dropbear[32037]: Exit (manderso): Disconnect received
Feb 3 13:50:18 router.asus.com Feb 3 13:50:18 dropbear[32037]: Exit (manderso): Disconnect received
Feb 3 13:49:32 router.asus.com Feb 3 13:49:32 dropbear[32037]: Password auth succeeded for 'manderso' from 10.0.1.96:39072
Feb 3 13:49:29 router.asus.com Feb 3 13:49:29 dropbear[32037]: Child connection from 10.0.1.96:39072
Feb 3 13:48:31 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPRELEASE(br0) 10.0.1.180 e0:31:9e:1c:b9:fd
Feb 3 13:48:30 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.180 e0:31:9e:1c:b9:fd steamlink-12FC
Feb 3 13:48:30 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.180 e0:31:9e:1c:b9:fd
Feb 3 13:48:29 router.asus.com Feb 3 13:48:29 dropbear[32032]: Exit before auth: Exited normally
```

So I don't get anything w/ a source or destination IP. Are you familiar w/ how I can edit my syslog configuration to send the appropriate logs to splunk?
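The lines quoted in this issue are the router's own service logs (dnsmasq DHCP leases and dropbear SSH sessions), not per-connection firewall records, so they carry no source/destination pair for traffic. They are still useful to a home monitor: DHCPACK gives an inventory of which devices hold which address, and dropbear tells you who logged into the router itself. The following is an added example, not code from the homemonitor project, that structures exactly these lines. It assumes the Merlin double-timestamp header shown above and drops the exact duplicate lines visible in the paste.

```python
"""Structure Asus-WRT/Merlin syslog lines into DHCP lease and SSH login events."""
import re
from typing import Dict, List, Optional, Tuple

# The lines from the post above, as pasted (several arrived twice).
SAMPLE_LINES = [
    "Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 13:50:18 router.asus.com Feb 3 13:50:18 dropbear[32037]: Exit (manderso): Disconnect received",
    "Feb 3 13:50:18 router.asus.com Feb 3 13:50:18 dropbear[32037]: Exit (manderso): Disconnect received",
    "Feb 3 13:49:32 router.asus.com Feb 3 13:49:32 dropbear[32037]: Password auth succeeded for 'manderso' from 10.0.1.96:39072",
    "Feb 3 13:49:29 router.asus.com Feb 3 13:49:29 dropbear[32037]: Child connection from 10.0.1.96:39072",
    "Feb 3 13:48:31 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPRELEASE(br0) 10.0.1.180 e0:31:9e:1c:b9:fd",
    "Feb 3 13:48:30 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.180 e0:31:9e:1c:b9:fd steamlink-12FC",
    "Feb 3 13:48:30 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.180 e0:31:9e:1c:b9:fd",
    "Feb 3 13:48:29 router.asus.com Feb 3 13:48:29 dropbear[32032]: Exit before auth: Exited normally",
]

# Syslog header; the Merlin build repeats the timestamp after the hostname, so that part is optional.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?:\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+)?"
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
# dnsmasq-dhcp: "DHCPACK(br0) 10.0.1.180 e0:31:9e:1c:b9:fd steamlink-12FC" (hostname optional)
DHCP_RE = re.compile(
    r"^(?P<kind>DHCP[A-Z]+)\((?P<iface>\w+)\)\s+(?P<ip>\S+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?:\s+(?P<hostname>\S+))?$"
)
# dropbear: a completed password login to the router's own SSH service
SSH_OK_RE = re.compile(r"^Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):(?P<port>\d+)$")


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Split one syslog line into timestamp, host, program, pid and message; None if it does not fit."""
    m = HEADER_RE.match(line.strip())
    return m.groupdict() if m else None


def dedupe(lines: List[str]) -> List[str]:
    """Drop exact repeats while keeping the original order (the paste above has each line twice)."""
    seen = set()
    out = []
    for line in lines:
        if line not in seen:
            seen.add(line)
            out.append(line)
    return out


def dhcp_inventory(lines: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Map lease IP -> MAC and hostname from DHCPACK messages (the server confirming a lease)."""
    inventory: Dict[str, Dict[str, Optional[str]]] = {}
    for line in dedupe(lines):
        ev = parse_line(line)
        if not ev or ev["prog"] != "dnsmasq-dhcp":
            continue
        dm = DHCP_RE.match(ev["msg"] or "")
        if not dm or dm.group("kind") != "DHCPACK":
            continue
        entry = inventory.setdefault(dm.group("ip"), {"mac": dm.group("mac"), "hostname": None})
        entry["mac"] = dm.group("mac")
        if dm.group("hostname"):          # keep a hostname once any ACK supplies one
            entry["hostname"] = dm.group("hostname")
    return inventory


def ssh_logins(lines: List[str]) -> List[Tuple[str, str]]:
    """(user, source IP) for each successful dropbear password login to the router."""
    logins = []
    for line in dedupe(lines):
        ev = parse_line(line)
        if not ev or ev["prog"] != "dropbear":
            continue
        sm = SSH_OK_RE.match(ev["msg"] or "")
        if sm:
            logins.append((sm.group("user"), sm.group("ip")))
    return logins


if __name__ == "__main__":
    for ip, info in dhcp_inventory(SAMPLE_LINES).items():
        print(f"{ip:<14} {info['mac']}  {info['hostname'] or '-'}")
    print("router SSH logins:", ssh_logins(SAMPLE_LINES))
```

The two extractors are the kind of thing the app's props/transforms would do with regex field extractions; writing them out in Python makes it easy to check a new router's log format line by line before wiring it into a sourcetype.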

Monitoring syslog file

Thanks so much for building an awesome app - it's giving me a great chance to play with Splunk.

I've been trying to set it up to monitor a file vs. UDP and was wondering if you had any guidance.

It seems to "sorta" work - but I'm also trying to debug some rsyslog settings and wasn't sure how to continuously allow splunk to monitor the rsyslog file since I run it as a non-root user.

Any advice would be appreciated, and thanks again!

Trendnet Setup?

Trying to get this to work for my TRENDnet TEW‑812DRU wireless router, but can't seem to get Splunk to read the syslog. Any hints?

IPv6 with pfSense Broken

Hi,
I've recently started playing with Splunk and came across your excellent Homemonitor app. I am using pfSense running V2.2.6. I have a dual stack network with native IPv6 along with IPv4.

I've found that Homemonitor doesn't correctly parse IPv6 data from the System Log due to the fact that the IPv4 and IPv6 syslog formats are different.

I found a thread on the splunk forums from mid 2015 where someone tried to raise this issue but it didn't go anywhere:

https://answers.splunk.com/answers/294585/does-the-home-monitor-app-provide-ipv6-support-for.html

The text below details the differences in the log entries.

Can you please address this in a future release? Ideally, it would be nice to be able to separate IPv4 and IPv6 traffic in the dashboards.

_pfSense Log Format for IPv4 and IPv6 traffic_

These fields are common to both IPv4 and IPv6:
Rule Number
Sub rule number
Anchor
Tracker - unique ID per rule, tracker ID is stored with the rule in config.xml for user added rules, or check /tmp/rules.debug
Real interface (e.g. em0)
Reason for the log entry (e.g. match)
Action taken that resulted in the log entry (e.g. block, pass)
Direction of the traffic (in/out)
IP version (4 for IPv4, 6 for IPv6)

IPv4 then has:
TOS
ECN
TTL
ID
Offset
Flags
Protocol ID
Protocol text (tcp, udp, etc)

Whereas IPv6 has these fields:
Class
Flow Label
Hop Limit
Protocol
Protocol ID

Both then have the following fields at the end:
Length
Source IP
Destination IP

And then possibly the following:
For TCP and UDP (Proto ID 6 or 17) on IPv4 or IPv6
Source Port
Destination Port
Data Length

TCP Only:
TCP Flags
Sequence Number
ACK
Window
URG
Options

Details can be found here:
https://doc.pfsense.org/index.php/Filter_Log_Format_for_pfSense_2.2
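Because the IPv4 and IPv6 headers occupy a different number of columns, a filterlog extraction written for IPv4 alone lands the length, source and destination fields in the wrong places for IPv6 records, which is the parsing failure described in this issue. The following is an added example, not code from the homemonitor project, of a parser that branches on the IP version column exactly as the field list above describes. The three sample records are constructed for illustration (documentation address ranges, not real traffic); the syslog header format assumed is the plain `<timestamp> <host> filterlog: <csv>` form.

```python
"""Parse pfSense 2.2 filterlog records, branching on IP version as the field layout requires."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Column names in the order given in the pfSense 2.2 filterlog documentation.
COMMON_FIELDS = ["rule", "sub_rule", "anchor", "tracker", "interface",
                 "reason", "action", "direction", "ip_version"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
IPV6_FIELDS = ["traffic_class", "flow_label", "hop_limit", "proto", "proto_id"]
ADDR_FIELDS = ["length", "src", "dst"]
PORT_FIELDS = ["src_port", "dst_port", "data_length"]      # present for TCP (6) and UDP (17)
TCP_FIELDS = ["tcp_flags", "seq", "ack", "window", "urg", "options"]

# Everything after "filterlog: " is the comma-separated record.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+filterlog:\s*(?P<body>.*)$"
)

# Constructed samples: an IPv4 TCP block, an IPv6 ICMPv6 block and an IPv4 UDP pass.
SAMPLE_LINES = [
    "Mar 17 16:41:27 pfsense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,64,54321,0,DF,6,tcp,"
    "60,203.0.113.10,192.168.1.20,51515,22,0,S,2410015456,,65535,,mss;sackOK;TS;nop;wscale",
    "Mar 17 16:41:28 pfsense filterlog: 5,16777216,,1000000103,em0,match,block,in,6,0x00,0x00000,255,ICMPv6,58,"
    "8,2001:db8::10,2001:db8::1",
    "Mar 17 16:41:29 pfsense filterlog: 70,,,1000000105,em1,match,pass,out,4,0x0,,63,0,0,DF,17,udp,"
    "76,192.168.1.20,198.51.100.53,43210,53,56",
]


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """Return the record as a dict, or None if the line is not a well-formed filterlog entry."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    cols = m.group("body").split(",")
    event: Dict[str, str] = {"timestamp": m.group("ts"), "host": m.group("host")}
    pos = 0

    def take(names: List[str], required: bool = True) -> bool:
        nonlocal pos
        chunk = cols[pos:pos + len(names)]
        if required and len(chunk) < len(names):
            return False
        event.update(zip(names, chunk))
        pos += len(chunk)
        return True

    if not take(COMMON_FIELDS):
        return None
    # The header differs by IP version: 8 columns for IPv4, 5 for IPv6, and the proto/proto_id
    # pair is in the opposite order. Skipping this branch shifts every later field.
    if event["ip_version"] == "4":
        ok = take(IPV4_FIELDS)
    elif event["ip_version"] == "6":
        ok = take(IPV6_FIELDS)
    else:
        return None
    if not ok or not take(ADDR_FIELDS):
        return None
    if event["proto_id"] in ("6", "17") and not take(PORT_FIELDS):
        return None
    if event["proto_id"] == "6":
        take(TCP_FIELDS, required=False)      # trailing TCP columns may be empty or absent
    event["proto"] = event["proto"].lower()   # "ICMPv6" vs "tcp": one spelling for dashboards
    return event


def summarize(lines: List[str]) -> Counter:
    """Count records by (action, direction, ip_version) so v4 and v6 traffic chart separately."""
    counts: Counter = Counter()
    for line in lines:
        ev = parse_filterlog(line)
        if ev:
            counts[(ev["action"], ev["direction"], ev["ip_version"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_filterlog(line)
        print(ev["ip_version"], ev["action"], ev["direction"], ev["proto"], ev["src"], "->", ev["dst"])
    print(summarize(SAMPLE_LINES))
```

Keeping the IP version as its own field, as the summary does, is what makes the separate IPv4/IPv6 dashboards the poster asks for a matter of a filter rather than a second extraction.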

Unable to select sourcetype

I'm hoping you can help me out. I'm still not able to feed data into your home monitor app. When I open the app the only data I can review is on the bandwidth overview tab, which identifies hosts on my network and the average down/up speeds. I am forwarding my pfSense logs to the Splunk server and I have validated from the data summary that new logs are flowing in. When I click on sourcetypes under data summary I can see "pfsense:filterlog" as a source type with currently over 100000 records indexed.

When I click on pfsense:filterlog there is a selected field for "vendor_direction" which has the correct values formatted. However, when I go to "Overview Dashboards > Home Network Overview" the "Select your sourcetype" option is greyed out and it says "search produced no results." I have been trying to troubleshoot this for the last couple of days, so any help you could provide would be much appreciated.

Thank you in advance for any help you could provide.


Change index & sourcetype

Hi,

I have homemonitor working with the provided setup config.
I also have the TA-pfsense app running, because of other app and CIM requirements.
Is it possible to change the index/sourcetype to the index/sourcetype of TA-pfsense, because both apps ingest the same data and source?
So my license usage is doubled and exceeds the daily limit.
I've tried to change the index only, but that breaks the app. So, can you help me to adapt the files please?

Sorry for the noob question

I am sure I am missing something here.
I am trying to set up Splunk and HomeMonitor for the first time. Got it all installed but don't see any traffic. I see bandwidth monitor but that's all the data I am getting.
I installed Splunk on OSX. It is running and there is no firewall.
I put the Mac's local address (192.168.1.41) in the N66U's Remote Log Server. I have rebooted the router. Still see no data coming in.
I checked that there is a data input for UDP on 514, and there is.
I set the source type to Manual > asus with no source name override.
What might I be missing?

pfsense 2.4.1

Hi - just wonder if this splunk app is still under development. I'm on pfsense 2.4.1 and most if not all of the dashboards and data are not functioning.

Snort Logs from pfSense?

Hey there!

I've got your homemonitor app setup in Splunk but am having trouble enabling Snort logs.

As you can see from the screenshot below - the "Intrusion Detection" area simply shows "N/A" and I cannot find any instructions on your blog on how to enable this. Advice?

[screenshot]

Thanks!

Intrusion Dashboard: EventType "wineventlog_security" does not exist or is disabled message

I've been in the process of adjusting the search strings for the various dashboards so that they will work with my pfsense instance.

I've encountered an error on the intrusion page where it says that it could not find the eventtype. I believe that my query is good; there are just no matches. I've looked at the source but cannot figure out where the wineventlog eventtype is being referenced.

Here are some screenshots that show the error message, my modified search, the results when manually searching for it and then a different search without the criteria.

https://imgur.com/a/5YU8YX4

EDIT: I'm now seeing this warning on all pages as I browse the app more.

Modify exclude for local traffic

From previous issue:

Could you move the Local IP range to the App Settings? This is static data and only needs to be set once rather than modifying it on each dashboard.

Additionally could you allow multiple subnets to be specified in the Local IP Range. Now that IPv6 is working I would like to be able to exclude my local IPv6 Subnet in addition to my local IPv4 ones.
On top of that I actually have several subnets for my IPv4 network that I would like to exclude. Is it possible to allow multiple subnets to be specified for IPv4?
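What this request amounts to is a single app-wide setting holding a list of local prefixes, IPv4 and IPv6 alike, that every dashboard consults when deciding whether a flow is internal, inbound or outbound. The following is an added example, not code from the homemonitor project, showing how such a setting can be parsed and applied with the standard library `ipaddress` module. The prefix list, the flows and the `LOCAL_RANGES` name are constructed for illustration.

```python
"""Classify firewall flows against one shared list of local IPv4 and IPv6 prefixes."""
import ipaddress
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed app-level setting: two IPv4 subnets and one IPv6 prefix, comma separated.
LOCAL_RANGES = "192.168.1.0/24, 10.0.1.0/24, 2001:db8:abcd::/48"

# Constructed (src, dst) pairs as they would come out of parsed firewall records.
SAMPLE_FLOWS = [
    ("192.168.1.20", "198.51.100.53"),        # LAN host to an external resolver
    ("203.0.113.10", "192.168.1.20"),         # external host reaching a LAN host
    ("10.0.1.5", "192.168.1.7"),              # between two local IPv4 subnets
    ("2001:db8:abcd::10", "2001:db8:ffff::1"),  # local IPv6 host going out
    ("2001:db8:ffff::1", "2001:db8:abcd::10"),  # external IPv6 host coming in
    ("fe80::1", "not-an-ip"),                 # unparsable field must not blow up a dashboard
]


def parse_local_ranges(spec: str) -> List[Network]:
    """Comma-separated CIDRs; strict=False tolerates a host address such as 192.168.1.1/24."""
    nets: List[Network] = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_local(ip_text: str, nets: List[Network]) -> bool:
    """True if the address falls in any configured prefix of the same IP version."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False          # garbage in the field counts as not local, never as an exception
    return any(ip in net for net in nets)   # membership is False across v4/v6, so no version check needed


def classify(src: str, dst: str, nets: List[Network]) -> str:
    """internal / outbound / inbound / transit, relative to the configured local prefixes."""
    s, d = is_local(src, nets), is_local(dst, nets)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "transit"


def classify_all(flows: List[Tuple[str, str]], spec: str = LOCAL_RANGES) -> List[str]:
    nets = parse_local_ranges(spec)
    return [classify(s, d, nets) for s, d in flows]


def exclude_local(flows: List[Tuple[str, str]], spec: str = LOCAL_RANGES) -> List[Tuple[str, str]]:
    """The 'exclude local traffic' view: keep only flows that cross the local boundary."""
    nets = parse_local_ranges(spec)
    return [(s, d) for s, d in flows if classify(s, d, nets) != "internal"]


if __name__ == "__main__":
    for flow, label in zip(SAMPLE_FLOWS, classify_all(SAMPLE_FLOWS)):
        print(f"{label:<9} {flow[0]} -> {flow[1]}")
```

Parsing the setting once and passing the resulting network list to every panel is what removes the per-dashboard copy of the range that the poster objects to; adding an IPv6 prefix is then just another item in the same string.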

Error on configuring the plugin

Initial configuration fails with the following error:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/homemonitor/data/transforms/extractions/yourdevice

[screenshot 2016-04-09 22:19:34]
