Installing and configuring Ubiquiti add-on for Splunk

To use this TA with Enterprise Security some configuration is required. Data model acceleration at scale requires that the deployment assigns data to indexes by its cardinality. Because the sourcetype is assigned per input in Splunk, there are two ways of achieving this split: one is using transforms.conf in conjunction with a props.conf, the other is having an intermediate such as a syslog server do the splitting into files, so that a UF can assign the sourcetype per input.

Whichever method you choose (even undocumented ones), make sure the input is assigned the ubnt sourcetype!

    [udp://8514]
    connection_host = ip
    sourcetype = ubnt
    index = ubnt

All transforms look for this sourcetype; the TA won't work as expected if you name the sourcetype differently.

Method 1:

If you want to use this add-on on a single instance with full CIM compatibility, follow these steps:

Download transforms.conf-single and rename to transforms.conf. https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/transforms.conf-single.conf

Download props.conf-single and rename to props.conf. https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/props.conf-single

Together these files hold the configuration which rewrites the sourcetype based on a pattern match and routes the events to the correct index. Place transforms.conf in the ta-ubiquiti/local directory. Place props.conf in the ta-ubiquiti/local directory.

Download the ubnt_indexes.spl and install this on your indexers. https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/org_all_indexes.spl

Note: this contains a standard set of indexes following the Splunk best practice for CIM; you will notice that it separates OS logs from network logs and security logs from application logs. The idea is to separate them for performance reasons, but also for isolation: you may want to expose the application or system logs to people who should not be able to view security logs. Putting them in separate indexes prevents that.

Restart Splunk.

In the UI navigate to Settings -> Data Inputs and add a new UDP input. Enter the port on which you would like to receive the data and select a ubnt sourcetype (e.g. ubnt:fw); change the other settings to your liking, with the exception of the index. Alternatively, create inputs.conf manually:

    [udp://8514]
    connection_host = ip
    sourcetype = ubnt
    index = ubnt
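As an added illustration of what the downloaded props.conf and transforms.conf do (example configuration written for this page, not the add-on's own files): props.conf attaches index-time transforms to the ubnt sourcetype, and each transform matches a pattern in the raw event to either rewrite the sourcetype or set the destination index. The regexes and the index names ubnt_fw and ubnt_app are constructed placeholders; take the real patterns from your own events and the real index names from ubnt_indexes.spl.

```ini
# props.conf (ta-ubiquiti/local) -- applied to events that arrive with sourcetype=ubnt
[ubnt]
# Transforms run in the order listed: classify the sourcetype first, then route the index.
TRANSFORMS-ubnt_split = ubnt_st_fw, ubnt_st_app, ubnt_idx_fw, ubnt_idx_app

# transforms.conf (ta-ubiquiti/local)
# REGEX values are constructed placeholders, not the add-on's real patterns.
# Firewall events: kernel messages carrying an EdgeOS-style [RULESET-RULE-ACTION] tag.
[ubnt_st_fw]
REGEX = kernel:\s*\[[A-Za-z0-9_]+-(?:\d+|default)-[AD]\]
FORMAT = sourcetype::ubnt:fw
DEST_KEY = MetaData:Sourcetype

# Application events: daemons that log with a pid in the syslog tag.
[ubnt_st_app]
REGEX = \b(?:dnsmasq|dhcpd|hostapd)\[\d+\]:
FORMAT = sourcetype::ubnt:app
DEST_KEY = MetaData:Sourcetype

# Index routing: for _MetaData:Index FORMAT is the bare index name (no prefix).
# ubnt_fw and ubnt_app are illustrative; the index must exist on the indexers or
# the event is sent to the lastChanceIndex / dropped depending on indexer settings.
[ubnt_idx_fw]
REGEX = kernel:\s*\[[A-Za-z0-9_]+-(?:\d+|default)-[AD]\]
FORMAT = ubnt_fw
DEST_KEY = _MetaData:Index

[ubnt_idx_app]
REGEX = \b(?:dnsmasq|dhcpd|hostapd)\[\d+\]:
FORMAT = ubnt_app
DEST_KEY = _MetaData:Index
```

Index-time transforms are applied on the first full Splunk instance the data reaches (indexer or heavy forwarder), not on a universal forwarder, and events that match no pattern keep sourcetype ubnt and stay in the input's index, so nothing is silently dropped. Verify the merged configuration with `splunk btool transforms list --debug` before restarting.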

Method 2:

For a deployment with a syslog server the recommendation is to use a Universal Forwarder on your rsyslog or syslog-ng server. Have the syslog server write a file per sourcetype and have the UF assign the sourcetype to the specific logs. More information will follow.

Method 2 uses a syslog server in conjunction with a Splunk Universal Forwarder to handle log collection and sourcetype assignment. The steps are:

  1. Syslog Server Configuration:

    • Set up your rsyslog or syslog-ng server if you haven't already.
    • Configure your syslog server to split incoming logs by source, type, or another relevant criterion. This can usually be accomplished using templates in rsyslog or filters in syslog-ng.
    • Write each log type to a specific file. For instance:
      • /var/log/ubnt/fw.log for firewall logs
      • /var/log/ubnt/app.log for application logs
      • ... and so on.
  2. Install Splunk Universal Forwarder (UF):

    • If not already installed, download and install the Splunk Universal Forwarder on your syslog server.
    • Ensure UF is running with the appropriate permissions to read the log files generated by the syslog server.
  3. Configure Splunk Universal Forwarder:

    • Navigate to the $SPLUNK_HOME/etc/system/local/ directory on the machine where UF is installed.
    • Create or modify the inputs.conf file with configurations to monitor the specific files and assign sourcetypes:
      [monitor:///var/log/ubnt/fw.log]
      disabled = false
      sourcetype = ubnt:fw
      index = ubnt
      
      [monitor:///var/log/ubnt/app.log]
      disabled = false
      sourcetype = ubnt:app
      index = ubnt
      
      ... (add more stanzas for additional log types)
  4. Distribute the TA-Ubiquiti to the Forwarder:

    • Make sure you've downloaded the required configurations (transforms.conf, props.conf, etc.) from the ta-ubiquiti-support GitHub repository.
    • Place the TA-Ubiquiti configurations in $SPLUNK_HOME/etc/apps/ta-ubiquiti/local/ on the Universal Forwarder.
  5. Forward Logs to Splunk:

    • If you haven't already, configure the outputs.conf file on the Universal Forwarder to forward data to your Splunk indexer or indexer cluster:
      [tcpout]
      defaultGroup = my_indexers
      
      [tcpout:my_indexers]
      server = indexer1:9997,indexer2:9997,...
    • Replace indexer1, indexer2, etc., with the hostname or IP address of your Splunk indexers.
  6. Restart Splunk Universal Forwarder: After making all the necessary configurations, restart the Splunk Universal Forwarder for the changes to take effect:

    $SPLUNK_HOME/bin/splunk restart
  7. Verification:

    • Check the Splunk UI to verify that the logs are being ingested with the appropriate sourcetypes.
    • Monitor the Splunk UF logs for any errors or warnings. Address any issues as needed.

Remember, this setup allows you to handle large amounts of syslog data effectively, segregating the data at the syslog level, and assigning the correct Splunk sourcetypes using the Universal Forwarder.
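An added example (not part of this repository) of the rsyslog side of step 1 above: a dedicated ruleset bound to a UDP listener writes EdgeOS kernel (firewall) messages to /var/log/ubnt/fw.log and everything else to /var/log/ubnt/app.log, with ownership and mode set so the forwarder user can read the files without the logs becoming world-readable. The port, the owner splunk, and the assumption that firewall events arrive with program name kernel are placeholders to adjust for your environment.

```conf
# /etc/rsyslog.d/30-ubnt.conf -- added example, not shipped with the add-on.
module(load="imudp")
# Bind the listener to its own ruleset so device logs never fall through to the default rules.
input(type="imudp" port="514" ruleset="ubnt")

# Traditional single-line format; Splunk handles timestamp and host extraction itself.
template(name="UbntFmt" type="string"
         string="%TIMESTAMP% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

ruleset(name="ubnt") {
    # Assumption: EdgeOS firewall logging uses the kernel facility; everything else is application.
    if ($programname == "kernel") then {
        action(type="omfile" file="/var/log/ubnt/fw.log" template="UbntFmt"
               fileOwner="splunk" fileGroup="splunk" fileCreateMode="0640")
    } else {
        action(type="omfile" file="/var/log/ubnt/app.log" template="UbntFmt"
               fileOwner="splunk" fileGroup="splunk" fileCreateMode="0640")
    }
    # Do not let these messages continue into /var/log/syslog and get indexed twice.
    stop
}
```

The two file paths match the monitor stanzas in step 3, so the UF assigns ubnt:fw and ubnt:app without any index-time transforms; check the result with `rsyslogd -N1` before restarting rsyslog.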