amiracle / homemonitor


Uncertain what logs from router I should see #9

Closed manderso7 closed 6 years ago

manderso7 commented 7 years ago

I'm using an Asus RT-N66u w/ the Merlin firmware, and have sent my syslog data to my splunk box via udp, which looks like:

```text
Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:25 router.asus.com Feb 3 13:50:25 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29
Feb 3 13:50:18 router.asus.com Feb 3 13:50:18 dropbear[32037]: Exit (manderso): Disconnect received
Feb 3 13:50:18 router.asus.com Feb 3 13:50:18 dropbear[32037]: Exit (manderso): Disconnect received
Feb 3 13:49:32 router.asus.com Feb 3 13:49:32 dropbear[32037]: Password auth succeeded for 'manderso' from 10.0.1.96:39072
Feb 3 13:49:29 router.asus.com Feb 3 13:49:29 dropbear[32037]: Child connection from 10.0.1.96:39072
Feb 3 13:48:31 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPRELEASE(br0) 10.0.1.180 e0:31:9e:1c:b9:fd
Feb 3 13:48:30 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.180 e0:31:9e:1c:b9:fd steamlink-12FC
Feb 3 13:48:30 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.180 e0:31:9e:1c:b9:fd
Feb 3 13:48:29 router.asus.com Feb 3 13:48:29 dropbear[32032]: Exit before auth: Exited normally
```

So I don't get anything w/ a source or destination IP. Are you familiar w/ how I can edit my syslog configuration to send the appropriate logs to splunk?

sfennell commented 7 years ago

I have been using my RT-AC3200 with this over the last few months. You need to enable logging under the Firewall screen for Both. I also had to run:

```
iptables -D FORWARD -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j logaccept
```

To enable the logging of the ACCEPT packets. You can look at the following link for more information on the iptables update: https://www.snbforums.com/threads/firewall-accepted-packets-not-being-logged.36711/page-2#post-311071

In the end, I have changed over my configs and just have the RT-AC3200 as an AP and have a box setup with pfsense, sending data over to a splunk setup.
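To make the difference between the two kinds of log lines concrete, here is an added example (not part of this issue or of the homemonitor app) that parses the router syslog format posted above and reports which events actually carry a source and destination address. The DHCP and dropbear lines are copied from the post (duplicates dropped); the `kernel: ACCEPT IN=... SRC=... DST=...` line is constructed to show the shape of the netfilter LOG output that a `logaccept`/`logdrop` rule emits, and its `ACCEPT` prefix is an assumption, not something the thread shows.

```python
"""Classify Asuswrt-Merlin style syslog lines and report which ones carry
source/destination IP data that a firewall dashboard could use."""
import re
from collections import Counter

# Syslog header as the router emits it: the timestamp appears twice because the
# firmware prepends its own copy before the program name; "kernel:" has no pid.
_TS = r"[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}"
HEADER_RE = re.compile(
    rf"^(?P<ts>{_TS}) (?P<host>\S+) (?:{_TS} )?"
    rf"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
DHCP_RE = re.compile(
    r"^(?P<op>DHCP[A-Z]+)\((?P<iface>\w+)\) (?P<ip>[\d.]+) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<name>\S+))?$"
)
SSH_OK_RE = re.compile(r"^Password auth succeeded for '(?P<user>[^']+)' from (?P<ip>[\d.]+):(?P<port>\d+)$")
SSH_CONN_RE = re.compile(r"^Child connection from (?P<ip>[\d.]+):(?P<port>\d+)$")
NF_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # netfilter LOG KEY=VALUE fields


def parse_line(line):
    """Return a dict describing one syslog line, or None if the header is unrecognised."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    prog, msg = m["prog"], m["msg"]
    ev = {"host": m["host"], "prog": prog, "type": "other", "src": None, "dst": None}
    if prog == "dnsmasq-dhcp":
        d = DHCP_RE.match(msg)
        if d:  # lease events: client IP and MAC, but no traffic src/dst
            ev.update(type="dhcp_" + d["op"][4:].lower(), client_ip=d["ip"],
                      mac=d["mac"], hostname=d["name"])
    elif prog == "dropbear":
        s = SSH_OK_RE.match(msg)
        c = SSH_CONN_RE.match(msg)
        if s:  # SSH login to the router itself: src only, dst is the router
            ev.update(type="ssh_auth_success", src=s["ip"], user=s["user"])
        elif c:
            ev.update(type="ssh_connect", src=c["ip"])
    elif prog == "kernel" and "SRC=" in msg and "DST=" in msg:
        kv = dict(NF_KV_RE.findall(msg))  # standard netfilter LOG key=value pairs
        ev.update(type="firewall", verdict=msg.split()[0], src=kv.get("SRC"),
                  dst=kv.get("DST"), proto=kv.get("PROTO"), dport=kv.get("DPT"))
    return ev


def summarize(lines):
    """Count event types and return the events that carry both a src and a dst address."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    counts = Counter(e["type"] for e in events)
    with_flow = [e for e in events if e["src"] and e["dst"]]
    return counts, with_flow


# Lines from the post above, duplicates dropped.
ROUTER_LINES = [
    "Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 14:00:35 router.asus.com Feb 3 14:00:35 dnsmasq-dhcp[11489]: DHCPREQUEST(br0) 10.0.1.142 e8:ab:fa:57:26:29",
    "Feb 3 13:50:18 router.asus.com Feb 3 13:50:18 dropbear[32037]: Exit (manderso): Disconnect received",
    "Feb 3 13:49:32 router.asus.com Feb 3 13:49:32 dropbear[32037]: Password auth succeeded for 'manderso' from 10.0.1.96:39072",
    "Feb 3 13:49:29 router.asus.com Feb 3 13:49:29 dropbear[32037]: Child connection from 10.0.1.96:39072",
    "Feb 3 13:48:31 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPRELEASE(br0) 10.0.1.180 e0:31:9e:1c:b9:fd",
    "Feb 3 13:48:30 router.asus.com Feb 3 13:48:30 dnsmasq-dhcp[11489]: DHCPACK(br0) 10.0.1.180 e0:31:9e:1c:b9:fd steamlink-12FC",
]
# Constructed: what a netfilter LOG line from a logaccept rule looks like once the
# firewall logging is enabled (the "ACCEPT" log prefix is assumed; 192.0.2.10 is a
# documentation address).
FIREWALL_LINE = ("Feb 3 14:01:02 router.asus.com Feb 3 14:01:02 kernel: ACCEPT IN=br0 OUT=eth0 "
                 "SRC=10.0.1.142 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF "
                 "PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0")

if __name__ == "__main__":
    for sample in (ROUTER_LINES, ROUTER_LINES + [FIREWALL_LINE]):
        counts, flows = summarize(sample)
        print(dict(counts), "events with src+dst:", len(flows))
```

Run against only the posted lines, `summarize` finds DHCP lease and SSH login events but zero events with both a source and a destination, which is exactly why a dashboard built on firewall traffic stays empty; once a `kernel:` LOG line is present, the `SRC`/`DST`/`PROTO`/`DPT` fields are there to be extracted.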

amiracle commented 6 years ago

Your router is only sending the dhcp requests, so it’s not sending firewall data. I would recommend adding a firewall (pfsense) to get the data you are looking for.