To use this TA with Enterprise Security some configuration is required. Data model acceleration at scale requires that the deployment assigns data to indexes by its cardinality. Because Splunk assigns the sourcetype per input, there are two ways of achieving this split: one is a transforms.conf used in conjunction with a props.conf, the other is an intermediate such as a syslog server that splits the feed into separate files. A universal forwarder (UF) can then assign a sourcetype per input.
Whichever method you choose (even undocumented ones), make sure the input is assigned the ubnt sourcetype!
```
[udp://8514]
connection_host = ip
sourcetype = ubnt
index = ubnt
```
All transforms look for this sourcetype; the TA will not work as expected if you name the sourcetype differently.
If you want to use this add-on on a single instance with full CIM compatibility, follow these steps:
Download transforms.conf-single and rename to transforms.conf. https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/transforms.conf-single.conf
Download props.conf-single and rename to props.conf. https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/props.conf-single
transforms.conf holds the configuration that rewrites the sourcetype based on a pattern match and routes the events to the correct index; props.conf binds those transforms to the ubnt sourcetype. Place both transforms.conf and props.conf in the ta-ubiquiti/local directory.
Download ubnt_indexes.spl and install it on your indexers. https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/org_all_indexes.spl
Note: this contains a standard set of indexes following the Splunk best practice for CIM: OS logs are separated from network logs, and security logs from application logs. The idea is to separate them for performance reasons, but also for isolation: you may want to expose the application or system logs to people who should not see security logs. Putting them in separate indexes (and granting roles access per index) prevents that.
Restart Splunk.
In the UI navigate to Settings -> Data Inputs, add a new UDP input, enter the port you want to receive the data on, and select the ubnt sourcetype (a specific one such as ubnt:fw only makes sense if that input already carries a single pre-split feed, see above). Change the other settings to your liking with the exception of the index. Or create inputs.conf manually:
```
[udp://8514]
connection_host = ip
sourcetype = ubnt
index = ubnt
```
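As an added example (not the TA's shipped transforms.conf-single and props.conf-single, whose exact contents are not reproduced here), the pair below shows the shape of the index-time rewrite the steps above rely on: every event arrives as sourcetype ubnt, a regex picks out the log family, one transform rewrites the sourcetype and a second routes the event to an index. The regexes and the index names ubnt_fw and ubnt_dhcp are assumptions for illustration; check them against your own USG events and against the indexes you actually created before use.

```ini
# props.conf  (added example; place in ta-ubiquiti/local)
# Everything arrives as sourcetype ubnt, so all routing hangs off this stanza.
# Index-time transforms fire on the first full Splunk instance in the path
# (heavy forwarder or indexer), never on a universal forwarder.
[ubnt]
TRANSFORMS-ubnt_sourcetype = ubnt_st_fw, ubnt_st_dhcp
TRANSFORMS-ubnt_index      = ubnt_idx_fw, ubnt_idx_dhcp

# transforms.conf  (added example; place in ta-ubiquiti/local)
# Assumed pattern: USG firewall hits carry a rule tag such as "[WAN_LOCAL-D-2000]".
[ubnt_st_fw]
REGEX    = \[[A-Z0-9_]+-[A-Z]-\d+\]
FORMAT   = sourcetype::ubnt:fw
DEST_KEY = MetaData:Sourcetype

[ubnt_idx_fw]
REGEX    = \[[A-Z0-9_]+-[A-Z]-\d+\]
FORMAT   = ubnt_fw
DEST_KEY = _MetaData:Index

# Assumed pattern: USG DHCP events are emitted by dnsmasq-dhcp.
[ubnt_st_dhcp]
REGEX    = dnsmasq-dhcp\[\d+\]:\s+DHCP(DISCOVER|OFFER|REQUEST|ACK|NAK|RELEASE)
FORMAT   = sourcetype::ubnt:dhcp
DEST_KEY = MetaData:Sourcetype

[ubnt_idx_dhcp]
REGEX    = dnsmasq-dhcp\[\d+\]:\s+DHCP(DISCOVER|OFFER|REQUEST|ACK|NAK|RELEASE)
FORMAT   = ubnt_dhcp
DEST_KEY = _MetaData:Index
```

Two things to check after a restart. First, the target indexes must exist on the indexers: an event routed to an index that does not exist is dropped unless a last-chance index is configured, so install the indexes app before enabling the routing. Second, anything that matches none of the patterns keeps sourcetype ubnt and lands in the ubnt index, so `index=ubnt sourcetype=ubnt` is a quick way to find log families the transforms do not yet recognise.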
The current release knows the following sourcetypes:
This sourcetype is produced by the USG. Enable debug logging in your controller: it makes the logs a lot richer, and the DHCP data model is only populated when debug logging is enabled.
This adds field extractions for the EdgeSwitches Ubiquiti produces, mainly port status.
One of my favourite sourcetypes: CIM-compliant firewall logs.
I am not quite sure what produces these logs. This is on the list of things to discover.
I am not quite sure what produces these logs. This is on the list of things to discover.
This is only sent to syslog if you have debug logging enabled. It contains the results of the link speed test, including the latency to the test server and which test server was chosen.
I am not quite sure what produces these logs. This is on the list of things to discover.
The logs of the IPS functionality live here. This implementation of Suricata is still in BETA and currently of very limited use, as it only says that it blocked something. If you have figured out how to get more out of it on the USG, please let me know. I have requested an improvement for the feature here; if you want it as well, please +1 it.
If you have ES in your Splunk environment, here is a little something I cooked up to populate the ES asset list. Again, you need debug logging enabled for this to work!
Using the lookup editor, I created a CSV called owner_list.csv with the following fields:
```
category,is_expected,nt_host,owner,requires_av,should_timesync,should_update
```
This is entirely optional; I like all those fields to be populated, and I add values by hand from time to time, especially for my home-automation (domotica) devices.
```
index=* sourcetype="ubnt:dhcp" src_mac="*" src_ip="*"
| dedup src_ip
| rename src_ip AS ip, src_mac AS mac, src_nt_host AS nt_host
| eval dns = nt_host
| eval priority = "normal"
| eval lat = "your-lat"
| eval long = "your-lon"
| lookup owner_list.csv nt_host OUTPUTNEW owner, category, requires_av, should_timesync, should_update, is_expected
| eval is_expected = coalesce(is_expected, "true")
| eval city = "your-city"
| eval country = "your-country"
| eval bunit = "none"
| eval pci_domain = "N/A"
| table ip mac nt_host dns owner priority lat long city country bunit category pci_domain is_expected should_timesync should_update requires_av
| outputlookup assets_ubiquiti.csv
```
Replace the your-lat, your-lon, your-city and your-country placeholders (unquoted, `your-lat` would be parsed as the subtraction of two fields), and narrow `index=*` to the index the DHCP events actually land in. The default for is_expected is applied after the lookup with coalesce, so a value from owner_list.csv wins and hosts not in the CSV fall back to "true". The resulting assets_ubiquiti.csv still has to be registered as an asset source in ES (Asset and Identity Management) before it shows up in asset enrichment.
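The search above only refreshes the asset list when someone runs it, and ES needs a lookup definition to reference. As an added example (not part of the TA), the stanzas below schedule it hourly and define the lookup; the stanza names and the cron schedule are assumptions, and the placeholders are the same ones as in the search.

```ini
# savedsearches.conf  (added example; stanza name assumed)
# Runs hourly over the last day of DHCP events and rewrites the asset CSV.
# Narrow index=* to the index your ubnt:dhcp events really live in.
[ubnt_assets_from_dhcp]
enableSched            = 1
cron_schedule          = 0 * * * *
dispatch.earliest_time = -24h
dispatch.latest_time   = now
search = index=* sourcetype="ubnt:dhcp" src_mac="*" src_ip="*" \
| dedup src_ip \
| rename src_ip AS ip, src_mac AS mac, src_nt_host AS nt_host \
| eval dns = nt_host, priority = "normal", lat = "your-lat", long = "your-lon" \
| lookup owner_list.csv nt_host OUTPUTNEW owner, category, requires_av, should_timesync, should_update, is_expected \
| eval is_expected = coalesce(is_expected, "true"), city = "your-city", country = "your-country", bunit = "none", pci_domain = "N/A" \
| table ip mac nt_host dns owner priority lat long city country bunit category pci_domain is_expected should_timesync should_update requires_av \
| outputlookup assets_ubiquiti.csv

# transforms.conf  (added example) - lookup definition ES can point at as an asset source
[assets_ubiquiti]
filename = assets_ubiquiti.csv
```

Give the saved search and the lookup definition global sharing (or at least share them with the ES app), otherwise the ES asset merge cannot read the file.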