icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading TA-Tomato (DD-WRT compatible)
SHA256 checksum (ta-tomato-dd-wrt-compatible_100.tgz) 210843454f9f9184dbc50a19948fb7af80fef9c6f37fb71f288b65e61a055d28 SHA256 checksum (ta-tomato-dd-wrt-compatible_0993.tgz) b5c79960650b18dddd2a8e1c2268a67888017f46b34780be924b4388e6122d0f
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


TA-Tomato (DD-WRT compatible)

This app is NOT supported by Splunk. Please read about what that means for you here.
This app allows insight into open consumer routers such as Tomato, DD-WRT, OpenWRT, and other systems running iptables, dnsmasq, openvpn, and other common *nix network services.
** Initial onboarding sourcetype has been updated in this release. Please ensure you update your inputs accordingly to ensure you are using the latest extractions and ensure the best compatibility

This app separates basic syslog data into new sourcetypes based on the Process name, you can leverage many of the settings in my app for many common *nix services: adblock, cupsd, dropbear, dnscrypt, dnsmasq, dnsmasq-dhcp, hotplug, httpd, netfilter, ntpc, openvpn, preinit, Tor, udhcpc, vsftp

*Confirmed working with Tomato, DD-WRT, and Advanced Tomato*


v 1.0.0


Dan Potter

@dpotter on slack

This app was built for analyzing data from open firmware and open firmware compatible routers, such as Tomato, dd-wrt, Open-WRT, Merlin, Asus, Advanced Tomato, Tomato USB, etc.
The DNS component is also 100% compatible with piHole and other dnsmasq based logs for DHCP/dns.

No support is assumed or provided beyond this README. Please be sure to set the correct onboard sourcetype (tomato) and see other instructions below and consult documentation on your device and firmware if you experience trouble getting the logs.

Due to the vast number of devices, firmware builds, firmware maintainers, and other variables, this app may need tweaking to support your device. I've tried to develop this to be as moduler as possible, with my current skillset in developing apps. I have tested this on 3 modern firmwares, Tomato, Advanced Tomato, and 3 different builds of DD-wrt and to my knowledge have those mostly supported for everything currently available in the Dashboard. However there are plenty of features you may be using which are not currentlyl developed any further than basic extractions. You have new sourcetype work completed or dashboards to contribute please reach out on Slack. Suggestions or improvements are also welcome.

***Please onboard your data as sourcetype=tomato. This will sub-sourcetype to various components with their own logic for extractions, event types, dashboards, etc.

**Previous versions of this app required you to onboard data as sourcetype=syslog1 and references to this have been removed. If you do not update your input sourcetype other components may break

This app also assumes your data will exist in index=tomato. If it does not, you will need to update 2 variables.
Settings > macros > tomato_index (index=tomato)
Settings > eventtypes > tomato (index=tomato)

Finally, some of the dashboards were built against datamodels. You must have SA-CIM installed to leverage those dashboards, which use the Network Traffic, Data Model for your netfilter firewall data.

Enable Syslog

The exact process will differ from device to device.

Advanced Tomato > Administration > Logging > Host or IP/Port

DD-wrt > Services > System Log > Syslogd > Remote Server > IPAddress:Port

Enable firewall traffic logs (Network Traffic)

Warning high log levels can cause memory issues with older or less capable devices. Settings below are for highest visibility.

Apply accordingly.

Some dd-wrt builds also require you to enable

Logging > Connection Logging > Inbound (Both), Outbound (Both)

Security > Firewall > Log Management > Enable > Log Level (High) / Dropped (Enabled), Rejected (Enabled), Accepted (Enabled)

Network Resolution (DNS) / Network Sessions (DHCP) Logging - Requires the use of dnsmasq

Add the following to your advanced dnsmasq config. This will allow us to build CIM compliant DNS information


To ensure all dns queries pass through your router, you should also enable the following settings:

Use Internal DNS, Use received DNS with user-entered DNS, Intercept DNS port

You may need to enable additional logging options for other system components

Release Notes

Version 1.0.0
Aug. 13, 2018

Major rewrite and expansion of multiple areas. Please update your inputs to onboard the data as sourcetype=tomato to ensure the best compatibility and see README.txt for more details.

Version 0.99.3
May 22, 2017

General improvements with parsing, efficiency, dashboard panels. Additional extractions and aliases.

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.