More info here:
https://github.com/fwijnholds/ta-ubiquiti-support/wiki/Ubiquiti-Support
To get this TA working in your home environment, just create a UDP input and make sure the sourcetype is called ubnt. The TA will do the rest out of the box. If you want to do more advanced things, keep reading:
To use this TA with Enterprise Security some configuration is required. Datamodel acceleration at scale requires that data is assigned to indexes by its cardinality. As the sourcetype is assigned per input in Splunk, there are two ways of achieving this split. One is using transforms.conf in conjunction with props.conf; the other is having an intermediate such as a syslog server split the data into files, since a UF can assign the sourcetype per input.
If you want to use this add-on on a single instance with full CIM compatibility, follow these steps:
Download transforms.conf-single and rename it to transforms.conf.
https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/transforms.conf-single.conf
This file holds the configuration which rewrites the sourcetype based on a pattern match and routes the traffic to the correct index.
Download props.conf-single and rename it to props.conf. https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/props.conf-single
This file binds those transforms to the incoming sourcetype so that the pattern match and index routing are applied. Place transforms.conf and props.conf in the ta-ubiquiti/local directory.
Download and install org_all_indexes.spl.
https://github.com/fwijnholds/ta-ubiquiti-support/blob/master/org_all_indexes.spl
Note: this contains a standard set of indexes following the Splunk best practice for CIM. You will note that it separates OS logs from network logs and security logs from application logs. The idea is to separate them for performance reasons, but also for isolation: you may want to expose the application or system logs to people who should not be able to view security logs. Putting them in separate indexes prevents that.
Restart Splunk.
In the UI navigate to Settings -> Data Inputs.
Add a new input for UDP.
Enter the port on which you would like to receive the data.
Select any ubqt sourcetype, e.g. ubqt:fw, and change the settings to your liking with the exception of the index. Or manually create inputs.conf:
[udp://8514]
connection_host = ip
sourcetype = ubnt
index = ubqt
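As an added illustration of the mechanism the steps above rely on (this is not the project's own transforms.conf-single or props.conf-single, whose contents are not reproduced here), the following props.conf/transforms.conf pair overrides the sourcetype from a regex on the raw event and then routes the event to a dedicated index. The regexes and the ubnt:fw/ubnt:dhcp sourcetype names are assumptions for illustration; use the linked files in a real deployment.

```ini
# transforms.conf  (assumed example, placed in ta-ubiquiti/local)
# Splunk evaluates these at parse time on an indexer or heavy forwarder,
# not on a Universal Forwarder, so the UDP input must land on a parsing tier.

# 1. Override the sourcetype for firewall lines. The regex is an assumption:
#    it keys on the IN=/OUT=/MAC= fields of a netfilter-style firewall log;
#    adjust it to the format your firmware actually emits.
[ubnt_set_sourcetype_fw]
REGEX = \bIN=\S*\s+OUT=\S*\s+MAC=
FORMAT = sourcetype::ubnt:fw
DEST_KEY = MetaData:Sourcetype

# 2. Route the same events away from the catch-all ubqt index into netfw,
#    which is what the CIM data models and index-based access control need.
[ubnt_route_fw_index]
REGEX = \bIN=\S*\s+OUT=\S*\s+MAC=
FORMAT = netfw
DEST_KEY = _MetaData:Index

# 3. Same pattern for DHCP leases logged by dnsmasq (regex again an assumption).
[ubnt_set_sourcetype_dhcp]
REGEX = dnsmasq-dhcp\[\d+\]:\s+DHCP(?:ACK|REQUEST|OFFER|DISCOVER)
FORMAT = sourcetype::ubnt:dhcp
DEST_KEY = MetaData:Sourcetype

[ubnt_route_dhcp_index]
REGEX = dnsmasq-dhcp\[\d+\]:\s+DHCP(?:ACK|REQUEST|OFFER|DISCOVER)
FORMAT = netdhcp
DEST_KEY = _MetaData:Index

# props.conf  (assumed example, same directory)
# Bind the transforms to the sourcetype the UDP input assigns (ubnt). They
# run in the listed order; an event matching no regex stays ubnt in ubqt.
[ubnt]
TRANSFORMS-ubnt_routing = ubnt_set_sourcetype_fw, ubnt_route_fw_index, ubnt_set_sourcetype_dhcp, ubnt_route_dhcp_index
```

Because the sourcetype override happens at index time, the rewritten sourcetype is what searches, the CIM data models and role-based index restrictions see; the original ubnt value is not retained on the event.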
For deployment with a syslog server the recommendation is to use a Universal Forwarder on your rsyslog or syslog-ng server. Have the syslog server write a file per sourcetype and have the UF assign the sourcetype to the specific logs. More information will follow.
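An added example of the syslog-server deployment just described (not from the project): inputs.conf on the Universal Forwarder monitoring one file per log type that rsyslog or syslog-ng has already split out. The file paths and sourcetype names are assumptions.

```ini
# inputs.conf on the Universal Forwarder (assumed example; paths and
# sourcetype names are illustrative). Because the syslog server already
# wrote one file per log type, the UF sets sourcetype and index at input
# time and no props/transforms rewriting is needed on the indexers.
[monitor:///var/log/ubnt/firewall.log]
sourcetype = ubnt:fw
index = netfw
disabled = false

[monitor:///var/log/ubnt/dhcp.log]
sourcetype = ubnt:dhcp
index = netdhcp
disabled = false

# Everything else from the controller and access points stays in the
# catch-all index, where the TA's own props for ubnt still apply at search time.
[monitor:///var/log/ubnt/other.log]
sourcetype = ubnt
index = ubqt
disabled = false
```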
Check the latest updates: https://github.com/fwijnholds/ta-ubiquiti-support
Added support for jQuery 3.5 and fixed a couple of Field Extraction issues for more CIM compliance.
This release adds support for the Dream Machine. With special thanks to Michael Nobles!
The firewall and DHCP logs coming from the Dream Machine have a different format. This release fixes that.
This release also has support for the new dnsmasq logs that have appeared after the 6.0 firmware release.
Added support for field extractions for connecting and reconnecting clients with the help of Nathan T.
Added support for Edge switches with the help of John W.
Fixed some issues with extractions.
Added sourcetype and extractions for linkspeed checks.
Fixed FW rule extraction.
Sourcetype renamed from everything ubqt to ubnt.
Bug fixes in sourcetype matches.
In the latest firmware releases of the cloud controller and USG the MAC= field now contains both the source and destination MAC. You might want to check your deployment before updating.
Updated MAC field extractions.
Renamed fw_rule to rule as this is CIM compliant.
TA is now set to visible.
VERSION: 1.1.15
Enabled the transforms for IPS.
VERSION: 1.1.14
Found major issues with the transforms concerning sourcetypes and index during a clean install; these should be fixed in this release.
VERSION: 1.1.13
Sourcetype fixes.
Added support for the BETA IPS functionality.
Normalized MAC address reporting for hostapd.
Improved hostapd extractions
Improved hostapd sourcetyping and added field extractions.
Special thanks to Corey Falo at Ubiquiti for his support, and Paul Jeffery at Splunk for his input!
For any questions or contributions please contact me @ goose@splunk.com
VERSION: 1.1.12
Special thanks to Corey Falo at Ubiquiti for his support, and Paul Jeffery at Splunk for his input!
For any questions or contributions please contact me @ goose@splunk.com
This is the first release of the TA for Ubiquiti. It was developed for an environment with a CloudKey, USG and Pro AP. This release supports field extractions for the Firewall and DHCP facilities. It requires 3 indexes: UBQT, netdhcp and netfw. The net* indexes are there for CIM compliance.