Netfilter Iptables for Splunk Documentation

Similar documents
Date: 17-Feb :38

Centrify for Splunk Integration Guide

Splunk & Git. The joys and pitfalls of managing your Splunk deployment with Git. Copyright 2018

Splunk & Git. Managing Splunk deployments with Git and KSCONF. Copyright 2018

Data Onboarding. Where Do I begin? Luke Netto Senior Professional Services Splunk. September 26, 2017 Washington, DC

Linux Systems Security. Firewalls and Filters NETS1028 Fall 2016

Cisco PCP-PNR Port Usage Information

Enable Auditing in Open LDAP on Linux Server

Carbon Black QRadar App User Guide

Centrify Identity Services Platform SIEM Integration Guide

Singularity CRI User Documentation

DomainTools for Splunk

Installing SmartSense on HDP

TA-nmon Documentation

GVP Deployment Guide. Maintaining GVP

vcenter Server Installation and Setup Update 1 Modified on 30 OCT 2018 VMware vsphere 6.7 vcenter Server 6.7

iptables and ip6tables An introduction to LINUX firewall

VARONIS APP FOR SPLUNK. User Guide

Linux Firewalls. Frank Kuse, AfNOG / 30

python-iptables Documentation

Search Head Clustering Basics To Best Practices

Offloading NDO2DB To Remote Server

NetFlow Optimizer. Overview. Version (Build ) May 2017

Administration Dashboard Installation Guide SQream Technologies

vcenter Server Installation and Setup Modified on 11 MAY 2018 VMware vsphere 6.7 vcenter Server 6.7

Contents. Introduction

Centralized Log Hosting Manual for User

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware vrealize Log Insight Getting Started Guide

Guides SDL Server Documentation Document current as of 04/06/ :35 PM.

Log Analysis with. Presenter: Nathan Hunstad May 2015

Guides SDL Server Documentation Document current as of 05/24/ :13 PM.

KV Store: Hammer Time

There are separate firewall daemons for for IPv4 and IPv6 and hence there are separate commands which are provided below.

Communication protocols and services

PXC loves firewalls (and System Admins loves iptables) Written by Marco Tusa Monday, 18 June :00 - Last Updated Wednesday, 18 July :25

Dell EMC ME4 Series vsphere Client Plug-in

NetFlow Analytics for Splunk

Splunk Review. 1. Introduction

System Specification

McAfee Security Management Center

ESS Linux Sys Admin - Guide to running ESS from the AWS AMI

How-to Guide: Tenable Applications for Splunk. Last Revised: August 21, 2018

IN: US:

Cisco Unified CM Disaster Recovery System

Table of Contents. Table of Contents Pivotal Greenplum Command Center Release Notes. Copyright Pivotal Software Inc,

Release Notes for Snare Server v6 Release Notes for Snare Server v6

This material is based on work supported by the National Science Foundation under Grant No

VIRTUAL GPU LICENSE SERVER VERSION AND 5.1.0

About the Tutorial. Audience. Prerequisites. Copyright & Disclaimer. Gerrit

OPENSTACK CLOUD RUNNING IN A VIRTUAL MACHINE. In Preferences, add 3 Host-only Ethernet Adapters with the following IP Addresses:

Pulp Python Support Documentation

UNIVERSITY OF BOLTON SCHOOL OF CREATIVE TECHNOLOGIES COMPUTER NETWORKS AND SECURITY SEMESTER TWO EXAMINATIONS 2017/2018 NETWORK SECURITY

LENS Server Maintenance Guide JZ 2017/07/28

vsphere Upgrade Update 1 Modified on 4 OCT 2017 VMware vsphere 6.5 VMware ESXi 6.5 vcenter Server 6.5

BIG-IP Secure Web Gateway and Splunk templates Summary

Table of Contents About Ignotus AD Installer software... 2 Requirements for the Server Service... 2 Requirements for the Client Service...

Container System Overview

Bitnami Re:dash for Huawei Enterprise Cloud

NetApp Element Plug-in for vcenter Server User Guide

SUB1X Masternode Setup Guide: LINUX Version

Getting Started. 05-SEPT-2017 vrealize Log Insight 4.5

Backup the System. Backup Overview. Backup Prerequisites

Integrating Splunk with native Windows Event Collection (WEC) and Optional 2-Stage Noise Filtering

perfsonar: A Look Ahead Andrew Lake, ESnet Mark Feit, Internet2 October 16, 2017

F5 DDoS Hybrid Defender : Setup. Version

Disaster Recovery System

Getting Started. Update 1 Modified on 03 SEP 2017 vrealize Log Insight 4.0

gosint Documentation Release Cisco CSIRT

NVIDIA COLLECTIVE COMMUNICATION LIBRARY (NCCL)

Getting Started. April 12, 2018 vrealize Log Insight 4.6

DBNsim. Giorgio Giuffrè. 0 Abstract How to run it on your machine How to contribute... 2

Git & Github Fundamental by Rajesh Kumar.

Table of Contents 1.1. Install, Deploy, Maintain Infrastructure Installation Download. Deploy the Appliance

Verteego VDS Documentation

GIT. A free and open source distributed version control system. User Guide. January, Department of Computer Science and Engineering

vsphere Upgrade Update 2 Modified on 4 OCT 2017 VMware vsphere 6.0 VMware ESXi 6.0 vcenter Server 6.0

Linux Administration

Configuring High-Availability DNS Servers

2016 OPSWAT, Inc. All rights reserved. OPSWAT, MetadefenderTM and the OPSWAT logo are trademarks of OPSWAT, Inc.All other trademarks, trade names,

Avaya_ Number: 3308 Passing Score: 800 Time Limit: 120 min File Version: 4.0

IBM BigFix Version 9.5. WebUI Administrators Guide IBM

Okta Identity Cloud Addon for Splunk

Configure and enable syslog streaming for every Barracuda NextGen Firewall F-Series you want to include in the Splunk App.

open-helpdesk Documentation

Setting up a Chaincoin Masternode

PERTINO SETUP & USER MANUAL

Archan. Release 2.0.1

Getting Started. vrealize Log Insight 4.3 EN

Test - Accredited Configuration Engineer (ACE) Exam - PAN-OS 6.0 Version

User Guide. Kronodoc Kronodoc Oy. Intelligent methods for process improvement and project execution

doconv Documentation Release Jacob Mourelos

Inception Cloud User s Guide

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

An introduction to Docker

Move Exchange 2010 Database To Another Drive Powershell

About HP Quality Center Upgrade... 2 Introduction... 2 Audience... 2

Stonesoft Management Center. Release Notes for Version 5.6.1

Server Monitoring. AppDynamics Pro Documentation. Version 4.1.x. Page 1

Copyright 2012 Trend Micro Incorporated. All rights reserved. Protected by U.S. Patent No. 7,516,130 and U.S. Patent No. 7,747,642.

Transcription:

Netfilter Iptables for Splunk Documentation Release 0 Guilhem Marchand Oct 06, 2017

Contents 1 Overview: 3 1.1 About the Netfilter Iptables application for Splunk........................... 3 1.2 Release notes............................................... 4 1.3 Known Issues............................................... 6 1.4 Support.................................................. 6 1.5 Issues and enhancement requests.................................... 7 1.6 Pre-requisites............................................... 7 1.7 Download................................................. 7 1.8 Deployment Matrix........................................... 8 2 Installation and configuration: 9 2.1 Deployment and configuration...................................... 9 2.2 Upgrade................................................. 13 3 Guidance: 15 3.1 Userguide................................................. 15 i

ii

Contents: Contents 1

2 Contents

CHAPTER 1 Overview: About the Netfilter Iptables application for Splunk Author: Guilhem Marchand First release was published on starting 2014 Purposes: The Netfilter Iptables application for Splunk manage Linux iptables based firewall logs (iptables, ufw...) generated to provide easy and accessible information about the firewall activity of your servers. It is a very simple and lightweight application. Splunk versions The application is compatible with any version of Splunk 6.4 and later Index time operations The Netfilter application relies on the installation of the Linux Netfilter (iptables) technology add-on: https://splunkbase.splunk.com/app/3089/ Index creation The application does not create any index at installation time. Summarization implementation The application does not currently implement any piece of summarization, accelerated reports or data models. 3

Release notes Requirements Splunk 6.x and later Only What has been fixed by release V3.2.1: Minors improvements in app home page with bootstrap window providing shortcut access links to raw data V3.2.0: Global review of the application for last Splunk version compatibility Read the docs documentation Removal of useless items V3.1.0: Totally rewritten version of the App in the Splunk 6.x fashion! All views are now completely designed in Simple XML and Django / Javascript Both Accepted and Denied Traffic can be analysed with no changes within views Application setup page to allow main settings to be customized within Splunk UI Migrating from Google Maps views to Splunk Map vizualization Migrating to Splunk iplocation command and geoip db The App does not requires anymore any third party Apps to be fully usable, Splunk is the only requirement as for now V2.04: Corrected Event Search interface V2.03: Corrected span definition error for timerange and realtime views for peak load identification Deleted redundant information in Activity Summary sections V2.02: Code cleaning Views improvement Hide info message when subsearches running over realtime 4 Chapter 1. Overview:

V2.01: Added Dashboard view about Index Activity (System view) V2.0: Fully rewritten version of this apps, release notes: Added Networking Services translation with associated Charts and Stats New centralized home page Realtime stats in home page, top offsenser stats... New Realtime and Timerange Charts and stats view New event search interface Various other corrections V2.0: Fully rewritten version of this apps, release notes: Added Networking Services translation with associated Charts and Stats New centralized home page Realtime stats in home page, top offsenser stats... New Realtime and Timerange Charts and stats view New event search interface Various other corrections V2.01: Added Dashboard view about Index Activity (System view) V2.0: Fully rewritten version of this apps, release notes: Added Networking Services translation with associated Charts and Stats New centralized home page Realtime stats in home page, top offsenser stats... New Realtime and Timerange Charts and stats view New event search interface Various other corrections 1.2. Release notes 5

Version 2.01: Fully rewritten version of this apps, release notes: Added Networking Services translation with associated Charts and Stats New centralized home page Realtime stats in home page, top offsenser stats... New Realtime and Timerange Charts and stats view New event search interface Various other corrections Version 1.0 Initial version Known Issues Major or minor bug, enhancement requests will always be linked to an opened issue on the github project issue page: https://github.com/guilhemmarchand/iptables-for-splunk/issues Please note that once issues are considered as solved, by a new release or support exchanges, the issue will be closed. (but closed issues can still be reviewed) There are no issues currently referenced Support Community support This application and all of its components are provided under the Creative Commons BY 3.0 licence, please remember that it comes with no warranty even if i intend to do my best in helping any people interested in using the App. DISCLAIMER: Community support comes in best effort with absolutely no warranties. Github https://github.com/guilhemmarchand/iptables-for-splunk Use Github to open an issue for errors and bugs to be reported, or to ask for enhancements requests. You can even provide your own improvements by submitting a pull request. 6 Chapter 1. Overview:

Splunk Answers Splunk has a strong community of active users and Splunk Answers is an important source of information. Access previous messages of users or open your own discussion: https://splunkbase.splunk.com/app/1353 http://answers.splunk.com/answers/app/1353 Issues and enhancement requests For any bug reporting, or enhancement request about the Netfilter Iptables application, you can: Open a question on Splunk Answers related to the app: http://answers.splunk.com/answers/app/1353.html Open an issue on the Git project home page: https://github.com/guilhemmarchand/iptables-for-splunk/issues Get in touch by mail: guilhem.marchand@gmail.com Pre-requisites Linux Netfilter (iptables) technology add-on Since the release 3.2.0, the application relies on the very good quality add-on: https://splunkbase.splunk.com/app/3089/ As such, please refer to the application documentation to every step related to the indexing configuration for Splunk: https://github.com/doksu/ta_netfilter/wiki Basically, the application globally use the following default query to retrieve the Iptables events:: (index=* eventtype=linux_netfilter) However, this is very easily customizable via the settings page of the application. (available at first startup or in the Help & Settings menu. Download Official Splunk certified release The official and Splunk certified release can be downloaded from Splunk Base: https://splunkbase.splunk.com/app/ 3089 Github releases The application is hosted on a Github project, you can freely download the application from the Github project page: https://github.com/guilhemmarchand/iptables-for-splunk Downloading and installing from Github: You can download and install the application directly from git using the git command: 1.5. Issues and enhancement requests 7

git clone https://github.com/guilhemmarchand/iptables-for-splunk.git mv iptables-for-splunk iptables Deployment Matrix What goes where? Very simple, the application lives only on search head: Splunk Instance (role) Install? Standalone server X Search head (single instance or clustered) X Indexer (single instance or clustered) Master node Deployment servers Heavy Forwarder Universal Forwarder 8 Chapter 1. Overview:

CHAPTER 2 Installation and configuration: Deployment and configuration The deployment of the application has to respect Splunk good practices depending on the topology of your deployment: Deployment The deployment of the application is very simple and relies on your Splunk installation: Standalone server Download the application as a tgz archive from Splunk base: https://splunkbase.splunk.com/app/1353 Use the application manager to install the application, or uncompress using CLI: example:: cd /opt/splunk/etc/apps/ tar -xvf <path to archive> Distributed deployment If you are not using Search Head Clustering (SHC), deploy the application in every search head needed (same procedure than for standalone servers) If you are using an SHC, uncompress the content of the tgz archive in your SHC deployer node, and apply the SHC cluster bundle, refer to: http://docs.splunk.com/documentation/splunk/latest/distsearch/propagateshcconfigurationchanges 9

Configuration Application configuration After the installation and when you open the application, the setup screen of the application will automatically be displayed: This screen allows you to: Configure the main macro that is used to retrieve your firewall events Configure the patterns that must be used to identify the accepted connections Configure the patterns that must be used to identity refused and dropped connections Blacklist specific IP addresses or host to avoid pollution Recommendations: Once you have planned the name of the index(es) for your deployment, it is recommended for best performance to configure them in the screen above Getting data in pre-requisites: You need to install the TA for iptables: https://splunkbase.splunk.com/app/3089 Please review the documentation of the THA: https://github.com/doksu/ta_netfilter/wiki 10 Chapter 2. Installation and configuration:

Once you have deployed the TA: The TA documentation provides sample configuration for iptables, in addition of this documentation, you will find above some configuration examples. Ubuntu based servers Run: 1. Install ufw sudo apt-get install ufw 2. Configure ufw according to your needs, and activate logging https://help.ubuntu.com/community/ufw Activating the logging will enable logging dropped or refused packets: sudo ufw logging on The activity of ufw is logged on the server in: /var/log/ufw.log 3. Make sure the Splunk instance can access this file with read permissions (you can use extended acl) and create a very basic and simple file monitor Example: (customize the name of the index according to your deloyment): inputs.conf: [monitor:/var/log/ufw.log] index = security_firewall_os sourcetype = syslog This inputs.conf can be configured in the TA local directory, or wherever you like. Centos like servers 1. Configure iptables and activate logging CentOS doc: https://wiki.centos.org/howtos/network/iptables example configuration: /etc/sysconfig/iptables: *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :LOGGING - [0:0] -A INPUT -i lo -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A INPUT -j LOGGING -A OUTPUT -o lo -j ACCEPT -A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "iptables: DROP: " --log-level 7 2.1. Deployment and configuration 11

-A LOGGING -j DROP COMMIT 2. Configure rsyslog to log iptables events in a separated log file example configuration: /etc/rsyslog.d/iptables.conf : :msg, contains, "iptables:" -/var/log/iptables.log & ~ Restart rsyslog: service rsyslog restart 3. Configure logrotate.d example configuration: /etc/logrotate.d/iptables: /var/log/iptables.log { rotate 7 daily missingok notifempty delaycompress compress create 0664 root root postrotate invoke-rc.d rsyslog rotate > /dev/null endscript } 4. Make sure the Splunk instance can access this file with read permissions (you can use extended acl) and create a very basic and simple file monitor Example: (customize the name of the index according to your deloyment): inputs.conf: [monitor:/var/log/iptables.log] index = security_firewall_os sourcetype = syslog Ensure Splunk is restarted after the deployment of this inputs.conf, et voila! 12 Chapter 2. Installation and configuration:

Upgrade Upgrading the application is entirely similar to the initial installation. Please refer to the installation procedure: Deployment Good practices for upgrade resiliency: do not modify any file out of the local directory (create it yourself if you need any modification) Upgrade from version 3.1.x and previous Since the release 3.2.0, the application relies on the Linux Netfilter (iptables). As such, if you have previously indexes data, the following steps have to be done: Deploy and configure the TA for iptables Replace and/or update the existing file monitor Deploy the Netfilter application new release Use the setup page of the application to search for both the old index/sourcetype and the standard index/eventtype 2.2. Upgrade 13

14 Chapter 2. Installation and configuration:

CHAPTER 3 Guidance: Userguide Key concepts The Iptables application for Splunk is a simple frontend application for Netfilter Iptables based firewall. Indexing data in Splunk relies on the TA for iptables available in Splunk base: https://splunkbase.splunk.com/app/3089 This is a pretty simple application that comes with a few reports and dashboards, as documented below. Data Types (sourcetype) The application uses the data sourcetype created by the TA for iptables: sourcetype=linux:netfilter Those events can be retrieved using eventtypes, which is what is done by the application: eventtype=linux_netfilter By default, the application will search for data using the following Splunk search: index=* eventtype="linux_netfilter" Notes: This is configurable in the application setting page, it is recommended to customize the name of the index(es) where you will decide to ingest your data. To do this, all the searches implemented in the application will use a root macro (potentially followed by other search criterias): `iptables_datasource` 15

The iptables events are basically syslog type events, where the TA for iptables will rewrite the sourcetype to its definitive value. Lookups and KV Store The application does not currently implement any KVstore based lookup. It does however contains a file based lookup table: network_services Which is based on the lookup csv file: lookups/network_services.csv This lookup table is being used to provide an auto lookup mapping with the network destination port and protocol to generate a more human friendly service name. This mapping operates in the props.conf configuration file: # Translation of port number to service name # Lookups lookup_network_services = network_services DPT, PROTO OUTPUTNEW Service As Service The lookup file content is based on standard network services. (/etc/services in any Linux OS) Main configuration files props.conf The props.conf file implements search time extractions over the following source field: [source::.../(iptables ufw).log] This a simple stanza using regular expression, and this will match any location for the following files: example for standard log file locations: /var/log/iptables.log /var/log/ufw.log If for some reasons the source value in your deployment differs from this standard, you will need to customized your configuration: create a copy of default/props.conf to local/props.conf customize the stanza definition to match your source deploy and apply your new configuration transforms.conf The transforms.conf provided by default configures the file based lookup: 16 Chapter 3. Guidance:

# Translation of port number to service name (IANA source) [network_services] filename = network_services.csv savedsearches.conf The savedsearches.conf file contains a few pre-built reports used in the application s dashboards: Iptables Activity Summary Iptables Top Offenser Iptables Top 10 denied client by count Iptables Top 10 denied client by Country Iptables Top 10 denied Networking Services Iptables Top 10 denied Destination Ports Iptables Top 10 Reporting Hosts None of these reports implement by default any acceleration or scheduling. macros.conf The macros.conf configuration contains several macros globally used in the dashboards of the application. The main macro defines the root search for retrieving iptables events: # Datasource of Iptables Events [iptables_datasource] definition = (index=* eventtype=linux_netfilter) iseval = 0 Notes: This macro can (and should) be customized using the application setup page to match your index(es) The next interest macros will define the recognition of accepted and denied / dropped packets: # Accepted Traffic - Patterns used to filter allowed traffic [traffic_accepted] definition = ( *ACCEPT* OR *ALLOW* ) iseval = 0 [traffic_denied] definition = ( *DROP* OR *BLOCK* OR *REJECT* ) iseval = 0 Notes: These macros can be customized as well with the setup page The following macro is used to filter some unwanted pollution: # Some filter for traffic pollution [filter_badclients] 3.1. Userguide 17

definition = ( clientip!="0.0.0.0" OR clientip!="255.255.255.255" ) iseval = 0 Finally, the following macro iptables_span is used to improve Splunk charts 18 Chapter 3. Guidance:

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback