netfilter (iptables) technology add-on (TA) for Splunk
This app provides field extractions and normalisation to the Common Information Model.
- Release notes
- Support and resources
- Installation and configuration
About this release
Version 0.1.0 of TA_netfilter is compatible with:

| Splunk Enterprise versions | 6.2+         |
| Vendor Products            | Linux Kernel |
| Lookup file changes        | None         |
Version 0.1.0 of TA_netfilter fixes the following issues:
Support and resources
Please post questions at https://answers.splunk.com. This app is provided as is, with no warranty, implied or otherwise; see the LICENSE document for details. Feedback about possible improvements, and good-news stories of how this app has helped your organisation, are most welcome.
INSTALLATION AND CONFIGURATION
To function properly, TA_netfilter requires the following software:
- Splunk Enterprise 6.2+
- Splunk Common Information Model 4.3+
This app should be installed on all heavy forwarders, indexers and search heads in your environment as it has both index-time and search-time configurations.
This app automatically rewrites the sourcetype of netfilter events that arrive with the sourcetype "syslog" to "linux:netfilter". The principal reason for changing the sourcetype is that "syslog" is overloaded: it is a catch-all for many log entry types with different formats. That is a problem when normalising the action (and other fields) of netfilter events to the CIM, because search-time extractions written for "syslog" conflict with those of other TAs and produce wrong values.
The second reason for a dedicated sourcetype is that CIM acceleration is far more efficient when events are tagged by an indexed field value (such as sourcetype) than by a search string or eval expression. In large distributed environments with a substantial volume of syslog-sourcetyped events, the difference is significant.
A linux:netfilter sourcetype also avoids duplicating props to apply the same netfilter extractions to multiple sourcetypes, and removes the overhead of running those extractions at search time against every syslog-sourcetyped event.
When logging network traffic with iptables, add an ACTION field to the log entry with --log-prefix. Keep the trailing space inside the quotes so that the field is separated from the IN= token the kernel appends next. For example:
-A OUTPUT -p tcp --tcp-flags ALL SYN,ACK -j LOG --log-prefix "ACTION=ACCEPT "
See the 'netfilter_action' lookup for the ACTION values normalised to the CIM (we recommend using the iptables target names: ACCEPT, DROP, REJECT).
It is also recommended to log the uid and gid of the process that generates egress traffic with --log-uid. This only applies to locally generated packets, so it is useful in the OUTPUT chain rather than INPUT or FORWARD. For example:
-A OUTPUT -j LOG --log-prefix "ACTION=DROP " --log-uid
If you do this, the uid can be automatically normalised to the CIM 'user' field by creating a local props.conf and uncommenting this line:
LOOKUP-netfilter_user = posix_identities uid AS UID OUTPUT user
However, the 'posix_identities' lookup is provided by the Linux Auditd app (https://splunkbase.splunk.com/app/2642/), so that app must be installed and configured first.
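The following is an added example, not code from TA_netfilter or from Splunk, showing in Python what the three preceding points do at search time: separating netfilter events from other syslog lines (the sourcetype rewrite), pulling the ACTION field out of the --log-prefix text and mapping it to a CIM action value (the 'netfilter_action' lookup), and resolving the UID logged by --log-uid to a user name (the 'posix_identities' lookup). The sample syslog lines, the ACTION_TO_CIM mapping and the UID_TO_USER table are constructed assumptions; the TA's own transforms regex and lookup contents are not shown on this page.

```python
"""Parse iptables LOG-target syslog lines and normalise them to CIM-style
fields. Added example; not part of TA_netfilter."""
import re
from typing import Dict, List, Optional

# Constructed sample input (not real captures): three kernel lines written by
# `-j LOG --log-prefix "ACTION=... " --log-uid`, plus one unrelated syslog line.
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 host1 kernel: [1234.567890] ACTION=ACCEPT IN= OUT=eth0 SRC=10.0.0.5 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 UID=1000 GID=1000
Jan 10 12:00:02 host1 kernel: [1234.600000] ACTION=DROP IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0 UID=33 GID=33
Jan 10 12:00:03 host1 kernel: [1234.650000] ACTION=REJECT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=10.0.0.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=3 PROTO=UDP SPT=1234 DPT=161 LEN=24
Jan 10 12:00:04 host1 sshd[2211]: Accepted publickey for alice from 10.0.0.9 port 50110 ssh2
"""

# Classic syslog header followed by a kernel message (optional printk timestamp).
KERNEL_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?:\[\s*\d+\.\d+\] )?(?P<body>.*)$"
)
# The LOG target always emits IN= and OUT= first, then SRC=/DST=. Whatever
# precedes IN= is the --log-prefix text. (Assumed heuristic, not the TA's regex.)
NETFILTER_BODY = re.compile(r"^(?P<prefix>.*?)IN=\S* OUT=\S* .*SRC=\S+ DST=\S+")

# Assumed stand-in for the 'netfilter_action' lookup: iptables target -> CIM action.
ACTION_TO_CIM = {"ACCEPT": "allowed", "DROP": "blocked", "REJECT": "blocked"}
# Assumed stand-in for the 'posix_identities' lookup (uid -> user).
UID_TO_USER = {0: "root", 33: "www-data", 1000: "alice"}


def classify_sourcetype(line: str) -> str:
    """Mirror the index-time rewrite: netfilter kernel lines become linux:netfilter."""
    m = KERNEL_LINE.match(line)
    if m and NETFILTER_BODY.match(m.group("body")):
        return "linux:netfilter"
    return "syslog"


def parse_netfilter(line: str) -> Optional[Dict[str, object]]:
    """Extract raw KEY=VALUE fields, bare flags (DF, SYN, ...) and the ACTION prefix."""
    m = KERNEL_LINE.match(line)
    if not m:
        return None
    body = m.group("body")
    nb = NETFILTER_BODY.match(body)
    if not nb:
        return None
    prefix = nb.group("prefix")
    fields: Dict[str, object] = {"host": m.group("host")}
    flags: List[str] = []
    a = re.search(r"ACTION=(\w+)", prefix)
    if a:
        fields["ACTION"] = a.group(1)
    for tok in body[len(prefix):].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # keep the first LEN= (IP length) for UDP lines
        else:
            flags.append(tok)
    fields["flags"] = flags
    return fields


def normalise(fields: Dict[str, object], uid_to_user=UID_TO_USER) -> Dict[str, object]:
    """Map raw netfilter fields onto CIM Network Traffic field names."""
    out: Dict[str, object] = {}
    out["action"] = ACTION_TO_CIM.get(str(fields.get("ACTION", "")), "unknown")
    out["src"] = fields.get("SRC")
    out["dest"] = fields.get("DST")
    proto = fields.get("PROTO")
    out["transport"] = str(proto).lower() if proto else None
    out["src_port"] = int(str(fields["SPT"])) if "SPT" in fields else None
    out["dest_port"] = int(str(fields["DPT"])) if "DPT" in fields else None
    # Empty IN= with a populated OUT= means a locally generated packet.
    if fields.get("IN") == "" and fields.get("OUT"):
        out["direction"] = "outbound"
    elif fields.get("IN"):
        out["direction"] = "inbound"
    else:
        out["direction"] = None
    uid = fields.get("UID")  # only present when --log-uid was set on an OUTPUT rule
    out["user"] = uid_to_user.get(int(str(uid))) if uid is not None else None
    return out


def process(syslog_text: str) -> List[Dict[str, object]]:
    """Classify every line; normalise only those that became linux:netfilter."""
    results: List[Dict[str, object]] = []
    for line in syslog_text.splitlines():
        st = classify_sourcetype(line)
        rec: Dict[str, object] = {"sourcetype": st}
        if st == "linux:netfilter":
            parsed = parse_netfilter(line)
            assert parsed is not None
            rec.update(normalise(parsed))
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in process(SAMPLE_SYSLOG):
        print(rec)
```

Two details worth noting: the prefix is whatever precedes IN=, so a rule whose --log-prefix lacks the trailing space would yield a token like `ACTION=DROPIN=` and the ACTION regex would still capture `DROPIN`, which is why the trailing space matters; and the UDP line carries two LEN= values (IP and UDP length), so the parser keeps the first rather than silently overwriting it.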
When Enterprise Security is installed in the same search environment as other apps, it automatically modifies their metadata (specifically, it adds 'import' entries). This can cause apps to not "see" the search-time artefacts (such as lookups) of other apps.
If using the app in the same search environment as ES, the app import regex needs to be changed to support TAs that use the underscore naming convention. Modify SplunkEnterpriseSecuritySuite/local/inputs.conf to include:
[app_imports_update://update_es]
disabled = 0
app_regex = (appsbrowser)|(search)|([ST]A[-_].*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)