doksu edited this page Feb 15, 2017 · 6 revisions


netfilter (iptables) technology add-on (TA) for Splunk

This app provides field extractions and normalisation to the Common Information Model.



  • Release notes
  • Support and resources


  • Requirements
  • Installation
  • Configuration


Release notes

About this release

Version 0.1.0 of TA_netfilter is compatible with:

Splunk Enterprise versions 6.2+
CIM 4.3+
Platforms Platform independent
Vendor Products Linux Kernel
Lookup file changes None
Fixed issues

Version 0.1.0 of TA_netfilter fixes the following issues:

  • None
Known issues
  • None

Support and resources

Please post questions at, however this app is provided as is with no warranty, implied or otherwise; please see the LICENSE document for more information. Feedback about possible improvements and good news stories of how this app has helped your organisation are most welcome.



Hardware requirements

  • None

Software requirements

To function properly, TA_netfilter requires the following software:

  • Splunk Enterprise 6.2+
  • Splunk Common Information Model 4.3+


This app should be installed on all heavy forwarders, indexers and search heads in your environment as it has both index-time and search-time configurations.

This app will automatically change the sourcetype of netfilter events with the sourcetype of "syslog" into the "linux:netfilter" sourcetype. The principal reason for changing the sourcetype of netfilter events is because the syslog sourcetype is "overloaded" in the sense it is a catch-all for various log entry types with various formats. This is a problem when trying to normalise netfilter events' action (and other fields) to the CIM because it can cause conflict with other TAs and be erroneous.

The second reason a new sourcetype was used is because CIM acceleration is much more efficient when tagging events using indexed field values (i.e. the sourcetype) than a search string or eval expression. In large distributed environments with substantial syslog sourcetyped events, the impact of this can be significant.

The approach of using a linux:netfilter sourcetype is also advantageous because it prevents duplication of props to apply the same netfilter extractions to multiple sourcetypes and requires less search-time field extraction overhead when searching syslog sourcetyped events.


Please configure iptables when logging network traffic to append the ACTION field using 'log-prefix'. For example:

-A OUTPUT -p tcp --tcp-flags ALL SYN,ACK -j LOG --log-prefix "ACTION=ACCEPT "

See the 'netfilter_action' lookup for ACTION values normalised to the CIM (we recommend iptables target values: ACCEPT, DROP, REJECT).

It's recommended to log the uid and gid of the process that produces egress traffic using 'log-uid'. For example:

-A OUTPUT -j LOG --log-prefix "ACTION=DROP " --log-uid

If you choose to do this, then the uid can be automatically normalised to the CIM 'user' field by creating a local props.conf and uncommenting this line:

LOOKUP-netfilter_user = posix_identities uid AS UID OUTPUT user

However, the 'posix_identities' lookup used is provided by the Linux Auditd app ( and so it must be installed and configured prior.

Enterprise Security

When Enterprise Security is installed in the same search environment as other apps, it automatically modifies their metadata (specifically, it adds 'import' - please see here for more information). This can cause apps to not "see" the search-time artefacts (such as lookups) of other apps.

If using the app in the same search environment as ES, the app import regex needs to be changed to support TAs that use the underscore naming convention. Please modify SplunkEnterpriseSecuritySuite/local/inputs.conf to include:

disabled = 0
app_regex = (appsbrowser)|(search)|([ST]A[-_].*)|(Splunk_[ST]A_.*)|(DA-ESS-.*)|(Splunk_DA-ESS_.*)
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.