
I’ve been doing some pretty interesting things with Splunk lately, and finally got around to toying with the Google Maps Splunk app. I found a couple of boilerplate Splunk configuration files in another blog post that needed some tweaks to get going properly. I’ve created a YouTube video demonstrating how pfSense firewall attacks can be visualized in Google Maps, using the MAXMIND GeoIP plugin to translate the IP addresses into coordinates.

The map can be viewed historically or in real time, as the video demonstrates.

Setup Guide

This tutorial presumes that you already have a working pfSense router and a Splunk server deployed. There are a couple of ways to get the pfSense firewall logs over to the Splunk server; this guide uses pfSense's remote syslog feature, sending over UDP to a UDP syslog listener on the Splunk server.

In this guide, I will be using:

  • Splunk v4.3.1
  • pfSense 2.1-Development

Splunk Configuration: Setup Files

First, we need to create a couple of files on the Splunk server. If you have not done so already, set the $SPLUNK_HOME environment variable with the following command, changing the path to fit your installation: “export SPLUNK_HOME=/opt/splunk”.



Save these two files and run chown splunk:splunk $SPLUNK_HOME/etc/system/local/*.conf so that the user Splunk runs as can read them.

Splunk Configuration: Setup UDP Input

The next thing to do is setup the Splunk server to listen on a UDP port to collect the firewall logs from the pfSense router. This is done by navigating in the Splunk web UI to:

  • Manager > Data Inputs > UDP > New

Splunk UDP 514 Input Dialog

For the UDP port, choose port 514. This is the default UDP port pfSense sends to (it can be changed, but that goes beyond the scope of this guide). Two things to keep in mind: on Linux only root can bind ports below 1024, so a Splunk instance running as the splunk user cannot open 514 itself (forward 514 to a high port with an iptables REDIRECT rule, or have pfSense send to a port above 1024 instead); and syslog over UDP is neither authenticated nor encrypted, so anyone who can send packets to the listener can inject fake “firewall events” into your map. Keep the listener reachable only from the firewall.

Set the sourcetype to Manual and enter pfsense-firewall as the sourcetype name. Optionally set Host, Index and Restriction (restricting the input to the pfSense router's address is a good idea for the reason above), then save.

Restart the Splunk server with $SPLUNK_HOME/bin/splunk restart, or from your init script if you have one configured.

Splunk Configuration: Install Google Maps and MAXMIND

These two apps can be installed from the Splunk App Manager (they usually appear on the first page of results when you follow the Find more apps link). Neither app needs any special configuration to get this going.

pfSense Configuration

From the pfSense web UI, browse to: Status > System Logs and click the Settings tab. Check the Send log messages to remote syslog server checkbox, enter the IP address of your Splunk server, and make sure firewall events are among the log categories being sent.

pfSense Syslog Settings Dialog

Save the settings and return to the Splunk web UI.

Google Maps Test Drive

At this point, your pfSense firewall should be logging firewall events to the Splunk server, and the events should appear under the pfsense-firewall sourcetype in the main Search dashboard. If the pfSense router is internal to the network and gets no traffic on its WAN side, you may have to be creative with a tool such as Nmap to “wake it up” and produce firewall events.
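Before waiting for real WAN traffic, it is worth confirming the syslog path end to end. The script below is an added example and not part of the original post: it renders the UDP input from the Setup UDP Input section as an inputs.conf stanza (the file-based equivalent of the web UI steps), checks that something is bound to the syslog port, and pushes a single test datagram at the listener from any machine with bash. The SPLUNK_HOME path, port 514, the filterlog tag and the local0.info facility/severity are assumptions; the message you send should be a line copied from the firewall log on your own pfSense box, so that the field extractions for the pfsense-firewall sourcetype match it.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Assumes SPLUNK_HOME=/opt/splunk
# and a UDP listener on port 514 as in the guide; override the variables if not.
set -u

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SYSLOG_PORT="${SYSLOG_PORT:-514}"
# Tag pfSense 2.1 puts on firewall events (assumed; earlier releases used "pf").
SYSLOG_TAG="${SYSLOG_TAG:-filterlog}"

# The same input the guide creates in the web UI (Manager > Data Inputs > UDP),
# as $SPLUNK_HOME/etc/system/local/inputs.conf. connection_host = ip sets the
# host field to the sender's IP address, so the firewall is identifiable even
# when its hostname does not resolve on the Splunk server.
render_inputs_conf() {
  cat <<EOF
[udp://${SYSLOG_PORT}]
sourcetype = pfsense-firewall
connection_host = ip
EOF
}

# Is anything bound to the syslog port? On Linux only root can bind ports below
# 1024, so a Splunk instance running as "splunk" will never show up here for
# 514: either redirect 514 to a high port (iptables REDIRECT to 1514 and use
# [udp://1514] above) or point pfSense at the high port directly.
listener_up() {
  if command -v ss >/dev/null 2>&1; then
    ss -lun | grep -q ":${SYSLOG_PORT} "
  else
    netstat -lun | grep -q ":${SYSLOG_PORT} "
  fi
}

# RFC 3164 PRI value: facility * 8 + severity (local0.info is 16*8+6 = 134).
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# One RFC 3164 datagram. The message part is whatever line you pass in; the
# timestamp defaults to now but can be supplied for reproducible output.
syslog_datagram() {  # facility severity host tag message [timestamp]
  local ts="${6:-$(date '+%b %e %H:%M:%S')}"
  printf '<%d>%s %s %s: %s' "$(syslog_pri "$1" "$2")" "$ts" "$3" "$4" "$5"
}

# Push a single test event at the listener with bash's /dev/udp device, so no
# logger or nc is needed. Use a real line from the pfSense box's firewall log
# (/var/log/filter.log) so that the sourcetype's field extractions match; a
# made-up line is indexed but yields no src_ip for the map.
send_test_event() {  # splunk_host message
  syslog_datagram 16 6 pfsense "$SYSLOG_TAG" "$2" > "/dev/udp/$1/${SYSLOG_PORT}"
}

# Usage: ./syslog_check.sh render          -> print the inputs.conf stanza
#        ./syslog_check.sh listening       -> exit 0 if the port is bound
#        ./syslog_check.sh send HOST 'LINE' -> send LINE to HOST:$SYSLOG_PORT
case "${1:-}" in
  render)    render_inputs_conf ;;
  listening) listener_up ;;
  send)      send_test_event "$2" "$3" ;;
esac
```

Run it with render to get the stanza, listening on the Splunk server to confirm the bind, and send from any host to inject one event; the event should then show up under sourcetype=pfsense-firewall with host set to the sender's address.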

Once you have confirmed that events are being logged in Splunk, drill down into the pfsense-firewall sourcetype in the search dialog and ensure that the following fields are being shown:

  • action
  • protocol
  • src_ip
  • src_port
  • dest_ip
  • dest_port

After this is confirmed, go ahead and navigate to the Google Maps Splunk app page, and enter the following Splunk Search:

  • sourcetype="pfsense-firewall" block | geoip src_ip

Adjust the time window to your tastes, and get a geographic picture of the blocked host traffic being dropped!



Splunk is probably one of the greatest IT tools of all time. It is a robust monitoring and reporting tool that can index just about any type of data from several types of data inputs.

There is a free license version of the Splunk software that has a few limitations compared with the Enterprise license; one of them is that it offers no user authentication at all (not even a simple username and password, let alone the PAM and other authentication methods of the Enterprise license). We can fix this easily with a small and lightweight installation of the freely available Nginx web server in front of Splunk.

For this guide, I will demonstrate the process on a Linux Splunk deployment. I will not go into the details of how to install Splunk, and will presume a pre-existing installation exists.


How it Works

Below is a diagram showing the communication between the client connecting to Splunk, running on the host “splunkbox”:

Nginx Splunk Proxy

Nginx will proxy all requests on port 443 (SSL) for https://splunkbox/splunk to the Splunk instance running on the same server, which listens only on localhost. Any attempt to bypass the authentication mechanism we configure by making direct requests to splunkbox:8000 will be refused, simply because Splunk Web no longer listens on a network-reachable address. Note that this covers only Splunk Web: splunkd's management port (8089 by default) is a separate listener that the proxy does not front, so bind it to localhost as well (mgmtHostPort in server.conf) or firewall it.


Step #1: Getting the Required Software

You have the option of installing Nginx from your distribution's packages or from source. If compiling from source, make sure you grab it from the official Nginx download page.


Step #2: Configuring Splunk

We start this process by editing the Splunk web.conf to add the settings it needs to listen on localhost only and to sit behind a proxy:

Once the web.conf file looks like the above, restart Splunk with $SPLUNK_HOME/bin/splunk restart.

Splunk should now bind to localhost only and accept proxied requests (it is a good idea to confirm that it is listening only on localhost, e.g. with netstat -lnt, before going further).


Step #3: Nginx Configuration

This step presumes that you wish to use SSL for the configuration and have properly generated the needed SSL certificates (if you do not have certificates already, refer to the OpenSSL documentation on how to generate a self-signed certificate). In this section we will edit nginx.conf directly and, for the sake of simplicity, not cover how to set up separate virtual host configuration files:

Next we create the password file for the authentication. From the Nginx documentation:

“Passwords must be encoded by function crypt(3). You can create the password file with the htpasswd program from Apache.”

If you do not have apache2-utils installed, see man 3 crypt for how to generate such a hash another way. With htpasswd:

  • htpasswd -c /etc/nginx/nginx.passwd username

You are prompted to enter the password twice. Note that -c creates the file, overwriting an existing one; leave it off when adding further users.

Now we can check the configuration with nginx -t and start Nginx with the command “nginx” from a terminal (and now would be a good time to read the Nginx man page).


Step #4: Testing the Proxy

Assuming that nginx is running and listening on the correct port, open a browser and navigate to https://splunkbox/splunk. You should be prompted for the username and password set in the configuration above. Once authenticated, you should see the Splunk interface. Also confirm that a direct request to http://splunkbox:8000 from another machine is refused; if it is not, Splunk is still listening on all interfaces and the proxy can be bypassed.
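The configuration files themselves are not reproduced above, so here is an added example (not the post's own files) that renders the Splunk and nginx settings Steps 2 and 3 describe, produces crypt(3)-style password entries without apache2-utils, and runs the Step 4 checks. Assumed names: the host splunkbox, certificate and key under /etc/nginx/ssl/, the password file /etc/nginx/nginx.passwd, and the default Splunk ports 8000 and 8089.

```bash
#!/usr/bin/env bash
# Added example, not the post's own configuration files. Assumed: host name
# splunkbox, cert/key in /etc/nginx/ssl/, password file /etc/nginx/nginx.passwd.
set -u

PROXY_HOST="${PROXY_HOST:-splunkbox}"
PASSWD_FILE="${PASSWD_FILE:-/etc/nginx/nginx.passwd}"

# Step 2, $SPLUNK_HOME/etc/system/local/web.conf: Splunk Web listens on the
# loopback address only, serves itself under /splunk (matching the nginx
# location below) and honours the X-Forwarded-* headers the proxy adds.
render_web_conf() {
  cat <<'EOF'
[settings]
httpport = 8000
server.socket_host = 127.0.0.1
root_endpoint = /splunk
tools.proxy.on = True
EOF
}

# The proxy only fronts Splunk Web. splunkd's management port is a separate
# listener with no authentication under the free licence either, so bind it
# to loopback too ($SPLUNK_HOME/etc/system/local/server.conf).
render_server_conf() {
  cat <<'EOF'
[settings]
mgmtHostPort = 127.0.0.1:8089
EOF
}

# Step 3, server block for nginx.conf: TLS on 443, HTTP basic auth on /splunk,
# requests forwarded unchanged (same URI) to the loopback-only Splunk Web.
render_nginx_server() {
  cat <<EOF
server {
    listen              443 ssl;
    server_name         ${PROXY_HOST};
    ssl_certificate     /etc/nginx/ssl/${PROXY_HOST}.crt;
    ssl_certificate_key /etc/nginx/ssl/${PROXY_HOST}.key;

    location /splunk {
        auth_basic           "Splunk";
        auth_basic_user_file ${PASSWD_FILE};
        proxy_pass           http://127.0.0.1:8000;
        proxy_set_header     Host              \$host;
        proxy_set_header     X-Real-IP         \$remote_addr;
        proxy_set_header     X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header     X-Forwarded-Proto https;
    }
}
EOF
}

# Password-file line in crypt(3) form without apache2-utils: "openssl passwd -1"
# yields an MD5-crypt hash ($1$salt$hash) that glibc crypt(3) verifies. The
# password is fed on stdin so it never appears in the process list. A fixed
# salt is only for reproducible output; omit it to get a random one.
htpasswd_entry() {  # user password [salt]
  local hash
  if [ -n "${3:-}" ]; then
    hash=$(printf '%s\n' "$2" | openssl passwd -1 -salt "$3" -stdin)
  else
    hash=$(printf '%s\n' "$2" | openssl passwd -1 -stdin)
  fi
  printf '%s:%s\n' "$1" "$hash"
}

# Step 4: anonymous requests through the proxy must get 401, and the direct
# routes (8000 and 8089) must be refused from the network, not merely hidden.
check_proxy() {
  local code port
  code=$(curl -sk -o /dev/null -w '%{http_code}' "https://${PROXY_HOST}/splunk/")
  [ "$code" = "401" ] || { echo "expected 401 without credentials, got $code" >&2; return 1; }
  for port in 8000 8089; do
    if curl -sk -m 3 -o /dev/null "https://${PROXY_HOST}:${port}/" \
       || curl -s -m 3 -o /dev/null "http://${PROXY_HOST}:${port}/"; then
      echo "port ${port} is still reachable directly" >&2; return 1
    fi
  done
  echo "proxy OK: 401 without credentials, 8000/8089 not reachable directly"
}

# Usage: ./splunk_proxy.sh render               -> print all three fragments
#        ./splunk_proxy.sh passwd USER PASSWORD >> /etc/nginx/nginx.passwd
#        ./splunk_proxy.sh check                -> Step 4 checks against $PROXY_HOST
case "${1:-}" in
  render) render_web_conf; echo; render_server_conf; echo; render_nginx_server ;;
  passwd) htpasswd_entry "$2" "$3" ;;
  check)  check_proxy ;;
esac
```

Run check from a machine other than the Splunk server, since from the box itself 127.0.0.1:8000 will of course answer; the point of the check is that nothing answers on the network-facing address.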