Analyzing OpenWrt firewall logs with Splunk

This article explains how to analyze dropped and rejected traffic from OpenWrt (or any other iptables-based) firewall logs using Splunk and the Netfilter Iptables App.

What you will need is:

  • a remote syslog server (I use syslog-ng)
  • a machine that runs Splunk and can access the logfiles

Preparing OpenWrt

On OpenWrt we need to enable remote logging as well as firewall logging.

/etc/config/system

config system
        [...]
        option log_ip '192.168.1.2'

/etc/config/firewall

config zone
        option name 'wan'
        [...]
        option log '1'
        option log_limit '200/second'

Preparing the Log server

The firewall log should be written to a separate file, and MSSFIX log messages need to be filtered out, because they confuse the Netfilter Iptables Splunk app.

/etc/syslog-ng/syslog-ng.conf

# default OpenWrt syslog only understands udp
source src_net {
  udp();
};

# define the destination
destination d_openwrt_fw { file("/var/log/openwrt/iptables.log"); };
destination d_openwrt_fw_filtered { file("/var/log/openwrt/iptables_filtered.log"); };

# define the filter(s)
# NOTE: the hostname here is "openwrt". You may need to use your router's IP address or hostname instead
filter f_openwrt_fw { host( "openwrt" ) and match("IN=" value("MESSAGE")) and match("OUT=" value("MESSAGE")); };
filter f_openwrt_fw_filtered { filter(f_openwrt_fw) and not match("MSSFIX" value("MESSAGE")); };

# now the log
log { source(src_net); filter(f_openwrt_fw); destination(d_openwrt_fw); };
log { source(src_net); filter(f_openwrt_fw_filtered); destination(d_openwrt_fw_filtered); };
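To see what the two syslog-ng filters above actually keep and what the Splunk app will then have to parse, here is an added example in Python (not part of the original article and not from syslog-ng or the Netfilter Iptables app). It re-implements the `f_openwrt_fw_filtered` logic over a handful of constructed syslog lines (hypothetical hosts, RFC 5737 documentation addresses), splits the netfilter `KEY=value` pairs into fields, and counts dropped packets per protocol and destination port:

```python
import re
from collections import Counter

# Constructed sample lines in the shape syslog-ng writes to iptables.log.
# Hosts, MACs and addresses are made up (203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges); this is not real captured traffic.
SAMPLE_LOG = """\
Mar 10 12:00:01 openwrt kernel: [1234.567] DROP wan in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:02 openwrt kernel: [1235.001] DROP wan in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar 10 12:00:03 openwrt kernel: [1235.900] DROP wan in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=5353 DPT=161
Mar 10 12:00:04 openwrt kernel: [1236.200] MSSFIX(wan): IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=44444 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:05 openwrt dnsmasq[1200]: started, version 2.80 cachesize 150
Mar 10 12:00:06 otherhost kernel: [99.1] DROP wan in: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.8 PROTO=TCP SPT=1 DPT=22 SYN
"""

# Classic BSD syslog header: "Mon DD HH:MM:SS host program: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[^:\s]+):\s(?P<msg>.*)$"
)
KERNEL_TS_RE = re.compile(r"^\[\s*[\d.]+\]\s*")   # leading "[1234.567] "
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")           # netfilter KEY=value pairs


def passes_filter(host, msg, router_host="openwrt"):
    """Same decision as the syslog-ng f_openwrt_fw_filtered filter:
    right host, both IN= and OUT= present, and no MSSFIX noise."""
    return (host == router_host
            and "IN=" in msg and "OUT=" in msg
            and "MSSFIX" not in msg)


def parse_netfilter(msg):
    """Split a netfilter message into its log prefix (e.g. 'DROP wan in:')
    and a dict of KEY=value fields. Bare flags such as DF or SYN carry no
    '=' and are deliberately left out of the dict."""
    msg = KERNEL_TS_RE.sub("", msg)
    i = msg.find("IN=")
    prefix = msg[:i].strip()
    fields = dict(KV_RE.findall(msg[i:]))
    return {"prefix": prefix, "fields": fields}


def analyze(log_text, router_host="openwrt"):
    """Apply the filter line by line. Returns (kept_records, skipped_count);
    skipped covers unparsable lines, other hosts, non-firewall messages
    and MSSFIX entries."""
    kept, skipped = [], 0
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or not passes_filter(m["host"], m["msg"], router_host):
            skipped += 1
            continue
        kept.append(parse_netfilter(m["msg"]))
    return kept, skipped


def top_targets(records, n=5):
    """Dropped packets per (PROTO, DPT): a quick view of which ports are
    being probed, the same question the live dashboard answers."""
    counts = Counter(
        (r["fields"].get("PROTO"), r["fields"].get("DPT"))
        for r in records if r["prefix"].startswith("DROP")
    )
    return counts.most_common(n)


if __name__ == "__main__":
    records, skipped = analyze(SAMPLE_LOG)
    print(f"kept {len(records)} firewall lines, skipped {skipped}")
    for (proto, dpt), count in top_targets(records):
        print(f"{proto}/{dpt}: {count} dropped")
```

Running it shows why the host match and the MSSFIX exclusion matter: of the six constructed lines only the three `DROP` entries from `openwrt` survive, while the MSSFIX line, the dnsmasq message and the line from another host are discarded before they ever reach Splunk.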

Prepare Splunk

Download and install Splunk. I used the latest version 6.

Additionally, download and unpack the following apps to $SPLUNK_HOME/etc/apps/

Some of those apps are not yet marked as compatible with Splunk 6, but they work fine here.

Start analyzing

Now you're ready to go. Reboot OpenWrt, restart syslog-ng and start Splunk.

In Splunk, manually create a data input with source /var/log/openwrt/iptables_filtered.log, sourcetype iptables_source, and target index iptables_index.

Now wait a bit, or use a scanner tool like grc.com's ShieldsUp!! to generate some DROP log entries - they should show up in the Netfilter Iptables app's live dashboard immediately.