Splunk Sophos



“It's a Family Affair.” Whenever I sing that Sly and the Family Stone song around the house, the kids just roll their eyes in disgust. I laugh and tell them not to dis a great old tune. While singing it I often wonder how different Sly's lyrics would be today, considering the technical challenges facing parents who try to monitor their teenagers' online activities.

Fortunately, there are many great methods, both paid and free, available to parents these days. The good news is that no matter what your parenting style, there is probably a tool you can use to monitor your children's online behavior. The bad news is that there are just too many tools to choose from, and they often don't play nicely together.

Being a geek at heart as well as a caring parent, I decided to try a different approach. Could I monitor the family's online activities without investing in a lot of hardware and software? What if I wanted to include other household IoT monitoring as well? Could I build a system that even my less technical neighbor Bob could easily use? Well, let's see how far I got, shall we?

Before I go any further I have to shout out to several fellow Splunkers and SE interns who helped me on this journey: the amazing fellow Splunkers Joe Welsh for his setup advice and passion, Bryan Schaefer for his assistance with Sophos UTM (gotta check out his Splunk for Sophos UTM App), and interns Walter Pospick and John Desaulos for their tenacious hardware hacking.

Architecture

Here is an overview of the architecture I built. Many different devices are authenticating to my Access Point then all of the traffic is going through my Security Server that is running a web proxy and firewall. The web proxy and firewall data is forwarded via syslog to a Splunk Universal Forwarder (UF) running on a Raspberry Pi 3. The UF forwards the compressed syslog data via a guaranteed and secure TCP connection to the Splunk Light cloud service instance.


Security Server Setup

I have a pretty good ISP connection at home, but the logging is not ideal. The modem does have a built-in firewall, but it only shows my port connection status (drop/allow). That is kind of interesting from a security standpoint, but not really what I was looking for in terms of understanding the family's online activity. So I decided to look into a unified threat management system that sits between my ISP modem and my wireless access point. There are many options to choose from, but I looked into a couple of fairly inexpensive all-in-one systems: Sophos UTM and pfSense.

Both Sophos and pfSense have solutions that a home user can run without breaking the bank. Sophos has a Unified Threat Management (UTM) home edition that includes a firewall, web proxy, etc. and is free for up to 50 IP addresses. It is an application that runs on a hardened version of Linux, in either a VM or on a dedicated system. There are a number of small form-factor systems that you can purchase on Amazon (Intel Celeron J1900 Quad Core) or on New Egg (Zotac ZBOX C Series). Any system will do, just make sure it has two network ports. I was looking for something small that can sit on a desk without too much noise or heat.

pfSense also sells an all-in-one hardware/software system that is quite affordable as well. It fits very nicely on the desk and doesn't make a peep. There are software packages (firewall, web proxy, etc.) that can be easily enabled on the system depending on your requirements.

Sophos and pfSense both have many fans out there, and between the official docs and the community blogs I would refer to those to optimize your setup. There are also a number of videos on setting up all aspects of both systems. I enabled both the firewall and the web proxy on the Sophos UTM, and below is a logging example from the Firewall Live Log:

(Screenshot: Sophos UTM Firewall Live Log)

I want this data in Splunk so I can easily configure searches, alerts, reports and dashboards, right? Let's go over how easy that is to get configured.

Syslog Server Setup

Sophos

The Sophos UTM can send its logging data via syslog to a remote server. Once you are logged in as the admin user, select Logging & Reporting -> Log Settings, then select the Remote Syslog Server tab. You will need to supply the IP address and port of your syslog server. Here is an excellent video that goes through the steps.

Next we need to set up our syslog server. The cheapest solution I could find that was reliable and didn't take a lot of electricity to run is the Raspberry Pi 3. The new Pi 3 just came out this year, and it has built-in wifi and Bluetooth plus four USB ports to connect devices. There is a NOOBs version of the OS that makes the install and configuration dead simple. I did have some issues using the default syslog port of 514, so I used a different port above 1024, which I will go into in more detail later. Another big reason I chose the Raspberry Pi is that it is very easy to have it collect data from many other IoT devices that I can plug into the house. There are many different guides and books on how to set up a Raspberry Pi, and the community is awesome too.

The NOOBs installer has the Raspbian OS bundled as an option. Once Raspbian is installed and the wifi is configured to connect to the access point, the next step is to install a Splunk Universal Forwarder (UF) on the Raspberry Pi.

Splunk Universal Forwarder Install

The UF can be downloaded from the Splunk website by going here. Make sure that you select the 64-bit ARM version of the Linux UF. The UF can be installed with the following steps:


$ tar xvzf splunkforwarder-<...>-Linux-x86_64.tgz

or if you want to install it in the /opt directory then run the following command on the Raspberry Pi:

$ tar xvzf splunkforwarder-<...>-Linux-x86_64.tgz -C /opt

Verify that the UF is running with the following command:


$ /opt/splunkforwarder/bin/splunk status

We will come back to this configuration later.

Splunk Light in the Cloud

There are many options for running Splunk depending on your expertise and needs. You can run it on a server in your own environment, or there are very cost-effective cloud solutions. I chose the Splunk Light cloud service because it is easy both to get data in and to access it. Once again, select the green Free Splunk link on the Splunk home page and follow the prompts to sign up for a 15-day trial of the Splunk Light cloud service.

Once the instance is up and running, log in using your splunk.com credentials and select the My Account -> Instances menu option. To access your instance, simply select the “ACCESS INSTANCE” menu and you will be logged into Splunk Light.

Now you need to download the Splunk Universal Forwarder Credentials, which are installed on the Universal Forwarder running on the Raspberry Pi. The Universal Forwarder Credentials make sure that your data is encrypted and compressed before it is sent to the Splunk Light cloud service.

Select the graphic next to the splunk>light logo, then select the Universal Forwarder link.

Next, select the “Download Universal Forwarder Credentials” link and a file with an .spl extension will be downloaded. You will need to get this file over to the Raspberry Pi via sftp or sneaker net.

Universal Forwarder Credentials Install Steps

The Splunk UF is typically installed in the /opt/splunkforwarder directory and the splunk command is located in the bin directory. The credentials file is called splunkclouduf.spl. The steps to install are the following:

$ /opt/splunkforwarder/bin/splunk install app <full path to the splunkclouduf.spl> -auth <username>:<password> (the default is admin:changeme)

$ /opt/splunkforwarder/bin/splunk restart

Link to the online Splunk Docs for this topic.

Sophos UTM Monitoring Data into SplunkLight Cloud Service

Steps Recap

  • Installed and configured a Sophos UTM Home Edition with web proxy and firewall
  • Configured Sophos UTM to send syslog data to a syslog server (in our case a Raspberry Pi)
  • Set up a Raspberry Pi as a syslog server
  • Downloaded and installed a Splunk UF on the Raspberry Pi
  • Signed up for the Splunk Light cloud service
  • Downloaded and installed the Splunk Light cloud service credentials app on our Raspberry Pi

Now we just need to configure the UF on the Raspberry Pi to listen for the syslog traffic from our Sophos UTM server. You will need to remember which port and which protocol (UDP or TCP) you selected in the Remote Syslog Server tab on your Sophos UTM server. I would suggest that you use UDP and a port above 1024. For our example we will use 20514/udp.

Log into your Raspberry Pi and follow these steps:

$ cd /opt/splunkforwarder/etc/apps/search
$ mkdir local
$ cd local
$ vi inputs.conf
(use whatever file editor you are comfortable with to create and edit the new file)


Put the following in the inputs.conf file:
[udp://20514]
sourcetype=syslog
connection_host=ip
queueSize=1MB
persistentQueueSize=5MB

Now restart the Splunk UF:
$ /opt/splunkforwarder/bin/splunk restart
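Before pointing the Sophos UTM at the Pi, it is worth confirming that a syslog datagram actually arrives on the port the inputs.conf stanza above declares. The following Python script is an added example written for this post, not code from Splunk or from the original article: it reads the port out of an inputs.conf text (the stanza above, embedded here as a constructed copy), builds an RFC 3164-style syslog line shaped like a UTM firewall event, and sends it over UDP. Because no forwarder is present where this runs, a throwaway UDP socket stands in for the UF input; in real use you would send to the Pi's address and port and then look for the event in Splunk. The reported sender address is also what the host field becomes under connection_host=ip. The hostname "utm" and the sample key="value" text are constructed.

```python
import re
import socket
import time

# Constructed inputs.conf text, mirroring the stanza written on the Raspberry Pi above.
INPUTS_CONF = """\
[udp://20514]
sourcetype=syslog
connection_host=ip
queueSize=1MB
persistentQueueSize=5MB
"""

# Matches [udp://20514], [tcp://514] and the [udp://<host>:<port>] form.
STANZA_RE = re.compile(r"^\[(udp|tcp)://(?:[^:\]]+:)?(\d+)\]\s*$", re.MULTILINE)


def listening_ports(inputs_conf: str):
    """Return [(protocol, port)] for every network input stanza in inputs.conf."""
    return [(m.group(1), int(m.group(2))) for m in STANZA_RE.finditer(inputs_conf)]


def syslog_priority(facility: int, severity: int) -> int:
    """RFC 3164 PRI value: facility * 8 + severity (facility 0-23, severity 0-7)."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    return facility * 8 + severity


def build_syslog_message(hostname: str, text: str, facility: int = 1,
                         severity: int = 6, when=None) -> bytes:
    """Build a BSD-style syslog datagram: <PRI>Mmm dd hh:mm:ss host text."""
    stamp = time.strftime("%b %d %H:%M:%S",
                          time.localtime(time.time() if when is None else when))
    return f"<{syslog_priority(facility, severity)}>{stamp} {hostname} {text}".encode()


def send_test_message(host: str, port: int, payload: bytes) -> int:
    """Send one UDP datagram to the forwarder's syslog input; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


def stand_in_listener(bind_ip: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Throwaway UDP socket playing the role of the UF input (port 0 = ephemeral)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    return sock


def receive_one(sock: socket.socket, timeout: float = 2.0):
    """Wait for a single datagram; returns (payload, sender_ip) or None on timeout."""
    sock.settimeout(timeout)
    try:
        data, (sender_ip, _) = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return data, sender_ip


def end_to_end_check(bind_ip: str = "127.0.0.1", port: int = 0) -> dict:
    """Send a UTM-shaped test line to a listener and report what arrived.

    With connection_host=ip in inputs.conf, Splunk's host field is the sender's
    IP, so the sender address is reported alongside the payload.
    """
    with stand_in_listener(bind_ip, port) as srv:
        actual_port = srv.getsockname()[1]
        # Constructed sample text in the key="value" style of a UTM firewall event.
        msg = build_syslog_message(
            "utm", 'id="2001" sub="packetfilter" action="drop" srcip="192.168.1.23"')
        send_test_message(bind_ip, actual_port, msg)
        got = receive_one(srv)
        if got is None:
            return {"ok": False, "reason": "no datagram received before timeout"}
        data, sender_ip = got
        return {"ok": data == msg, "host_field": sender_ip, "payload": data.decode()}


if __name__ == "__main__":
    print("inputs.conf listens on:", listening_ports(INPUTS_CONF))
    print(end_to_end_check())
```

If the datagram never arrives when sent from another machine, the usual suspects are a host firewall on the Pi, the UTM sending to the wrong port or protocol, or the UF not having been restarted after inputs.conf was written.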


We are not completely done yet. The remaining step is to add a rule on your Sophos UTM firewall that allows traffic from the Raspberry Pi running the Splunk UF to the Splunk Light cloud service. You will need to know the IP address of the Splunk Cloud server. The hostname is in the browser when you connect to the service, or you can run the following command on your Raspberry Pi:
$ grep server /opt/splunkforwarder/etc/apps/splunkclouduf/default/outputs.conf
There are several methods for getting the IP address, such as ping, nslookup and dig, i.e.:
$ ping <splunk cloud server name>
Next, create a firewall rule that allows the UF on the Raspberry Pi to communicate with the Splunk Light cloud service server. Log into the Sophos UTM and navigate to Network Protection -> Firewall. There are two TCP ports that the UF uses: one for sending data (9997) and one for management (8089). Finally, log into your Splunk Light cloud service and data should be showing up: once you are logged in, you should see the IP address or hostname of your Raspberry Pi with data coming in.
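To keep the firewall rule tight, it should name only the destinations the forwarder actually talks to rather than a blanket allow from the Pi. The script below is an added example written for this post, not Splunk's or the article author's code: it extracts the server entries from an outputs.conf text (a constructed stand-in for the one the credentials app ships, using placeholder .invalid hostnames), turns them into a minimal list of Pi-to-cloud TCP rules on 9997 plus 8089 to the instance hostname you see in the browser, resolves a hostname the way the ping/nslookup step does, and checks whether a TCP handshake to each destination completes once the rule is in place. The self-test exercises the reachability check against a local socket so it runs with no network access.

```python
import re
import socket

# Constructed stand-in for the outputs.conf shipped in the splunkclouduf app.
# The hostnames are placeholders (.invalid TLD), not a real Splunk Cloud instance.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = splunkcloud

[tcpout:splunkcloud]
server = inputs1.my-stack.splunkcloud.invalid:9997, inputs2.my-stack.splunkcloud.invalid:9997
compressed = true
"""

DATA_PORT = 9997        # UF -> indexer data port named in the text
MANAGEMENT_PORT = 8089  # UF management port named in the text
SERVER_RE = re.compile(r"^\s*server\s*=\s*(.+?)\s*$", re.MULTILINE)


def indexer_endpoints(outputs_conf: str):
    """De-duplicated [(host, port)] from every server= line; port defaults to 9997."""
    seen, endpoints = set(), []
    for match in SERVER_RE.finditer(outputs_conf):
        for entry in match.group(1).split(","):
            entry = entry.strip()
            if not entry:
                continue
            host, sep, port = entry.rpartition(":")
            endpoint = (host, int(port)) if sep else (entry, DATA_PORT)
            if endpoint not in seen:
                seen.add(endpoint)
                endpoints.append(endpoint)
    return endpoints


def firewall_allow_list(outputs_conf: str, management_host: str):
    """Egress rules the Pi needs: each indexer on its data port, plus 8089/tcp
    to the instance hostname shown in the browser."""
    rules = [{"dst": host, "port": port, "proto": "tcp", "purpose": "forwarder data"}
             for host, port in indexer_endpoints(outputs_conf)]
    rules.append({"dst": management_host, "port": MANAGEMENT_PORT, "proto": "tcp",
                  "purpose": "forwarder management"})
    return rules


def resolve_ipv4(host: str):
    """IPv4 addresses for a rule destination (the ping/nslookup step); [] if unresolvable."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes, i.e. the rule lets it through."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachability_self_test():
    """Exercise tcp_reachable offline: a listening local port, then the same port closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    for rule in firewall_allow_list(OUTPUTS_CONF, "my-stack.splunkcloud.invalid"):
        print(rule, "->", resolve_ipv4(rule["dst"]) or "unresolved")
    print("self-test (open, closed):", reachability_self_test())
```

Run it on the Pi with the real outputs.conf contents and the instance hostname from your browser; a False from tcp_reachable after the rule is saved usually means the rule was created for the wrong source host, the wrong port, or before the UTM's rule ordering lets it match.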

Getting Insight Using Splunk

Easy Searching

All the data is organized by time. Interesting fields are listed on the left side, next to the individual events.

Top URLs

Using the top command after the first pipe lets you visualize the top URLs per device.

When is Bed Time?

The timechart command lets you gain insight into the kids' sleeping patterns.

Let's Get Pro-Active

Alerts can be created directly from search results. Think of an alert as a saved search run as a batch job.

Getting Alerted

Alert actions such as emails can be sent to your phone when bad websites are being accessed.

Home Dashboards

Dashboards are built using the UI and are just searches under the covers. There is some very cool geolocation going on with the firewall data, and it is not hard to set up.


Good luck and Happy Splunking!

----------------------------------------------------
Thanks!
Todd Gow