Configure Splunk Input¶

Objective: Set the sourcetype to opnsense in the inputs.conf file on the forwarder.

Create new indexes¶

Splunk stores data in indexes. This add-on may be configured to send to a custom event index instead of the default index, main. For more information and steps to create a new index, see Splunk Docs: Create events indexes.

Purpose for creating new indexes¶

The out of the box Splunk configuration stores all data in the default index, main. It is encouraged to create a new index to ensure optimal performance, for setting retention policies, and for providing stricter access controls. For more information about how Splunk indexes work with add-ons, see Splunk Docs: Add-ons and indexes.

OPNsense has a variety of data sources that can be broken up in to separate indexes. For more information and some examples on creating and utilizing indexes see the Guide: Index Utilization in this documentation.

Splunk Universal Forwarder Configuration¶

Download the latest Splunk Universal Forwarder (UF) appropriate for your server.

Install the UF according to Splunk Docs: Install the Universal Forwarder on the server designated as your syslog server.

Once installed the configurations can be made. The following is a sample inputs.conf that can be pushed using a deployment server or configured on the UF itself.

[monitor:///var/log/remote/opnsense]
disabled = 0
host_segment = 5
sourcetype = opnsense
# optionally specify an index, if configured.
index = netfw

Push the configuration to the forwarder, if using a deployment server, or restart the UF if configuring on the UF itself.

Verify¶

Verify the setup has completed successfully by navigating to Splunk web and running a search similar to the following:

index=<chosen index> sourcetype=opnsense*

If you see data then you are all set! Proceed to Configuring Modular Inputs or start visualizing your data by downloading and installing the OPNsense App for Splunk.

If you are not seeing your data, see Troubleshooting Monitoring Inputs.