Configure Modular Input¶

The TA-opnsense modular input will interact with the OPNsense API using GET requests. This allows for system information to be returned to enrich the already ingested Splunk data. For more information on what data is collected by this modular input see Reference: Modular Input in this documentation.

Overview¶

1. Perform prerequisites
2. Create Account
3. Create Input

Prerequisites¶

1. Obtain API Credentials.
2. FQDN/IP of the OPNsense instance (multiple instances may be setup through the interface).
3. (optional) CA Certificate for OPNsense instance.
4. Splunk must be able to communicate to the firewall directly through the web port (default 443/tcp) or through a proxy.

Obtain API Credentials¶

1. Log in to the OPNsense web interface.
2. Navigate to System > Access > Users.
3. Create a new user or edit an existing user.
4. Scroll down to the API keys section, click the "+" to create new API credentials. This downloads an "apikey.txt" file containing the credentials for the API. These will be used in later steps.

Obtain CA Certificate¶

The Certificate Authority (CA) certificate can be used to verify authenticity of the device you are connecting to.

1. Log in to the OPNsense web interface.

2. Navigate to System > Trust > Authorities.

   Not Seeing any Certificates?

   If no certificates show up in this view, this could mean that you are using the default self-signed Web certificate from OPNsense. If this is the case, skip these steps and ensue the "Verify Certificate" checkbox is not checked when setting up the modular input. For better security, it is recommended to create a new certificate for the OPNsense web interface (see OPNsense Documentation for more information).

3. Export the CA cert of the Authority being used for the web interface.

4. Place the CA Certificate into $SPLUNK_HOME/etc/auth. It may be easier to create a new directory to keep this certificate separate (i.e. $SPLUNK_HOME/etc/auth/opnsense_certs).

Create Account¶

At least one account is needed for the modular input to work.

1. Verify Prerequisites have been completed before proceeding.
2. Log in to the Splunk web interface.

3. Navigate to the OPNsense Add-on for Splunk > Configuration (Tab).

   Not seeing the OPNsense Add-on?

   The OPNsense Add-on for Splunk must be set to visible in order to configure the modular input.

   1. In Splunk web, navigate to the "Manage Apps" view by clicking the gear icon on the Launcher page or click "Manage Apps" from the "Apps" dropdown next to the Splunk logo on the top left of the screen.
   2. In the app list search for "OPNsense Add-on" and click "Edit properties" on the right side.
   3. Ensure "Visible" is set to Yes and save.

4. Add a new Account.

5. Enter a name for the account.
6. Enter the API credentials previously created.
7. Enter the IP/FQDN of the OPNsense instance.
8. If different from default port of 443, enter the port number being used.

9. (Optional) Enter the certificate path relative to $SPLUNK_HOME/etc/auth or as an absolute path.

   Example

   relative path: opnsense_certs/OPNsense.crt

   absolute path: /opt/splunk/etc/auth/opnsense_certs/OPNsense.crt

10. Uncheck the box if you are not using a certificate to verify.

11. Click add.
12. (optional) Configure proxy.
13. (optional) Set logging level.
14. Proceed to create an input.

Create Input¶

1. An account is needed before proceeding.
2. Navigate to the Input tab.
3. Click "Create New Input."
4. Enter a unique name.
5. Set an interval to run in seconds or a valid cron schedule.
6. Select an index.
7. Select the correct account credentials for the input.
8. Click add.

Verify¶

Once completed the modular input will immediately run. To verify open up a search and run a similar query:

index=<your index> sourcetype=opnsense:system

If data does not appear within a few minutes, see Troubleshooting Modular Inputs.