It’s a Family Affair…What’s up with the Family?
“Its a Family Affair“ Whenever I sing that Sly and the FamilyStone song around the house the kids just roll their eyes with disgust. I laugh and tell them not to ’dis on an old great tune. While singing it I often wonder how Sly’s lyrics would be different today considering the technical challenges facing parents trying to monitor their teenager’s online activities.
Fortunately, there are many great methods both paid and free that are available to parents these days. The good news is that no matter what your parenting style there is a tool that you can probably use to monitor your children’s online behavior. The bad news is there are just too many tools to choose from and often times they don’t play nice together.
Being a geek at heart as well as a caring parent I decided to try a different approach. Could I monitor the family’s online actitivies and not have to invest in a lot of hardware and software? What if I wanted to include other house IoT monitoring as well? Could I build a system that even my less technical neighbor Bob could easily use as well. Well let’s see how far I got shall we?
Before I go any further I have to shout out to several fellow Splunkers and SE Interns that helped me on this journey. The amazing fellow Splunkers Joe Welsh for his setup advice and passion, Bryan Schaefer for his assistance with SophosUTM (gotta check out his Splunk for Sophos UTM App) and Interns Walter Pospick and John Desaulos for their tenacious hardware hacking.
Here is an overview of the architecture I built. Many different devices are authenticating to my Access Point then all of the traffic is going through my Security Server that is running a web proxy and firewall. The web proxy and firewall data is forwarded via syslog to a Splunk Universal Forwarder (UF) running on a Raspberry Pi 3. The UF forwards the compressed syslog data via a guaranteed and secure TCP connection to the Splunk Light cloud service instance.
Security Server Setup
I have a pretty good ISP connection at home but the logging is not ideal. It does have a built-in firewall but just shows my port connection status (drop/allow). Kind of interesting from a security standpoint but not really what I was looking for in terms of understanding the family’s online activity. So I decided to look into a unified threat monitoring system that goes in between my ISP Modem and Wireless Access Point. There are many options to choose from here but I looked into a couple of all-in-one systems that are fairly inexpensive by Sophos UTM and pfSense.
Both Sophos and pfSense have solutions that can be used by the home user without breaking the bank. Sophos has a United Threat Monitor (UTM) home edition system that includes a firewall, web proxy, etc. and is free up to 50 IP addresses. It is an application that runs on a hardened version of Linux that can run in either a VM or a dedicated system. There are a number of small form-factor systems that you can purchase on Amazon (Intel Celeron J1900 Quad Core) or on New Egg (Zotac ZBOX C Series). Any system will do just make sure it has two network ports. I was looking for something small that can run on a desk without too much noise or heat. pfSense also sells an all-in-one hardware/software system that is quite affordable as well. It fits very nicely on the desk and doesn’t make a peep. There are software packages (firewall, web proxy, etc.) that can be easily enabled on the system depending on your requirements.
Sophos and Pfsense have many fans out there and between the official docs and blogs I would refer to these to optimize your setup. There are also a number of videos on setting up all aspects of the both systems. I enabled both the firewall and web proxy on the Sophos UTM and below is a logging example from the Firewall Live Log:
I want this data in Splunk so I can easily configure searches, alerts, reports and dashboards right? Let’s go over how easy that is to get configured.
Syslog Server Setup
The Sophos UTM has the ability to syslog the logging data to a remote server. Once you are logged in as the admin user then simply select the Logging & Reporting -> Log Settings then select the Remote Syslog Server tab. You will need to supply your syslog server ip address, port. Here is an excellent video that goes through the steps.
Next we need to setup our syslog server. The cheapest solution I could find that was reliable and didn’t take a lot of electricity to run is the Raspberry Pi 3. The new Pi 3 just came out this year and it has built-in wifi and Bluetooth plus four USB ports to connect devices. There is a NOOBs version of the OS that makes the install and configuration dead simple. I did have some issues using the default port of 514 for syslog so I used a different port above 1024 which I will go into further detail later. Another big reason I chose the Raspberry PI was because it is very easy to have it collect data from many other IoT devices that I can plug into the house. There are many different guides and books on how to setup a Raspberry Pi and the community is awesome too.
The NOOBs installer has the Raspbian OS bundled as an option. Once Raspbian is installed and the wifi configured to connect to the access point then the next step is to install a Spunk Universal Forwarder (UF) on the Raspberry Pi.
Splunk Universal Forwarder Install
The UF can be downloaded from the Splunk web-site by going here. Make sure that you select the 64-bit ARM version of the Linux UF. The UF can be installed with the following steps:
$ tar xvzf splunkforwarder-<...>-Linux-x86_64.tgz
or if you want to install it in the /opt directory then run the following command on the Raspberry Pi:
$ tar xvzf splunkforwarder-<...>-Linux-x86_64.tgz -C /opt
Verify that the UF is running with the following command:
$ /opt/splunkforwarder/bin/splunk status
We will come back to this configuration in a later.
Splunk Light in the Cloud
There are many options for the Splunk depending on your expertise and needs. You can run it on a server in your environment or there are very cost effective cloud solutions. I chose the Splunk Light cloud service because it is both easy to get data in and access it. Once again you want to select the green Free Splunk link on the Splunk Home Page and select the appropriate prompts to sign up for a 15 day trial of Splunk Light cloud service.
Once the instance is up and running you will need to login using your splunk.com credentials and select the My Account -> Instances menu option. To access your instance then simply select the “ACCESS INSTANCE” menu and you will be logged into Splunk Light.
Now you need to download the Splunk Universal Forwarder Credentials which has to be installed on your Universal Forwarder. The Universal Forwarder Credentials get installed on the Raspberry Pi. The Universal Forwarder Credentials makes sure that your data is encrypted and compressed before it is sent to the Splunk Light cloud service.
Select the graphic next to the splunk>light then select the Universal Forwarder link.
Next select the “Download Universal Forwarder Credentials” link and a file will be downloaded with an spl file extension. You will need to get this file over to the Raspberry Pi via sftp or sneaker net.
Universal Forwarder Credentials Install Steps
The Splunk UF is typically installed in the /opt/splunkforwarder directory and the splunk command is located in the bin directory. The credentials file is called splunkclouduf.spl. The steps to install are the following:
$ /opt/splunkforwarder/bin/splunk install app <full path to the splunkclouduf.spl> -auth <username>:<password> (defaults are admin:change).
$ /opt/splunkforwarder/bin/splunk restart
Link to the online Splunk Docs for this topic.
Sophos UTM Monitoring Data into SplunkLight Cloud Service
- Installed and configured a Sophos UTM Home edition with web proxy and firewall
- Configured Sophos UTM to syslog data to a syslog server (in our case a Raspberry Pi)
- Setup a Raspberry Pi as a Syslog Server
- Downloaded and installed a Splunk UF on the Raspberry Pi
- Signed up for the Splunk Light cloud service
- Downloaded and installed the Splunk Light cloud service credentials App on our Raspberry Pi
Now we just need to configure the UF on the Raspberry Pi to listen for the syslog traffic from our Sophos UTM server. You will need to remember what port and which protocol (UDP or TCP) you selected in the Remote Syslog Server tab on your Sophos UTM server. I would suggest that you use UDP and a port above 1024. For our example we can use 20514/udp.
Log into your Raspberry Pi and run follow these steps:
$ cd /opt/splunkforwarder/etc/apps/search
$ mkdir local
$ cd local
$ vi inputs.conf
(use whatever file editor you are comfortable to create and edit a new file)
Put the following in the inputs.conf file:
Now restart the Splunk UF:
$ /opt/splunkforwarder/bin/splunk restart
Now we are not completely done yet. The last step is to enable in your Sophos UTM firewall to allow traffic from your Raspberry Pi running the Splunk UF to the Splunk Light cloud service. You will need to know the ip address of the Splunk Cloud server. The hostname is in the browser when you connect to the service or run the following command on your Raspberry Pi:
$ grep server /opt/splunkforwarder/etc/apps/splunkclouduf/default/outputs.conf
There are several methods for getting the ip address such as ping, nslookup and dig, i.e.:
$ ping <splunk cloud server name>
The next step is to create a firewall rule that will allow the UF on the Raspberry Pi to communicate with the Splunk Light cloud service server. Log into the Sophos UTM and navigate to Network Protection -> Firewall. There are two TCP ports that the UF uses. One is for sending data (9997) and the other is for management (8089). The last step is to log into your Splunk Light cloud service and data should be showing up. Once you are logged in then there should be the ip address or hostname of your Raspberry Pi with data coming in.
Getting Insight Using Splunk
All the data is organized by time. Interesting fields are on the left-side of the individual events
Using the top command after the first pipe allows the visualization of the Top URLs per device.
|When is Bed Time?
The timechart command allows to gain insight to sleeping patterns of the kids
|Let’s get Pro-Active
Alerts can be created directly from search results. Think of an alert as a saved search run as a batch job.
Alert Actions such as emails can be sent to your phone when bad web-sites are being accessed
Dashboards are built using the UI and are just searches under the covers. There is some very cool geolocation going on with the firewall data but it is not hard to set up.
Good luck and Happy Splunking!