Configure Splunk Receiver for Pi Hole Logs - cfloquetprojects/homelab GitHub Wiki

Pre-Flight Check:

Ensure you have a working, running Pi-Hole host with firewall ports open for forwarding the dnsmasq logs, and an updated, patched, and properly networked Ubuntu 20.04 LTS Core Server with Splunk running in a Docker container (a guide for which can be found here).

Configuring Pi-Hole for sending logs to Splunk:

Ensure you install the Splunk Universal Forwarder on Pi-Hole using a guide I recently created.

Next, SSH into your Pi-Hole and add the following configuration by creating or updating a couple of .conf files:

First, let's update the inputs.conf file found at /opt/splunkforwarder/etc/system/local/inputs.conf:

$ vi /opt/splunkforwarder/etc/system/local/inputs.conf
# dnsmasq query log (the file that log-queries=extra writes to)
[monitor:///var/log/pihole.log]
disabled = 0
sourcetype = pihole
index = pihole-dns

# pihole-FTL daemon log
[monitor:///var/log/pihole-FTL.log]
disabled = 0
sourcetype = pihole:ftl
# both inputs go to the index we will create in Splunk
index = pihole-dns

Next, we need to create or modify a .conf file in the dnsmasq.d directory on the Pi-Hole host:

$ vi /etc/dnsmasq.d/02-pihole-splunk.conf
# log every query with its serial number and the requesting client's IP/port
log-queries=extra

Now restart Pi-Hole's DNS resolver so dnsmasq picks up the new option:

$ pihole restartdns
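As an added example (my own code, not from the wiki), here is a small parser for the pihole.log lines that `log-queries=extra` produces, run over a constructed sample. It shows the query serial and client IP/port that the option adds, which is what lets a query be tied to its forwarded/reply/blocked lines once the log reaches Splunk, and it flags lines that lack the prefix (the sign the option is not active). The sample lines, hosts and domains are constructed; the message layouts are the ones dnsmasq/Pi-hole write.

```python
import re

# log-queries=extra puts the query serial and the requester's ip/port after "dnsmasq[pid]:".
EXTRA_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
                        r"(?P<qid>\d+) (?P<client>[0-9A-Fa-f.:]+)/(?P<port>\d+) (?P<msg>.+)$")

def parse_line(line):
    """Parse one pihole.log line; None means the `extra` prefix is missing."""
    m = EXTRA_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    words = rec.pop("msg").split()
    if words[0].startswith("query["):            # query[A] name from client
        rec.update(action="query", qtype=words[0][6:-1], name=words[1])
    elif words[:2] == ["gravity", "blocked"]:    # gravity blocked name is 0.0.0.0
        rec.update(action="blocked", name=words[2], answer=words[-1])
    else:                                        # forwarded|reply|cached name to|is value
        rec.update(action=words[0], name=words[1], answer=words[-1])
    return rec

def correlate(lines):
    """Tie each query serial to its client, name, type, outcome and answer.
    Returns (queries_by_serial, count of lines lacking the extra prefix)."""
    queries, unparsed = {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        q = queries.setdefault(rec["qid"], {"client": rec["client"], "outcome": None})
        if rec["action"] == "query":
            q.update(name=rec["name"], qtype=rec["qtype"])
        elif rec["action"] in ("forwarded", "cached", "blocked"):
            q["outcome"] = rec["action"]
        if rec["action"] in ("reply", "cached", "blocked"):
            q["answer"] = rec["answer"]
    return queries, unparsed

# Constructed sample in the layout Pi-hole writes with log-queries=extra; the last
# line deliberately lacks the prefix to show how its absence is detected.
SAMPLE_LOG = """\
Mar 10 14:01:22 dnsmasq[3291]: 101 192.168.1.20/52107 query[A] github.com from 192.168.1.20
Mar 10 14:01:22 dnsmasq[3291]: 101 192.168.1.20/52107 forwarded github.com to 1.1.1.1
Mar 10 14:01:22 dnsmasq[3291]: 101 192.168.1.20/52107 reply github.com is 140.82.112.3
Mar 10 14:01:23 dnsmasq[3291]: 102 192.168.1.31/40012 query[A] ads.example.net from 192.168.1.31
Mar 10 14:01:23 dnsmasq[3291]: 102 192.168.1.31/40012 gravity blocked ads.example.net is 0.0.0.0
Mar 10 14:01:24 dnsmasq[3291]: query[AAAA] plain.example.org from 192.168.1.40
""".splitlines()
```

Running `correlate` over a few hundred real lines from /var/log/pihole.log after the restart is a quick way to confirm the prefix is present before pointing the forwarder at the file.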

Creating Splunk Pi-Hole Receiver:

Now log in to your Splunk Web admin interface and click the gear icon next to Apps, or use the Apps drop-down and select Manage Apps:

[Screenshot 1: Manage Apps]

Now choose 'Browse for more apps' (shown below) to install more specialized packages for Pi-Hole:

[Screenshot 2: Browse for more apps]

Let's start by searching for and installing the Splunk Common Information Model (CIM):

[Screenshot 3: Installing the Splunk Common Information Model]

Note: You may need to authenticate with your splunk.com credentials for this step, rather than the local admin account of the Splunk appliance.

After it has finished installing, click Done, as we have more software to install.

Next, let's grab the 'Force Directed App for Splunk':

[Screenshot 4: Force Directed App for Splunk]

Install both the “Pi-hole Add-on for Splunk” and “Pi-hole DNS App for Splunk” provided by author Zachary Christensen.

[Screenshot 5: Pi-hole Add-on and DNS App install]

[Screenshot 5a: Pi-hole Add-on and DNS App install, continued]

Restart your Splunk appliance if prompted.

Now we need to create an index for our Pi-Hole logs, which can be done via Settings/Indexes, shown below:

[Screenshot 6: Settings/Indexes]

Click on New Index in the upper right-hand corner:

[Screenshot 7: New Index]

Provide an index name of “pihole-dns”; this must match the index value set in inputs.conf on the Pi-Hole earlier. The other default settings should be fine for this setup. Click Save:

[Screenshot 8: Index settings]

Now navigate to Settings and, under Data, select Forwarding and receiving:

[Screenshot 9: Forwarding and receiving]

Under Receive Data, select Configure Receiving:

[Screenshot 10: Configure Receiving]

Click on New Receiving Port in the upper right-hand corner.

Specify which port to listen on; in this instance TCP 9997 will be used. This is the port the Universal Forwarder on the Pi-Hole sends to, so it must be the one allowed through the firewall between the two hosts:

[Screenshot 11: New Receiving Port]

Configuring Pi-Hole DNS App for Splunk:

In order to ingest and visualize data from our Pi-Hole DNS server, we need to configure the Pi-Hole DNS Add-on that we installed earlier in this lab.

Keep in mind that the add-on uses the API of the Pi-Hole web server to pull some key statistics from that server, while the logs themselves are ingested directly from our Universal Forwarder.

Once we have created our Pi-Hole account within the Configuration tab, we can create a new input using that account and set its index to pihole-dns:

After a few minutes, you should start seeing data appear in the dashboards!