Endure Secure Knowledge Base
Forward Pi-Hole Logs to Splunk
My Environment
- Raspberry Pi 3 running:
Linux raspberrypi 5.4.83-v7+ #1379 SMP Mon Dec 14 13:08:57 GMT 2020 armv7l GNU/Linux
- Pi-hole v5.2.4
- Web Interface v5.4
- FTL v5.7
- Splunk running in a Docker container on a Synology NAS
Preparation
You will need:
- A free Splunk account to get the latest version of the Splunk Universal Forwarder.
- Pi-Hole up and running.
- Root access to your Pi-Hole server.
Installation
- Sign up for a Splunk account at Splunk.com.
- Navigate to the download page for the Splunk Universal Forwarder and get the wget command line for the ARM package and download. NOTE: The latest ARM package available for me was 8.2.1. This was not working for me because the I was running 32 bit Raspbian so I had to go to the previous package repository and get the 8.2.1 ARM package. See here. You can check if your Splunk UF is 32bit or 64bit by running this command once you have extracted the package (see next step):
file /opt/bin/splunkforwarder/splunk
- Extract the package to /opt
- Create a new user called ‘splunk’ to run Splunk UF.
- Change ownership of the splunk directory to splunk, and set variable:
export SPLUNK_HOME=/opt/splunk chown -RP splunk:splunk /opt/splunkforwarder
- Create a new file: /opt/splunkforwarder/etc/system/local/inputs.conf with the following:
# inputs.conf [monitor:///var/log/pihole.log] disabled = 0 sourcetype = pihole index = pihole [monitor:///var/log/pihole-FTL.log] disabled = 0 sourcetype = pihole:ftl index = pihole
- Create a new file: /opt/splunkforwarder/etc/system/local/outputs.conf with the following:
[tcpout] defaultGroup=indexer [tcpout:indexer] server=192.168.1.50:9997
NOTE: set the server to your Splunk indexer or Splunk Heavy Forwarder IP address.
- Set Splunk Universal Forwarder to start at boot time:
[sudo] $SPLUNK_HOME/bin/splunkforwarder enable boot-start
- Reboot Splunk Universal Forwarder or just reboot the entire Raspberry Pi.
- Switch over to the splunk user.
- Start splunk:
/opt/splunk/bin/splunkforwarder start --accept-license -user splunk
Pi-Hole Configuration
- Create a new file: /etc/dnsmasq.d/02-pihole-splunk.conf with:
log-queries=extra
- Restart Pihole or restart the Raspberry Pi.
Splunk configuration
- Download and install the Pihole TA. This will provide field extraction for the Pihole logs.
- If you want the prebuilt dashboards, download the Pihole App.