Building a Splunk Dashboard for OpenVPN

Recently, I have started tinkering with Splunk dashboards and thought about systems or applications I would want to monitor from a “single pane of glass”. OpenVPN is my first thought due to the importance and wide use in the community. My OpenVPN build is on a CentOS 7 VM, so I will be using the Splunk Fowarder to push the data I need to collect in Splunk.

First things first, what do I want to know at a glance from the Splunk dashboard?

  • Connection Success / Failed
  • Current connections (User)
  • Data Sent/Received

Connection Attempts

The logs we need for connection attempts are stored in /var/log/messages

Here are the successful connection logs:

Dec  1 16:45:06 vpn openvpn: Sun Dec  1 16:45:06 2019 us=778288 client/11.22.33.44:52358 MULTI: Learn: 10.8.0.6 -> client/11.22.33.44:52358
Dec  1 16:45:06 vpn openvpn: Sun Dec  1 16:45:06 2019 us=778313 client/11.22.33.44:52358 MULTI: primary virtual IP for client/11.22.33.44:52358: 10.8.0.6
Dec  1 16:45:06 vpn openvpn: Sun Dec  1 16:45:06 2019 us=782022 client/11.22.33.44:52358 PUSH: Received control message: 'PUSH_REQUEST'
Dec  1 16:45:06 vpn openvpn: Sun Dec  1 16:45:06 2019 us=782121 client/11.22.33.44:52358 SENT CONTROL [client]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS DNSIP1,dhcp-option DNS DNSIP2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)

The most important log here is the last line (status=1). This indicates success, while (status=1/failure) is a failure.

Ensure we have the Splunk forwarder to give us the /var/log/messages with this command on the OpenVPN server:

./splunk add monitoring /var/log

The raw data coming into Splunk now need to recognize the status. To do that we will use field extractions. Drop down the event > Event Actions > Extract Fields

Select regular expression > Next:

Select the (status=1) and name the field “status” > Add Extraction:

Regular Expression
^[^\]\n]*\](?P<action>:\s+\w+\s+\w+\s+\w+\s+\w+)

Now lets take a look at what we are getting in Splunk.

Success:

Failure:

After the field extraction has been configured we can use the following search in Splunk to the desired results.

host="vpn" status="Status=1" OR status="1/FAILURE" | stats count(status) by status | replace "status=1" with "Success" | replace "1/FAILURE" with Failure

Now we will create the Visualization for the dashboard. Click the Visualization tab and select Pie Chart. Save to new Dashboard and create a panel for the Visualization.

Current Connections

Now I want currently connected profile information. I found this log in the /etc/openvpn/openvpn-status.log

Add forwarding to this log with the following command:

[root@vpn bin]# ./splunk add monitor /etc/openvpn/openvpn-status.log
Your session is invalid.  Please login.
Splunk username: admin
Password: 
Added monitor of '/etc/openvpn/openvpn-status.log'.

Here is what we get in Splunk.

Begin another field extraction with the relevant sample.

Next > Regular Expression > Next :

Field extractions:

  • 10.8.0.6 = issued_ip
  • client1 = profile
  • SourceIP = src_ip
  • 37462 = src_port
  • Dec 7 … = date
Regular Expression
^(?P<issued_ip>[^,]+),(?P<profile>\w+),(?P<src_ip>[^:]+):(?P<src_port>\d+)[^ \n]* (?P<Date>\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)

The following search will give us the data we need for the visualization.

So we get one profile connection log approx. every minute, so if we save the search with 1 minute real-time the current connections should be accurate.

Splunk search used to create table and clean up field names.

host="10.0.0.10" source="/etc/openvpn/openvpn-status.log" profile=* |table Date,src_ip,src_port,issued_ip | rename src_ip as "Source IP", src_port as "Source Port", issued_ip as "VPN Issued IP"

Dashboard panel visualization:

Sent/Received Data

The data we need is stored in the source=”/etc/openvpn/openvpn-status.log” The numbers after the source port represent received and sent data in KB. Use field extractions to pull the values from the logs.

Regular Expression
^[^:\n]*:\d+,(?P<rcv_kb>\d+),(?P<sent_kb>\d+)

Splunk Search to grab the sent and received totals in an hour.

host="10.0.0.10" source="/etc/openvpn/openvpn-status.log" rcv_kb=* |table _time,rcv_kb,sent_kb | rename rcv_kb as "Received KB", sent_kb as "Sent KB"

The above search visualized as a bar chart:

Conclusion

The goal of having visualizations for the following data for OpenVPN is complete: Connection Success/Failures, currently connected profiles, and data received/sent over time.

Final Dashboard for OpenVPN:

The configuration was simple yet very useful for a quick glance to see the OpenVPN log data visually. Reach out in the forums for any questions or comments here.

Until next time stay safe in the Trenches of IT!

Leave a Reply