Building a Splunk Dashboard for OpenVPN

Recently, I have started tinkering with Splunk dashboards and thought about systems or applications I would want to monitor from a “single pane of glass”. OpenVPN is my first thought due to its importance and wide use in the community. My OpenVPN build is on a CentOS 7 VM, so I will be using the Splunk Forwarder to push the data I need into Splunk.

First things first, what do I want to know at a glance from the Splunk dashboard?

  • Connection Success / Failed
  • Current connections (User)
  • Data Sent/Received

Connection Attempts

The logs we need for connection attempts are stored in /var/log/messages

Here are the successful connection logs:

Dec  1 16:45:06 vpn openvpn: Sun Dec  1 16:45:06 2019 us=778288 client/11.22.33.44:52358 MULTI: Learn: 10.8.0.6 -> client/11.22.33.44:52358
Dec  1 16:45:06 vpn openvpn: Sun Dec  1 16:45:06 2019 us=778313 client/11.22.33.44:52358 MULTI: primary virtual IP for client/11.22.33.44:52358: 10.8.0.6
Dec  1 16:45:06 vpn openvpn: Sun Dec  1 16:45:06 2019 us=782022 client/11.22.33.44:52358 PUSH: Received control message: 'PUSH_REQUEST'
Dec  1 16:45:06 vpn openvpn: Sun Dec  1 16:45:06 2019 us=782121 client/11.22.33.44:52358 SENT CONTROL [client]: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS DNSIP1,dhcp-option DNS DNSIP2,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM' (status=1)

The most important log here is the last line, ending in (status=1). This indicates success, while (status=1/failure) indicates a failure.

Make sure the Splunk forwarder is sending us /var/log/messages by running this command on the OpenVPN server:

./splunk add monitor /var/log

The raw data coming into Splunk now needs to have the status recognized. To do that we will use field extractions. Drop down the event > Event Actions > Extract Fields

Select regular expression > Next:

Select the (status=1) and name the field “status” > Add Extraction:

Regular Expression
^[^\]\n]*\](?P<action>:\s+\w+\s+\w+\s+\w+\s+\w+)

Now let's take a look at what we are getting in Splunk.

Success:

Failure:

After the field extraction has been configured we can use the following search in Splunk to get the desired results.

host="vpn" status="status=1" OR status="1/FAILURE" | stats count(status) by status | replace "status=1" with "Success" | replace "1/FAILURE" with "Failure"

Now we will create the Visualization for the dashboard. Click the Visualization tab and select Pie Chart. Save to new Dashboard and create a panel for the Visualization.

Current Connections

Now I want information on the currently connected profiles. I found this log in /etc/openvpn/openvpn-status.log.

Add forwarding to this log with the following command:

[root@vpn bin]# ./splunk add monitor /etc/openvpn/openvpn-status.log
Your session is invalid.  Please login.
Splunk username: admin
Password: 
Added monitor of '/etc/openvpn/openvpn-status.log'.

Here is what we get in Splunk.

Begin another field extraction with the relevant sample.

Next > Regular Expression > Next :

Field extractions:

  • 10.8.0.6 = issued_ip
  • client1 = profile
  • SourceIP = src_ip
  • 37462 = src_port
  • Dec 7 … = date

Regular Expression
^(?P<issued_ip>[^,]+),(?P<profile>\w+),(?P<src_ip>[^:]+):(?P<src_port>\d+)[^ \n]* (?P<Date>\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)

The following search will give us the data we need for the visualization.

We get one profile connection log roughly every minute, so if we save the search as a 1-minute real-time search, the current connections should be accurate.

Splunk search used to create the table and clean up the field names:

host="10.0.0.10" source="/etc/openvpn/openvpn-status.log" profile=* |table Date,src_ip,src_port,issued_ip | rename src_ip as "Source IP", src_port as "Source Port", issued_ip as "VPN Issued IP"

Dashboard panel visualization:

Sent/Received Data

The data we need is stored in source="/etc/openvpn/openvpn-status.log". The numbers after the source port represent received and sent data in KB. Use field extractions to pull the values from the logs.

Regular Expression
^[^:\n]*:\d+,(?P<rcv_kb>\d+),(?P<sent_kb>\d+)

Splunk search to grab the sent and received totals in an hour:

host="10.0.0.10" source="/etc/openvpn/openvpn-status.log" rcv_kb=* |table _time,rcv_kb,sent_kb | rename rcv_kb as "Received KB", sent_kb as "Sent KB"

The above search visualized as a bar chart:
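As an added example (not code from the original post or from Splunk), the following Python applies the two openvpn-status.log extractions above plus the success/failure split from the Connection Attempts section to a constructed status-log snapshot, and joins the routing-table and client-list lines of the same session into one record per profile, which the two separate Splunk searches do not do. STATUS_RE, the sample log and the function names are assumptions of this example.

```python
import re

# The two field-extraction regexes from the page, applied line by line as Splunk does:
# ROUTING_RE matches a ROUTING TABLE line, TRAFFIC_RE a CLIENT LIST line of openvpn-status.log.
ROUTING_RE = re.compile(r"^(?P<issued_ip>[^,]+),(?P<profile>\w+),(?P<src_ip>[^:]+):(?P<src_port>\d+)"
                        r"[^ \n]* (?P<Date>\w+\s+\d+\s+\d+:\d+:\d+\s+\d+)")
TRAFFIC_RE = re.compile(r"^[^:\n]*:\d+,(?P<rcv_kb>\d+),(?P<sent_kb>\d+)")
# Assumed (not the page's regex): pull the "(status=...)" marker from a SENT CONTROL line.
STATUS_RE = re.compile(r"\(status=(?P<status>[^)]+)\)")

# Constructed openvpn-status.log snapshot (not real data); addresses are placeholders.
SAMPLE_STATUS_LOG = """\
OpenVPN CLIENT LIST
Updated,Sat Dec  7 10:15:01 2019
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
client1,11.22.33.44:37462,4821,10932,Sat Dec  7 10:01:12 2019
client2,55.66.77.88:51002,120,88,Sat Dec  7 10:14:40 2019
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,client1,11.22.33.44:37462,Sat Dec  7 10:14:59 2019
10.8.0.10,client2,55.66.77.88:51002,Sat Dec  7 10:15:00 2019
END
"""


def parse_status_log(text):
    """One record per connected profile: routing-table fields joined with the
    traffic counters of the same Real Address (src_ip:src_port)."""
    traffic, sessions = {}, []
    for line in text.splitlines():
        m = TRAFFIC_RE.match(line)
        if m:  # CLIENT LIST line: second column is the Real Address
            traffic[line.split(",")[1]] = (int(m["rcv_kb"]), int(m["sent_kb"]))
            continue
        m = ROUTING_RE.match(line)
        if m:  # ROUTING TABLE line: issued_ip, profile, src_ip, src_port, Date
            rec = m.groupdict()
            rec["rcv_kb"], rec["sent_kb"] = traffic.get(f"{rec['src_ip']}:{rec['src_port']}", (0, 0))
            sessions.append(rec)
    return sessions


def count_attempts(message_lines):
    """Mirror of the '(status=1)' vs '(status=1/FAILURE)' search: counts per outcome."""
    counts = {"Success": 0, "Failure": 0}
    for line in message_lines:
        m = STATUS_RE.search(line)
        if m:
            counts["Success" if m["status"] == "1" else "Failure"] += 1
    return counts
```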

Conclusion

The goal of visualizing the following OpenVPN data is complete: Connection Success/Failures, currently connected profiles, and data received/sent over time.

Final Dashboard for OpenVPN:

The configuration was simple yet very useful for a quick glance to see the OpenVPN log data visually. Reach out here for any questions or comments.

Until next time stay safe in the Trenches of IT!
