Skip to main content
 
 
Splunk Lantern

Monitoring and logging MQTT topic messages using Eclipse Mosquitto

 

For communications companies, visibility into distributed systems (such as network hubs, towers, and field equipment) is crucial for monitoring environmental conditions, security, and operational status.

This article shows how to use Splunk Enterprise and MQTT to track sensor messages from devices like Cisco Meraki MV cameras, allowing communications providers to:

  • Monitor infrastructure. By analyzing sensor data from cameras, environmental sensors, and other Internet of Things (IoT) devices, companies can quickly assess network health and respond to potential issues remotely.
  • Analyze real-time data. MQTT topics can provide real-time data on various parameters (like light or sound levels), helping communications providers react to immediate situations, such as unusual activity or environmental changes.
  • Enhance predictive maintenance. Aggregating and visualizing sensor data over time enables predictive maintenance, helping companies preempt equipment failures and reduce downtime.
  • Improve customer experience. Monitoring service areas through sensor data allows companies to improve service reliability and address issues proactively, which is essential for customer satisfaction in a highly competitive market.

By leveraging MQTT data and visualizing it within Splunk Enterprise, communications companies can ensure they are staying proactive and responsive across their distributed networks, directly impacting their operational efficiency and customer experience.

While this article uses Cisco Meraki MV cameras in its examples, this article is applicable to more than just these devices. The guidance here can be adapted to any IoT or Industrial Internet of Things (IIoT) devices that publish messages over MQTT.

Data required

Cisco Meraki camera data, or any other camera device

Key terminology

  • MQTT: This lightweight messaging protocol is commonly used in IoT environments to allow devices to communicate. MQTT messages are structured as "topics" that devices subscribe to or publish on.
  • Eclipse Mosquitto: An open-source message broker that implements MQTT. This article uses the mosquitto_sub command to subscribe to topics on an MQTT broker and format the messages for logging.

Prerequisites

In this scenario we are going to explore adding logging data to message data from an MQTT broker. This is done by modifying the command parameters for mosquitto_sub to add in the required formatting.

To complete this process in your environment, you should be comfortable with using the command line, and command line tools. You'll also need:

  • Command line access. This is needed to subscribe to a topic on an existing MQTT broker. If you do not have access to the internet, you might need a host where an MQTT broker can be installed.
  • The ability to subscribe to a MQTT broker. Your subscription could be to a local MQTT broker, a public test server, or any other MQTT broker that you are able to access.
  • The ability to subscribe to an MQTT message on a private or a public test server. The examples used in this article are messages from Meraki MV cameras published to a test server.

The examples used in this guide are run on the same host as Splunk Enterprise. You will need the ability to install software to import logs into a local development instance of Splunk Enterprise. Alternatively, you could use the Splunk Universal Forwarder or OpenTelemetry Collector with the HEC exporter, but you will require additional steps not noted in this document.

Logging MQTT messages using Mosquitto and Splunk Enterprise

To enable the logging of messages from MQTT topics, you need to add formatting and metadata. After formatting, the log will be outputted to a log file.

In the following example, mosquitto_sub is used to subscribe to an MQTT broker, format messages in JSON, and log them. By formatting these messages in JSON, users can ingest, search, and visualize data more easily in Splunk Enterprise dashboards, making it accessible to monitor IoT devices like Meraki MV cameras.

The log file is then ingested into Splunk Enterprise, where it is queried and visualized to build an example dashboard with a filter.

  1. Subscribe to a wildcard topic on your device's MQTT broker host, or use test data from test.mosquitto.org. This example uses a public test server. The formatting adds a timestamp and outputs to a log file. JSON formatting, applied via mosquitto_sub’s output formatting, simplifies import into Splunk Enterprise. The example below uses a Unix timestamp %U and the MQTT message payload %j. Additional parameters and metadata can be included to provide context for your services, applications, asset location, or other valuable information.

    mosquitto_sub -h test.mosquitto.org -v -F '{"Timestamp": %U ,"Attributes":{"key":"value"},"Resource":{"service.name":"mosquitto_sub_topic_to_log","service.version":"semver:0.0.1"},"SeverityText":"INFO","SeverityNumber":9,"Body": %j }' -t '#' >> /path/to/mosquitto_mqtt_topics_to_log.json
    
  2. Logs should now be written when subscribed topics publish messages. To confirm this, check for log messages in the log file from mosquitto_sub. You can view the last few entries using the tail command:

    tail /path/to/mosquitto_mqtt_topics_to_log.json
    

    The screenshot below shows an example of a Zsh terminal tailing a JSON-formatted log file from Eclipse Mosquitto.

    Figure1-1_mqtt_json_log_tail_terminal.png

  3. After verifying that the log file contains data, import it into Splunk Enterprise from a local file directory. To do this, go to Settings > Data Inputs > Files & Directories > Add New +. The mosquitto_sub log file can also be sent to Splunk Enterprise using the Splunk Universal Forwarder or Splunk OpenTelemetry Collector.

    The screenshot below shows an example of log file names for MQTT message logs intended for ingestion into Splunk Enterprise.

    Figure1-2_MQTT_Log_Import_Splunk.png

  4. The JSON body, after it has been ingested by Splunk Enterprise, will appear like this in the search events:

    {
      Attributes: { key: value },
      Body: { payload: {"lux": 3.5}, payloadlen: 12, qos: 0, retain: 0, topic: /merakimv/QOE0-89RF-KMHD/light, tst: 2024-10-07T08:19:03.788382-0700 },
      Resource: { service.name: mosquitto_sub_wildcard_topic_to_log, service.version: semver:0.0.1 },
      SeverityNumber: 9,
      SeverityText: INFO,
      Timestamp: 1728314343.788357
    }         
    
  5. If you know the topic of a device or sensor, you can query it in Splunk Enterprise by the topic included with each pre-formatted and logged MQTT message. For example, messages from a Meraki MV camera include MQTT topics for audio, light, and people detection. After importing data into Splunk Enterprise, you can query the sensor readings over time with a SPL query.

    The example SPL below shows a search under the MQTT topic "/merakimv/*/light". This topic contains a device identifier for the Meraki MV camera. The device ID can be extracted into a new field titled device_id using the rex command. The MQTT message payload is formatted in an encoded JSON format, so to utilize the payload data in a query, we will need to decode it. The fromjson command allows us to extract the encoded JSON payload and utilize the key values:

    index="your_mqtt_index" host="your_mqtt_sub_host" sourcetype="mqtt_json" "Body.topic"="/merakimv/*/light"
    | rex field=Body.topic "(?<device_id>[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4})"
    | fromjson Body.payload
    | table Body.tst, device_id, lux
    

    The screenshot below shows an example of MQTT message logs for Meraki MV camera lux readings ingested into Splunk Enterprise.

    Figure1-3_merakimv-mqtt-light.png

  6. A query for Meraki MV audio detections might look similar to the one shown in the previous step, changing the MQTT topic to "/merakimv/*/audio_detections". This returns a payload with timestamp, detection ID, confidence score, and detection type. The query should look like the following:

    index="your_mqtt_index" host="your_mqtt_sub_host" sourcetype="mqtt_json" "Body.topic"="/merakimv/*/audio_detections"
    | rex field=Body.topic "(?<device_id>[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4})"
    | rex mode=sed field=Body.payload "s/(\[|\])//"
    | fromjson Body.payload
    | table ts, device_id, id, confidence, name
    

    The screenshot below shows an example of MQTT message logs from Meraki MV audio detection being ingested into Splunk Enterprise.

    Figure1-4_merakimv_mqtt_audiodetection.png

  7. To query Meraki MV audio analytics, use the MQTT topic "/merakimv/*/audio_analytics" for payload data on audio levels at specific times:

    index="your_mqtt_index" host="your_mqtt_sub_host" sourcetype="mqtt_json" "Body.topic"="/merakimv/*/audio_analytics"
    | rex field=Body.topic "(?<device_id>[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4})"
    | fromjson Body.payload
    | table ts, audioLevel
    | chart max(audioLevel) BY ts
    

    The screenshot below shows an example of MQTT message logs for Meraki MV audio analytics ingested into Splunk Enterprise.

    Figure1-5_merakimv_audio_analytics.png

  8. An SPL query for the Meraki MV raw_detections topic can use a similar structure, changing the topic and decoding the message object. This query excludes payload lengths with less than 42 characters, as these are empty message bodies with a timestamp. The query should look like the following:

    index="your_mqtt_index" host="your_mqtt_sub_host" sourcetype="mqtt_json" "Body.topic"="/merakimv/*/raw_detections" Body.payloadlen>42
    | rex field=Body.topic "(?<device_id>[0-9A-Z]{4}-[0-9A-Z]{4}-[0-9A-Z]{4})"
    | fromjson Body.payload
    | table device_id, ts, detectionId, confidence, detectionType
    

    The screenshot below shows an example of MQTT message logs for Meraki camera audio raw detections ingested into Splunk Enterprise.

Building dashboards

  1. Find the topics you are interested in to build out custom queries and dashboards. You can start by working from the queries above, then adding filters for devices and building visualizations.

    1. Add each of the above queries by clicking Actions > Save as and add them to a new or existing dashboard. Add a dropdown menu with a filter by the device_id using a query similar to this:

      index="your_mqtt_index"  host="your_mqtt_sub_host" sourcetype="mqtt_json" "Body.topic"="/merakimv/*" 
      | rex field=Body.topic "(?<device_id>[0-9A-Z]{4}\-[0-9A-Z]{4}\-[0-9A-Z]{4})" 
      | top limit=100 device_id
      
    2. Modify the data source queries for each visualization to use the device_id menu token. Additional filters can be added if you would like to drill down more on specific topics.

      The screenshot below shows an example of an SPL dashboard panel query in Splunk Enterprise. Notice the usage of a token for the device ID in the path of the MQTT topic.

  2. Admire your dashboard and validate your filters.

Next steps

Bringing your sensor data into Splunk Enterprise can help you get a complete view of your organization. Start with a search and then build dashboards utilizing your sensor data. This can help you get a picture of what is going on on the factory floor, sales floor, or a remote location. As you gather more data over time, this helps you to build baselines for the metrics you're monitoring. Other ways you can explore your MQTT topics and sensor data include:

  • Creating custom dashboards for your IoT, IIoT and Meraki MV cameras to better visualize your sensor data.
  • Utilizing ITSI to correlate your device and service metrics with business services KPIs.
  • Correlating security events with Splunk products like Splunk Enterprise Security or Splunk SOAR to help your SOC build new capabilities with existing sensor data.
  • Integrating your Meraki cameras and other sensors with Splunk Edge Hub.

You might also find it helpful to configure the following Mosquitto systemd service. This configures Mosquitto to run as a persistent background service that automatically starts on system boot, ensuring MQTT messages are continuously captured and logged.

[Unit]
Description=Mosquitto MQTT Subscriber to topic: # 
After=network.target
Wants=network.target
[Service]
Type=notify
NotifyAccess=main
ExecStart=mosquitto_sub -h your.mqttbrokerhost.com -v -F '{"Timestamp": %U ,"Attributes":{"key":"value"},"Resource":{"service.name":"mosquitto_sub_topic_to_log","service.version":"semver:0.0.1"},"SeverityText":"INFO","SeverityNumber":9,"Body": %j }' -t '#' >> /path/to/LogAllMqttTopics.json
ExecReload=/bin/kill -HUP $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target

In addition, these resources might help you understand and implement this guidance: