https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31837#M5594 <P>Lets say if i want to monitor the traffic of the network as in detecting Denial of service attacks, the log message should contain the fields under the network protection category of the Common Information Model. Is that true?</P> Fri, 20 Apr 2012 06:41:01 GMT misteryuku 2012-04-20T06:41:01Z https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31835#M5592 <P>I would like to create log messages that would be used for log analysis using Splunk such as checking for occurence of Denial of Service attacks. What would be the best logging practices for that as in what are the most important information that i should be displaying in the log messages???</P> Fri, 20 Apr 2012 02:24:58 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31835#M5592 misteryuku 2012-04-20T02:24:58Z https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31836#M5593 <P>This is a good place for getting started:</P> <UL> <LI><A href="http://dev.splunk.com/view/logging-with-splunk/SP-CAAADP5">http://dev.splunk.com/view/logging-with-splunk/SP-CAAADP5</A></LI> <LI><A href="http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6">http://dev.splunk.com/view/logging-best-practices/SP-CAAADP6</A></LI> </UL> <P>In addition, naming field according to the CIM (Common Information Model) would be a good idea:</P> <UL> <LI><A href="http://docs.splunk.com/Documentation/ES/latest/CreateTA/CommonInformationModelFieldReference">http://docs.splunk.com/Documentation/ES/latest/CreateTA/CommonInformationModelFieldReference</A></LI> </UL> Fri, 20 Apr 2012 06:00:15 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31836#M5593 ziegfried 2012-04-20T06:00:15Z https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31837#M5594 <P>Lets say if i want to monitor the traffic of the network as in detecting Denial of service attacks, the log message should contain the fields under the network protection category of the Common Information Model. Is that true?</P> Fri, 20 Apr 2012 06:41:01 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31837#M5594 misteryuku 2012-04-20T06:41:01Z https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31838#M5595 <P>Yup. Network Protection/Traffic might be the best choice.</P> Fri, 20 Apr 2012 06:42:57 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31838#M5595 ziegfried 2012-04-20T06:42:57Z https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31839#M5596 <P>What does the action field for the network protection/traffic represent? Does it represent the action of the packet??</P> Fri, 20 Apr 2012 07:04:59 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31839#M5596 misteryuku 2012-04-20T07:04:59Z https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31840#M5597 <P>something like allowed/blocked or success/failure. whatever is more reasonable.</P> Fri, 20 Apr 2012 07:10:47 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31840#M5597 ziegfried 2012-04-20T07:10:47Z https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31841#M5598 <P>Okay. i see...</P> Fri, 20 Apr 2012 07:19:59 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31841#M5598 misteryuku 2012-04-20T07:19:59Z https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31842#M5599 <P>Hi. The link you have provided above does not work anymore. It seems like the pages has changed. Can you provide the link again? thanks!</P> Tue, 14 Feb 2017 04:47:38 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31842#M5599 elusive 2017-02-14T04:47:38Z https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31843#M5600 <P>The common information model has it's <A href="http://docs.splunk.com/Documentation/CIM/latest/User/Overview">own manual</A> in particular you may wish to refer to <A href="http://docs.splunk.com/Documentation/CIM/latest/User/HowtouseCIM">using the CIM</A> and the <A href="http://docs.splunk.com/Documentation/CIM/4.7.0/User/UsetheCIMtonormalizeOSSECdata">examples of using the CIM</A></P> Tue, 14 Feb 2017 06:30:33 GMT https://community.splunk.com/t5/Getting-Data-In/Logging-practices-for-security-logging/m-p/31843#M5600 gjanders 2017-02-14T06:30:33Z