topic Re: Authentication tag not being applied in Knowledge Management

Authentication tag not being applied

unclemoose — Sun, 10 Aug 2025 22:12:21 GMT

I am trying to learn SIEM tech and am at the stage where im trying to use/setup Splunk CIM. My pipeline uses fake logs and I am trying to get them to show up with the Authentication data model. However it seems like the authentication tag is not being applied.

(files shortened )
My eventtypes.conf:
[account_locked]

search = sourcetype="logstream" action="failure" signature="Account locked"

tags = authentication, failure, account_locked

My tags.conf:

[eventtype=account_locked]

authentication = enabled

failure = enabled

account_locked = enabled

and my props.conf:

[logstream]

TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z

TIME_PREFIX = "\"_time\": \"""

MAX_TIMESTAMP_LOOKAHEAD = 30

INDEXED_EXTRACTIONS = json

FIELDALIAS-src_user_for_user = user AS src_user

FIELDALIAS-src_for_src = src AS src

FIELDALIAS-dest_for_dest = dest AS dest

FIELDALIAS-app_for_app = app AS app

FIELDALIAS-dest_for_dest = dest AS dest

Now what is really stumping me here is that no event types are being recognized. However, if I search for those logs by doing the command I used for the event type, I get the results and logs I am looking for:

search = sourcetype="logstream" action="failure" signature="Account locked"

A couple of things I confirmed:

- HEC token is correct
- The Field Aliases are compliant with the Authentication Data Model

Re: Authentication tag not being applied

PrewinThomas — Mon, 11 Aug 2025 03:58:47 GMT

@unclemoose

Are you seeing events with eventtype=account_locked? If not, Make sure eventtype is saved in a visible app and permissions are set to global.

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: Authentication tag not being applied

gcusello — Mon, 11 Aug 2025 07:11:44 GMT

Hi @unclemoose ,

where are you running the eventtype search: in the same app where it was created or in another one?

check if your eventtype is visible also outside the app where it was created, probably you shared your eventtype at app level and not at global level.

check the permissions of the eventtype.

Ciao.

Giuseppe

Re: Authentication tag not being applied

PickleRick — Mon, 11 Aug 2025 09:35:16 GMT

Apart from what has already been said about permissions, the question is what is your architecture? (all-in-one, separate indexing and search-head layer, any pre-parsing HFs?) And where did you put those props and transforms. And don't use indexed extractions unless there is absolutely no other way (not related to the problem at hand but worth remembering).

Re: Authentication tag not being applied

livehybrid — Mon, 11 Aug 2025 09:49:10 GMT

Hi @unclemoose

Firstly, settings tags = authentication, failure, account_locked in your eventtypes.conf is deprecated, so you should probably remove this incase its causing an issue.

Secondly, I wanted to check is what search mode you are using, are you using Fast mode? If so you probably wont see the eventtypes/tag fields come back - Try running in Smart of Verbose mode - do you see the tags returned then?

Lastly, where are these files within your environment? Are they in a custom/specific app? Are you running the search from the same app as the app? Are the configurations shared globally with the system or only within its app?

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Authentication tag not being applied

unclemoose — Mon, 11 Aug 2025 18:29:10 GMT

This lead me to the solution! I tried looking for eventtype=account_locked and got nothing. Turns out that my eventtypes were not global. Not only that but I needed to make a copy of my tags.conf in the search app instead of it being local to the app [logstream].