All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Defining and locating eventtypes in PCI app

zliu
Splunk Employee
Splunk Employee
‎08-26-2011 10:09 AM

In Splunk 4.1.4

***What happened:

tried to run the PCI 1.1.1 Network Changes report but it fails stating that eventtype=snmpd_network_down and eventtype=linux-password-change are missing. In investigating the issue, noticed the following.

tag=eventtype::network - Missing are eventtype=fschange_add_network, eventtype= fschange_modify_network, and eventtype=snmpd_network_down

tag=eventtype::modify - Missing are eventtype=auditd_modify, eventtype=configuration-change, eventtype=linux- password-change and linux-password-change-failed

tag=eventtype::configuration - Missing eventtype=configuration-change

tag=eventtype::policy - Is missing

***What is found:

It seems that those eventypes are all located at
$SPLUNK_HOME/etc/apps/unix/default/eventtypes.conf. They are under UNIX app.

***Questions:

How do I know which eventtypes needs to be defined under the PCI App? Or do I have to define all of them? Once I know which ones, what the best way to do this?

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

zliu
Splunk Employee
Splunk Employee
‎08-26-2011 10:10 AM

This doesn't appear to be a problem with PCI, instead the UNIX app being used by the customer. Note that PCI is not compatible with the Splunk for Unix app and SKB-unix should be used instead. In general, the SKB's that we offer contain the proper eventtypes and tags to drive the PCI reports.

The report in question PCI 1.1.1 uses the following base search syntax to look for network changes: The errors that are being seen is a result of the unix app specifying one of these tags w/ missing eventtypes. If the customer believes they have data that qualifies as network change data but it's not showing up in the report, then the data is likely not being tagged appropriately.

tag=pci tag=eventtype::network tag=eventtype::modify (tag=eventtype::configuration OR tag=eventtype::policy)

View solution in original post

Reply
Solved! Jump to solution
Solution

zliu
Splunk Employee
Splunk Employee
‎08-26-2011 10:10 AM

This doesn't appear to be a problem with PCI, instead the UNIX app being used by the customer. Note that PCI is not compatible with the Splunk for Unix app and SKB-unix should be used instead. In general, the SKB's that we offer contain the proper eventtypes and tags to drive the PCI reports.

The report in question PCI 1.1.1 uses the following base search syntax to look for network changes: The errors that are being seen is a result of the unix app specifying one of these tags w/ missing eventtypes. If the customer believes they have data that qualifies as network change data but it's not showing up in the report, then the data is likely not being tagged appropriately.

tag=pci tag=eventtype::network tag=eventtype::modify (tag=eventtype::configuration OR tag=eventtype::policy)

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...