The Common Information Model, Syslog logs, and unsure where to go from here.

tentontitan
New Member

Hey splunk>answers,

As the title suggests, I'm not sure what or how I should go about any of this. Long story short:

1) Universal Forwarder on a local syslog server. Monitors the syslog files that are created.

2) Splunk server listens for the universal forwarder. Then Splunk works its magic for searching and indexing the data.

3) I also have the Common Information Model app installed for practice and testing.

Where I'm stuck is with this:

  • How does the Common Information Model help me when transforming, indexing, and searching Syslog (and hopefully Active Directory) data?

  • How can I properly identify interesting fields in Syslog? I have it identified as Syslog traffic, and in Splunk I see the Time column and the Event column. I'm wondering if there are ways I can drill that data down even further.

Appreciate any advice as always,

tentontitan

0 Karma

sduff_splunk
Splunk Employee

You will need to identify what sort of events are being logged by Syslog. Are they just 'standard' Unix-type events, are they firewall events, or something custom?

Once you know the types of events you are receiving, match them to one (or more) of the data models provided by the CIM. You will then be able to use any CIM-compliant dashboards and searches, or enable data model acceleration.

0 Karma
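To make the "match them to a data model" step concrete for the switch logs in the question, here is an added example (not from the original thread, and not Splunk's or the CIM app's own configuration) of the four .conf files that take raw switch syslog from "just Time and Event" to events the CIM Authentication data model can see. It assumes the switches are Cisco IOS devices emitting %SEC_LOGIN messages, that the forwarder assigns them the sourcetype cisco:ios, and that the app name switch_cim, the index network and the monitored path are your choices; the two sample events in the comments are constructed, not captured from the poster's lab.

```ini
# Added example, not from the original thread or from Splunk. Assumes Cisco IOS
# switches logging %SEC_LOGIN messages, sourcetype "cisco:ios", and the CIM app
# installed. Each section is a separate file: inputs.conf lives on the universal
# forwarder, the rest in an app on the indexer/search head, e.g.
# $SPLUNK_HOME/etc/apps/switch_cim/local/  (app name, index and path are assumed).

# ---- inputs.conf (universal forwarder on the syslog server) ----
[monitor:///var/log/syslog/switches/*.log]
sourcetype = cisco:ios
index = network

# ---- props.conf (search head) ----
# Constructed sample events the extraction below is written against:
#   Jun  4 14:22:01 sw-core-01 123: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22] at 14:22:01 UTC Tue Jun 4 2024
#   Jun  4 14:22:09 sw-core-01 124: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 14:22:09 UTC Tue Jun 4 2024
[cisco:ios]
# Search-time field extraction: result, user, source IP and local port from the raw text.
EXTRACT-sec_login = %SEC_LOGIN-\d-LOGIN_(?<login_result>SUCCESS|FAILED):.*?\[user:\s*(?<user>[^\]]+)\]\s*\[Source:\s*(?<src>[^\]]+)\]\s*\[localport:\s*(?<localport>\d+)\]
# CIM Authentication expects action to be "success" or "failure".
EVAL-action = if(login_result=="SUCCESS", "success", "failure")
# The switch that received the login is the authentication target.
FIELDALIAS-auth_dest = host AS dest
# Derive the CIM app field from the management port the login arrived on.
EVAL-app = case(localport=="22", "ssh", localport=="23", "telnet", true(), "unknown")

# ---- eventtypes.conf ----
# Name the subset of switch events that are logins.
[cisco_ios_login]
search = sourcetype=cisco:ios "%SEC_LOGIN-"

# ---- tags.conf ----
# tag=authentication is the constraint the CIM Authentication data model selects on.
[eventtype=cisco_ios_login]
authentication = enabled
```

After restarting (or reloading) Splunk, check the extractions first with a plain search such as sourcetype=cisco:ios tag=authentication | table _time host user src dest action app, and then confirm the data model sees the events with | datamodel Authentication Authentication search. From that point any CIM-compliant search or dashboard, and the failed-login detections built on the Authentication model, work against the switch logs without caring that they started life as syslog. The same EXTRACT/EVAL/tag pattern is what you will repeat for the Active Directory data, mapping Windows logon events to the same model.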

tentontitan
New Member

I'm currently working with switch data in my lab. I'll be sending Active Directory data soon. That said, when I work with switch data in Splunk I get 2 fields:

Time and Events.

I'm trying to determine if separating those fields out even further would help with drilling into the data and attaching them to the Common Information Model.

0 Karma