cim_Authentication_indexes is defined, in our case, as
(index=wineventlog OR index=<linux> OR index=<rsa> OR ...)
For index=wineventlog we have nice compliance with the Authentication datamodel except src at 68% and src_user at 5%. So, I wonder if we should change the definition of the macro to be something like
( (index=wineventlog AND src=*) OR index=<linux> OR index=<rsa> OR ...)
Does it make any sense?
That would be the case in the ideal world. However, not all events have all the fields that we need for a given datamodel (the vendor/product may only offer limited fields in the events). What do you suggest in those situations?
If you have some kind of a sudo thing and your system does not log the src_user, then you should scream bloody hell at your vendor to fix their logging. I have never seen such a situation, although I have seen many situations where src_user has no context and therefore is meaningless and quite logically does not exist.
You should fix the onboarding of the data to address field issues. Doing it at search time is just a band-aid over the root issue. And you do not want to get into the business of hand-managing updates to the datamodels either.
For the Authentication datamodel, 'src' is a key field to identify the endpoint/client involved in the authentication process. If you do not have that in the events and you want to exclude them (as a last resort), adjust your eventtypes.conf and tags.conf so that they are not tagged into the Authentication datamodel.
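As an added illustration (not part of the thread above or of any Splunk add-on), here is how the "exclude at the eventtype/tag layer, leave the macro alone" approach could be written in Splunk .conf stanzas. The eventtype name wineventlog_authentication_with_src, the sourcetype, and the EventCode list are assumptions for the example; <linux> and <rsa> are the placeholders from the original post, not real index names.

```conf
# macros.conf (local/): the index allow-list from the question, kept as a
# plain index list. Field constraints such as src=* do not belong here;
# they go into the eventtype below so the datamodel scoping stays in one place.
[cim_Authentication_indexes]
definition = (index=wineventlog OR index=<linux> OR index=<rsa>)

# eventtypes.conf: the Windows logon eventtype is narrowed with src=* so that
# an event only matches when the src field was actually extracted for it.
# (Assumed eventtype name, sourcetype and EventCode list; a production add-on
# defines its own.) Events with no src value no longer match this eventtype.
[wineventlog_authentication_with_src]
search = index=wineventlog sourcetype=XmlWinEventLog EventCode IN (4624, 4625, 4634, 4648) src=*

# tags.conf: the Authentication datamodel selects events by tag=authentication,
# so only events matching the narrowed eventtype receive the tag and enter
# the datamodel. Untagged events stay searchable in the index as before.
[eventtype=wineventlog_authentication_with_src]
authentication = enabled
```

Two caveats when applying this: src=* in the eventtype only works if src is already extracted or aliased at search time (props.conf/transforms.conf), so the onboarding fix mentioned above must be in place first; and because the exclusion is silent, it is worth confirming the effect afterwards with a search such as | datamodel Authentication Authentication search | stats count AS total, count(src) AS with_src, where total and with_src should now be equal.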