Splunk Enterprise Security

How to create matching log with CIM "proxy" data model to see information in ES?

DBuhler
Explorer

I'm receiving logs from a Barracuda Web Security Gateway into Splunk.
I've created a field extraction rule inline, getting the fields to extract to match the fields of the CIM data model for web proxy.
Some of the fields like "cached", "cookies", "bytes_in" etc. are not present in the Barracuda logs, so I was thinking I could just ignore them.

The barracuda log structure can be found here: https://campus.barracuda.com/product/websecuritygateway/doc/6160435/syslog-and-the-barracuda-web-sec...

After matching the most relevant fields, I went to Enterprise Security to see if I can have some information regarding ES.

When I go into Enterprise Security and check the data model Web, I get some matches:

Am I doing this the right way?
There are not many videos teaching how to use ES. This is a clean Splunk install with just the Barracuda proxy logs and some event logs.

Can anyone put me on the right track? Thank you

1 Solution

dshpritz
SplunkTrust

Yes, if the data does not have the field, then you will have to ignore them. CIM will populate them as "unknown" in most cases.

There are some .conf presentations on CIM (https://conf.splunk.com/files/2017/slides/the-power-of-data-normalization-a-look-at-cim-under-the-ho..., for example).

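To make the mapping discussed in the question and the accepted answer concrete, here is an added configuration example. It is not from the original thread, nor from Splunk or Barracuda documentation. The sourcetype name `barracuda:websecuritygateway`, the vendor field names (`src_ip`, `dst_host`, `request_url`, `username`, `http_status`, `vendor_action`) and the vendor's action values are assumptions standing in for whatever the inline extraction in the question produces; the target names on the right-hand side (`src`, `dest`, `url`, `user`, `status`, `action`, `vendor_product`) and the `web`/`proxy` tags are the ones the CIM Web data model actually uses.

```ini
# props.conf -- alias the extracted vendor fields onto CIM Web data model names.
# Sourcetype and left-hand field names are assumed for this example; the original
# fields stay available, FIELDALIAS only adds the CIM-named copies.
[barracuda:websecuritygateway]
FIELDALIAS-cim_web_src    = src_ip AS src
FIELDALIAS-cim_web_dest   = dst_host AS dest
FIELDALIAS-cim_web_url    = request_url AS url
FIELDALIAS-cim_web_user   = username AS user
FIELDALIAS-cim_web_status = http_status AS status
# CIM expects action as allowed/blocked; the vendor spelling (ALLOW/BLOCK) is assumed.
# Anything unrecognised is set to "unknown" rather than left to guesswork.
EVAL-action = case(match(vendor_action, "(?i)^allow"), "allowed", match(vendor_action, "(?i)^block"), "blocked", true(), "unknown")
# A constant the model carries but the log does not; useful for filtering later.
EVAL-vendor_product = "Barracuda Web Security Gateway"
# Fields the log genuinely lacks (cached, cookie, bytes_in) are simply not mapped,
# as the answer above says.

# eventtypes.conf -- the Web.Proxy dataset is built from events tagged web AND proxy,
# so field names alone are not enough; the events also need these tags.
[barracuda_web_proxy]
search = sourcetype=barracuda:websecuritygateway

# tags.conf
[eventtype=barracuda_web_proxy]
web = enabled
proxy = enabled

# savedsearches.conf -- a quick check that events now land in the data model.
[Barracuda - CIM Web.Proxy mapping check]
search = | tstats count from datamodel=Web.Proxy where Web.vendor_product="Barracuda Web Security Gateway" by Web.action Web.user Web.dest
```

The `tstats` check is the fastest way to confirm the mapping end to end: if it returns rows, the events carry the tags and the aliased fields that ES's Web dashboards and the proxy-based correlation searches read from. If it returns nothing, check the tags first (`tag=web tag=proxy sourcetype=barracuda:websecuritygateway` in a plain search), then the field names.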

jcoates
Communicator

The biggest thing I see people struggle with when they first meet CIM is that it's about events, not data types. What matters in CIM is "ACTOR did THING with RESULT". That can be very simple in something like proxy data ("User went to website successfully", over and over) or it can be more complex in a data source with many types of events.

DBuhler
Explorer

Yeah, I was able to map some fields with the CIM fields, but wasn't getting/receiving any notable events or anything. Anyway, something happened that now it seems my events don't match the web data model anymore. Trying to sort it out.


DBuhler
Explorer

Ok, and for notable events and such, is it normal that I don't see anything then? I will also then need to configure alerts by myself, I suppose? I was expecting that if I map all the available fields on the Barracuda proxy log to the CIM proxy model, I would automatically get some "view info" and alerts/notable events. That's the use of CIM, right: to create a common model that allows for easy integration.

Thanks for the presentation also. I checked it before, but it is kinda empty.
