I'm receiving logs from a Barracuda Web Security Gateway into splunk.
I've created a field extraction rule inline, getting the fields to extract to match the fields of the CIM data-model for web proxy.
Some of the fields, like "cached", "cookies", "bytes_in", etc., are not present in the Barracuda logs, so I was thinking I could just ignore them.
The Barracuda log structure can be found here: https://campus.barracuda.com/product/websecuritygateway/doc/6160435/syslog-and-the-barracuda-web-sec...
After matching the most relevant fields, I went to Enterprise Security to see if I can get some information regarding ES.
When I go into Enterprise Security and check the Web data model, I get some matches:
Am I doing this the right way?
There are not many videos teaching how to use ES. This is a clean Splunk install with just the Barracuda proxy logs and some event logs.
Can anyone put me on the right track? Thank you
Yes, if the data does not have the field, then you will have to ignore them. CIM will populate them as "unknown" in most cases.
There are some .conf presentations on CIM (https://conf.splunk.com/files/2017/slides/the-power-of-data-normalization-a-look-at-cim-under-the-ho..., for example).
The biggest thing I see people struggle with when they first meet CIM is that it's about events, not data types. What matters in CIM is "ACTOR did THING with RESULT". That can be very simple in something like proxy data ("User went to website successfully", over and over) or it can be more complex in a data source with many types of events.
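To make the two points in the answer concrete (fields the source does not carry end up as "unknown", and every event boils down to "ACTOR did THING with RESULT"), here is an added example that is not from the original thread. It is a small offline normalizer in the spirit of a props.conf FIELDALIAS/EVAL mapping: the key=value log format and the vendor field names (username, src_ip, verdict, bytes_sent, ...) are constructed for the example and are not Barracuda's real syslog layout, which is documented at the link in the question. The CIM field names and the "allowed"/"blocked" action values are the Web data model's own.

```python
"""Added example, not from the original thread: map constructed proxy events
onto CIM Web data model fields, fill fields the source lacks with "unknown",
and report which CIM fields the source never provides (those can be ignored)."""

import re
from typing import Dict, List

# Subset of CIM Web data model fields used in this example (real CIM names).
CIM_WEB_FIELDS = ["user", "src", "dest", "url", "http_method", "status",
                  "action", "bytes_in", "bytes_out", "cached"]

# Hypothetical vendor field -> CIM field mapping. The left-hand names are
# assumptions for this example; in Splunk this is what FIELDALIAS/EVAL
# entries in props.conf express.
VENDOR_TO_CIM = {
    "username": "user",
    "src_ip": "src",
    "dst_ip": "dest",
    "url": "url",
    "method": "http_method",
    "http_status": "status",
    "verdict": "action",
    "bytes_sent": "bytes_out",
}

# CIM Web expects action to be "allowed" or "blocked" (else "unknown").
ACTION_MAP = {"ALLOW": "allowed", "BLOCK": "blocked"}

# Constructed sample events (key=value, not Barracuda's real format).
SAMPLE_LOG = [
    'ts=2024-01-01T10:00:00Z username=alice src_ip=10.0.0.5 dst_ip=93.184.216.34 '
    'method=GET url="http://example.com/" http_status=200 verdict=ALLOW bytes_sent=512',
    'ts=2024-01-01T10:00:05Z username=bob src_ip=10.0.0.9 dst_ip=198.51.100.7 '
    'method=GET url="http://malware.test/x" http_status=403 verdict=BLOCK bytes_sent=0',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split one key=value line into a dict, stripping quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def normalize(line: str) -> Dict[str, str]:
    """Rename vendor fields to CIM names; missing CIM fields become "unknown"."""
    raw = parse_kv(line)
    event = {cim: raw[vendor] for vendor, cim in VENDOR_TO_CIM.items() if vendor in raw}
    if "action" in event:
        event["action"] = ACTION_MAP.get(event["action"].upper(), "unknown")
    for field in CIM_WEB_FIELDS:
        event.setdefault(field, "unknown")
    return event


def summarize(event: Dict[str, str]) -> str:
    """The CIM reading of an event: ACTOR did THING with RESULT."""
    return f'{event["user"]} {event["http_method"]} {event["url"]} -> {event["action"]}'


def missing_fields(events: List[Dict[str, str]]) -> List[str]:
    """CIM fields that are "unknown" in every event: the source lacks them."""
    return [f for f in CIM_WEB_FIELDS if all(e[f] == "unknown" for e in events)]


if __name__ == "__main__":
    normalized = [normalize(line) for line in SAMPLE_LOG]
    for ev in normalized:
        print(summarize(ev))
    print("fields this source never provides:", missing_fields(normalized))
```

Running it prints one "user method url -> action" line per event and lists bytes_in and cached as fields the constructed source never provides, which is the same conclusion the answer draws for the real Barracuda feed: those fields are left to the CIM default rather than extracted.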
Yeah, I was able to map some fields to the CIM fields, but wasn't getting/receiving any notable events or anything. Anyway, something happened and now it seems my events don't match the Web data model anymore. Trying to sort it out.
OK, and for notable events and such, it is normal that I don't see anything then? I will also then need to configure alerts myself, I suppose? I was expecting that if I map all the available fields in the Barracuda proxy log to the CIM proxy model, I would automatically get some "view info" and alerts/notable events. That's the use of CIM, right, to create a common model that allows for easy integration.
Thanks for the presentation too; I checked it before, but it's kind of empty.