Splunk Enterprise Security

How to create matching log with CIM "proxy" data model to see information in ES?

DBuhler
Explorer

I'm receiving logs from a Barracuda Web Security Gateway into Splunk.
I've created a field extraction rule inline, getting the fields to extract to match the fields of the CIM data model for web proxy.
Some of the fields like "cached", "cookies", "bytes_in" etc. are not present in the Barracuda logs, so I was thinking I could just ignore them.

The Barracuda log structure can be found here: https://campus.barracuda.com/product/websecuritygateway/doc/6160435/syslog-and-the-barracuda-web-sec...

After matching the most relevant fields, I went to Enterprise Security to see if I can get some information regarding ES.

When I go into Enterprise security and check the data model web, I get some matches:
Am I doing this the right way?
There are not many videos teaching how to use ES. This is a clean Splunk install with just the barracuda proxy logs and some event logs.

Can anyone put me on the right track? Thank you

1 Solution

dshpritz
SplunkTrust

Yes, if the data does not have the field, then you will have to ignore them. CIM will populate them as "unknown" in most cases.

There are some .conf presentations on CIM (https://conf.splunk.com/files/2017/slides/the-power-of-data-normalization-a-look-at-cim-under-the-ho..., for example).

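As an added example (not from the original thread or from Barracuda), this is the shape of a search-time CIM mapping for the case above: one props.conf stanza that extracts the available fields directly under their CIM Web data model names, an EVAL that normalizes the vendor action to the CIM values, and an eventtype tagged web and proxy so the Web data model's Proxy dataset picks the events up. The sourcetype name, the eventtype name and the sample log line the regex is written against are all constructed for illustration; the real Barracuda field layout is in the vendor document linked in the question, so the regex has to be adapted to it. Fields the source does not carry (cached, cookie, bytes_in) are simply not produced; the CIM data model's own calculated fields coalesce the string ones to "unknown", which is what the answer describes.

```ini
# props.conf  (search-time, on the search head; sourcetype name is assumed)
[barracuda:websec]
# Constructed sample event this stanza is written against. NOT the vendor's
# real format; adapt the regex to the layout in the Barracuda syslog doc:
#   2019-03-12T10:15:02Z 10.1.2.33 93.184.216.34 jdoe GET http://example.com/index.html 200 ALLOW 5120 "Mozilla/5.0"
# Extract straight into CIM Web field names so no FIELDALIAS is needed.
EXTRACT-web = ^\S+\s+(?<src>\S+)\s+(?<dest>\S+)\s+(?<user>\S+)\s+(?<http_method>\S+)\s+(?<url>\S+)\s+(?<status>\d{3})\s+(?<vendor_action>\S+)\s+(?<bytes_out>\d+)\s+"(?<http_user_agent>[^"]*)"
# CIM expects action in {allowed, blocked, teardown}. Map the vendor's
# values; anything unrecognised becomes "unknown" instead of leaking a raw
# vendor string into ES dashboards and correlation searches.
EVAL-action = case(vendor_action="ALLOW","allowed", vendor_action="BLOCK","blocked", true(),"unknown")
# Derived CIM fields that the source does not emit but can be computed.
EVAL-bytes = bytes_out
EVAL-url_length = len(url)
EVAL-vendor_product = "Barracuda Web Security Gateway"
# cached, cookie and bytes_in have no source here and are deliberately not set:
# the Web data model's calculated fields turn null string fields into "unknown".

# eventtypes.conf  (eventtype name is assumed)
[barracuda_web_proxy]
search = sourcetype=barracuda:websec

# tags.conf
# tag=web is the Web data model root constraint, tag=proxy the Proxy dataset.
[eventtype=barracuda_web_proxy]
web = enabled
proxy = enabled
```

To check the mapping, run `| datamodel Web Proxy search | head 5` and confirm the events appear with `Web.action`, `Web.src`, `Web.dest`, `Web.url` populated and `Web.cached` / `Web.cookie` showing "unknown"; `| tstats count from datamodel=Web.Proxy by Web.action` then confirms the data is usable by accelerated searches. CIM compliance alone does not create notable events: ES notables come from correlation searches, which ship disabled and have to be enabled in Content Management.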

jcoates
Communicator

The biggest thing I see people struggle with when they first meet CIM is that it's about events, not data types. What matters in CIM is "ACTOR did THING with RESULT". That can be very simple in something like proxy data ("User went to website successfully", over and over) or it can be more complex in a data source with many types of events.

DBuhler
Explorer

Yeah, I was able to map some fields to the CIM fields, but wasn't getting/receiving any notable events or anything. Anyway, something happened and now it seems my events don't match the web data model anymore. Trying to sort it out.



DBuhler
Explorer

Ok, and for notable events and such, is it normal that I don't see anything then? I will also need to configure alerts by myself, I suppose? I was expecting that if I map all the available fields in the Barracuda proxy log to the CIM proxy model, I would automatically get some "view info" and alerts/notable events. That's the use of CIM, right? To create a common model that allows for easy integration.

Thanks for the presentation also. I checked it before, but it's kinda empty.
