Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Match Linux log to CIM

tdth
Engager
‎09-05-2024 05:21 AM

Hi all,

Has anyone had experience matching Linux audit logs to CIM before?

I installed the Add-on for Unix and Linux, but it didn't help. Looking at some of the use cases in Security Essentials, it seems they expect data from EDR solutions like CrowdStrike or Symantec, rather than local Linux audit logs.

Does this mean there is no way to use the out-of-the-box use cases created in Security Essentials/Enterprise Security for Linux logs?

 

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2024 07:07 AM

Only certain sourcetypes supported by the TA map to CIM datamodels.  The list is at https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

If you don't see what you need then you may need to add local aliases, etc. to the TA.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2024 07:07 AM

Only certain sourcetypes supported by the TA map to CIM datamodels.  The list is at https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

If you don't see what you need then you may need to add local aliases, etc. to the TA.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

tdth
Engager
‎09-06-2024 07:03 AM

Thanks, so this means only certain out-of-box use cases can be used immediately. The rest would need some works to be done.

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-06-2024 01:22 PM

Actually, with Linux in general, everything needs "some work" to be done.

A"Linux box" is a very broad term and a Linux server can be based on one of many different distributions (or even be installed as LFS), can be configured in a gazillion different ways so while you could cover some typical cases (like RHEL9/default install/default rsyslog configuration), there is no way to cover "any Linux".

Also remember that audit logs depend greatly (mostly, if not exclusively) on which audit rules you have defined in your system.

0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...