Splunk Enterprise Security

Match Linux log to CIM

tdth
Engager

Hi all,

Has anyone had experience matching Linux audit logs to CIM before?

I installed the Add-on for Unix and Linux, but it didn't help. Looking at some of the use cases in Security Essentials, it seems they expect data from EDR solutions like CrowdStrike or Symantec, rather than local Linux audit logs.

Does this mean there is no way to use the out-of-the-box use cases created in Security Essentials/Enterprise Security for Linux logs?

 

Thanks

Labels (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Only certain sourcetypes supported by the TA map to CIM datamodels.  The list is at https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

If you don't see what you need then you may need to add local aliases, etc. to the TA.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Only certain sourcetypes supported by the TA map to CIM datamodels.  The list is at https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

If you don't see what you need then you may need to add local aliases, etc. to the TA.

---
If this reply helps you, Karma would be appreciated.
0 Karma

tdth
Engager

Thanks, so this means only certain out-of-box use cases can be used immediately. The rest would need some works to be done.

PickleRick
SplunkTrust
SplunkTrust

Actually, with Linux in general, everything needs "some work" to be done.

A"Linux box" is a very broad term and a Linux server can be based on one of many different distributions (or even be installed as LFS), can be configured in a gazillion different ways so while you could cover some typical cases (like RHEL9/default install/default rsyslog configuration), there is no way to cover "any Linux".

Also remember that audit logs depend greatly (mostly, if not exclusively) on which audit rules you have defined in your system.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...