Splunk Enterprise Security
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Match Linux log to CIM

tdth
Explorer
‎09-05-2024 05:21 AM

Hi all,

Has anyone had experience matching Linux audit logs to CIM before?

I installed the Add-on for Unix and Linux, but it didn't help. Looking at some of the use cases in Security Essentials, it seems they expect data from EDR solutions like CrowdStrike or Symantec, rather than local Linux audit logs.

Does this mean there is no way to use the out-of-the-box use cases created in Security Essentials/Enterprise Security for Linux logs?

 

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2024 07:07 AM

Only certain sourcetypes supported by the TA map to CIM datamodels.  The list is at https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

If you don't see what you need then you may need to add local aliases, etc. to the TA.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-05-2024 07:07 AM

Only certain sourcetypes supported by the TA map to CIM datamodels.  The list is at https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Sourcetypes

If you don't see what you need then you may need to add local aliases, etc. to the TA.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

tdth
Explorer
‎09-06-2024 07:03 AM

Thanks, so this means only certain out-of-box use cases can be used immediately. The rest would need some works to be done.

Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-06-2024 01:22 PM

Actually, with Linux in general, everything needs "some work" to be done.

A"Linux box" is a very broad term and a Linux server can be based on one of many different distributions (or even be installed as LFS), can be configured in a gazillion different ways so while you could cover some typical cases (like RHEL9/default install/default rsyslog configuration), there is no way to cover "any Linux".

Also remember that audit logs depend greatly (mostly, if not exclusively) on which audit rules you have defined in your system.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top