Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Which log goes to which datamodel

VijaySrrie
Builder
‎07-19-2020 07:05 PM

Hi,

Please let me know to which datamodel below logs should be tagged to ?

1)Syslog:

Jun 18 06:25:02 ip-00-0-00-000 start-amazon-cloudwatch-agent[0000]: 2020/06/18 06:25:02 Stopping tail as file no longer exists: /var/log/syslog
 
2) Antivirus Database update logs:
Wed May 27 23:46:53 2020 -> daily database available for download (remote version: 00000)
 
3) Linux Kernal Logs
May 27 09:28:45 ip-00-0-0-000 kernel: [    0.000000] Initializing cgroup subsys cpuset
Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

VijaySrrie
Builder
‎07-20-2020 07:15 PM

syslog and kernal log goes to endpoint Datamodel.

Endpoint Datamodel:

The fields and tags in the Application State data model describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.

Antivirus database update logs goes to Malware Datamodel

Malware Datamodel:

  • Use this model for any malware detection (e.g. anti-virus) or malware operation (e.g. scan start, malware signature update) event
  • It is best suited to signature-based anti-malware, where the scanning engine receives updates to a set of signatures
  • Some products are difficult to decide whether they are best modeled as Malware or Intrusion Detection: either can be network or host based, and there is significant overlap. If it is unclear, then initiate a discussion with CSOC and other Splunk developers to decide which model is best used for a given product's logs.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

VijaySrrie
Builder
‎07-20-2020 07:15 PM

syslog and kernal log goes to endpoint Datamodel.

Endpoint Datamodel:

The fields and tags in the Application State data model describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.

Antivirus database update logs goes to Malware Datamodel

Malware Datamodel:

  • Use this model for any malware detection (e.g. anti-virus) or malware operation (e.g. scan start, malware signature update) event
  • It is best suited to signature-based anti-malware, where the scanning engine receives updates to a set of signatures
  • Some products are difficult to decide whether they are best modeled as Malware or Intrusion Detection: either can be network or host based, and there is significant overlap. If it is unclear, then initiate a discussion with CSOC and other Splunk developers to decide which model is best used for a given product's logs.
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-20-2020 06:59 AM

One does not tag events to datamodels.  Events match event types, which are mini searches.  Event types have tags.  Datamodels use tags to specify the event types they are looking for.

If your events do match an existing event type/tag then they may not apply to any data models.  There's nothing wrong with that.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...