Splunk Enterprise Security

Which log goes to which datamodel

VijaySrrie
Builder

Hi,

Please let me know which datamodel the logs below should be tagged to?

1) Syslog:

Jun 18 06:25:02 ip-00-0-00-000 start-amazon-cloudwatch-agent[0000]: 2020/06/18 06:25:02 Stopping tail as file no longer exists: /var/log/syslog

2) Antivirus database update logs:

Wed May 27 23:46:53 2020 -> daily database available for download (remote version: 00000)

3) Linux kernel logs:

May 27 09:28:45 ip-00-0-0-000 kernel: [    0.000000] Initializing cgroup subsys cpuset

VijaySrrie
Builder

Syslog and kernel logs go to the Endpoint Datamodel.

Endpoint Datamodel:

The fields and tags in the Application State data model describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.

Antivirus database update logs go to the Malware Datamodel.

Malware Datamodel:

  • Use this model for any malware detection (e.g. anti-virus) or malware operation (e.g. scan start, malware signature update) event
  • It is best suited to signature-based anti-malware, where the scanning engine receives updates to a set of signatures
  • Some products are difficult to decide whether they are best modeled as Malware or Intrusion Detection: either can be network or host based, and there is significant overlap. If it is unclear, then initiate a discussion with CSOC and other Splunk developers to decide which model is best used for a given product's logs.



richgalloway
SplunkTrust
SplunkTrust

One does not tag events to datamodels.  Events match event types, which are mini searches.  Event types have tags.  Datamodels use tags to specify the event types they are looking for.

If your events do match an existing event type/tag then they may not apply to any data models.  There's nothing wrong with that.

---
If this reply helps you, Karma would be appreciated.
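As an added illustration of the eventtype/tag chain described in this reply (not configuration from the thread or from Splunk's CIM add-on), the three stanzas below route the antivirus "database available for download" line from the question into the CIM Malware data model's Malware_Operations dataset; the sourcetype name `av_update` and the eventtype name `av_signature_update` are hypothetical, while the tags `malware` and `operations` are the ones the CIM Malware data model constrains on.

```ini
# props.conf -- field extraction for the AV update line.
# "av_update" is a hypothetical sourcetype chosen for this example.
[av_update]
# Pull the signature version out of "(remote version: 00000)" so the
# Malware_Operations field signature_version is populated.
EXTRACT-signature_version = remote version:\s*(?<signature_version>\d+)

# eventtypes.conf -- an eventtype is just a saved search that matches
# the events; the data model never looks at raw text directly.
[av_signature_update]
search = sourcetype=av_update "database available for download"

# tags.conf -- tags are attached to the eventtype, and the Malware data
# model's Malware_Operations dataset is constrained on tag=malware tag=operations.
[eventtype=av_signature_update]
malware = enabled
operations = enabled

# Verification search to run after deploying the stanzas (assumed
# data model name as shipped with the CIM add-on):
#   | datamodel Malware Malware_Operations search
#   | table _time signature_version eventtype tag
```

If the verification search returns nothing, check `eventtype=av_signature_update` first: an eventtype that does not match is the usual reason events never reach a data model.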