Splunk Enterprise Security

Which log goes to which datamodel

vijaysri
Contributor

Hi,

Please let me know which data model the logs below should be tagged to.

1) Syslog:

Jun 18 06:25:02 ip-00-0-00-000 start-amazon-cloudwatch-agent[0000]: 2020/06/18 06:25:02 Stopping tail as file no longer exists: /var/log/syslog

2) Antivirus database update logs:

Wed May 27 23:46:53 2020 -> daily database available for download (remote version: 00000)

3) Linux kernel logs:

May 27 09:28:45 ip-00-0-0-000 kernel: [    0.000000] Initializing cgroup subsys cpuset

vijaysri
Contributor

Syslog and kernel logs go to the Endpoint data model.

Endpoint Datamodel:

The fields and tags in the Application State data model describe service or process inventory and state, such as Unix daemons, Windows services, running processes on any OS, or similar systems.

Antivirus database update logs go to the Malware data model.

Malware Datamodel:

  • Use this model for any malware detection (e.g. anti-virus) or malware operation (e.g. scan start, malware signature update) event.
  • It is best suited to signature-based anti-malware, where the scanning engine receives updates to a set of signatures.
  • For some products it is difficult to decide whether they are best modeled as Malware or Intrusion Detection: either can be network or host based, and there is significant overlap. If it is unclear, then initiate a discussion with CSOC and other Splunk developers to decide which model is best used for a given product's logs.



richgalloway
SplunkTrust

One does not tag events to datamodels. Events match event types, which are mini searches. Event types have tags. Datamodels use tags to specify the event types they are looking for.

If your events do match an existing event type/tag then they may not apply to any data models.  There's nothing wrong with that.

---
If this reply helps you, an upvote would be appreciated.
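As an added example (not from either poster in this thread), the following configuration wires up the chain richgalloway describes for the antivirus update line in the question: an event type that matches the event, tags attached to that event type, and the CIM fields the Malware data model's Malware_Operations dataset expects. The sourcetype name `av_db_update`, the event type name `av_signature_update` and the vendor/product values are assumptions, since the thread does not name the antivirus product; the tag names `malware` and `operations` are the ones the CIM Malware_Operations dataset selects on (signature updates and scan start/stop events).

```ini
# local/eventtypes.conf
# Added example, not from the thread. "av_db_update" is an assumed
# sourcetype name for the antivirus update log quoted in the question.
[av_signature_update]
search = sourcetype=av_db_update "database available for download"

# local/tags.conf
# Tags are what route an event type into a data model: the CIM Malware
# data model's Malware_Operations dataset is constrained to events
# tagged both "malware" and "operations".
[eventtype=av_signature_update]
malware = enabled
operations = enabled

# local/props.conf
# Populate the CIM fields the dataset expects so the event is useful once
# it lands there. The regex matches the sample line from the question
# ("... (remote version: 00000)"); dest is taken from the host field.
[av_db_update]
EXTRACT-signature_version = remote version: (?<signature_version>\d+)\)
EVAL-dest = host
# Placeholder values: replace with the real vendor and product names.
EVAL-vendor = "EXAMPLE_VENDOR"
EVAL-product = "EXAMPLE_AV_PRODUCT"
```

To verify the mapping after restarting or reloading the search head, first confirm the event type and tags attach to raw events: `sourcetype=av_db_update | head 5 | table _time eventtype tag signature_version dest`. Then confirm the data model actually picks the events up: `| datamodel Malware Malware_Operations search | table _time dest signature_version`, or, once the model is accelerated, `| tstats count from datamodel=Malware where nodename=Malware.Malware_Operations by sourcetype`. If the first search shows the tags but the second returns nothing, the tag names or the dataset constraint are what to recheck. The syslog and kernel boot lines from the question are left out deliberately: as the reply above notes, an event that matches no existing event type/tag simply does not land in any data model, and that is acceptable.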