Splunk Enterprise

IBMi Server Data Correlation with Splunk

Maxime
Loves-to-Learn

Hello,

I have been using the Splunk SIEM tool for some time.
I have integrated security data to be reused by IBMi servers.

The information included in Splunk is exactly as it is generated by the IBMi, so I wonder whether Splunk understands the data it receives?

An example is that when IBMi sends a field called Remote_IP, can Splunk know that it is an IP address?

Do I have to change the format of its data?

I also wonder how to do data correlation on Splunk?

Thanks in advance for reading.


tej57
Contributor

Hello @Maxime,

By default Splunk tries to parse the data that gets ingested from whatever log source has been onboarded. However, there's no guarantee that Splunk will be able to understand the log source completely and provide you with the fields. There are lots of apps and add-ons available on Splunkbase for exactly this purpose (to collect and parse the data). However, if you do not find an associated app/add-on, you can write the sourcetype configuration as per your requirement and you should then be able to get the necessary fields.

Also, if the data generated is in structured format (JSON, XML, CSV, etc.), Splunk has parsing written for those by default. In that case, you'll be able to directly visualize the data.

You can find the relevant documentation links below:

https://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkdoeswithyourdata

https://docs.splunk.com/Documentation/Splunk/latest/Data/Overviewofeventprocessing

https://docs.splunk.com/Documentation/Splunk/latest/Data/Createsourcetypes

https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Configuring_new_source_types


Thanks,
Tejas.


---

If the above solution helps, an upvote is appreciated.


deepakc
Builder

At a high level:

Splunk can ingest most types of log data, using different methods of collection.

Splunk works on key-value pairs, so if IBMi can send the data, you can then search it.

The first thing to do is to look at the IBMi data and work out what format it is in and how to collect that data; for example, is it in a text log file, JSON, XML, a DB, syslog or an API.


You then need to set up the data collection method. This could involve a UF (Splunk agent), HEC using the HTTP API, or syslog, etc. This has to be based on your environment and preferred method of collecting IBMi data, and you place that data into an index.

You then need to look at whether there's a Splunk add-on in Splunkbase for IBMi data; this is used for parsing the data. If there isn't one, you then need to develop Splunk props and transforms for the parsing of the data.

You then have to make the IBMi data CIM compliant: analyse what type of data it is, extract it via parsing and map those fields to CIM fields, so Splunk SIEM ES can make use of that data.


Maxime
Loves-to-Learn

Hey,

Your message made me realize that some information is missing from my question.

IBMi data are in JSON format and are integrated via the HTTP Event Collector.

I didn’t understand what I had to do to make Splunk understand the data and make the correlation.


deepakc
Builder

Your data that's already ingested needs to be made CIM compliant. It might be worth spending some time getting your head around the CIM concepts; after this you can look at developing correlation rules.

https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Complying_with_the_Splunk_Co...

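As an added illustration (not configuration from either poster or from Splunk), the .conf stanzas below show the pieces deepakc describes for JSON arriving over HEC: search-time JSON extraction, CIM aliases that turn the IBMi field Remote_IP into src/src_ip, an eventtype plus tag that places the events in the CIM Authentication data model, and a plain scheduled search that correlates on those normalized fields. The sourcetype name ibmi:json, the index ibmi, and the field names User_Profile and Action_Status are assumptions, not real IBMi field names.

```ini
# props.conf
# (sourcetype name "ibmi:json" and every field name other than Remote_IP
#  are assumptions for this example, not real IBMi field names)
[ibmi:json]
# HEC's /services/collector/event endpoint already delivers the JSON object;
# extract its keys at search time rather than indexing them as well, which
# would produce duplicate fields.
KV_MODE = json
# CIM aliases: the Authentication model uses src/user, Network Traffic uses src_ip.
# Because Splunk now knows Remote_IP as src/src_ip, ES and CIM searches treat it as an IP.
FIELDALIAS-ibmi_src    = Remote_IP AS src
FIELDALIAS-ibmi_src_ip = Remote_IP AS src_ip
FIELDALIAS-ibmi_user   = User_Profile AS user
# CIM expects action=success|failure; map the assumed IBMi status values to it.
EVAL-action = case(Action_Status=="OK", "success", Action_Status=="FAIL", "failure", true(), "unknown")

# eventtypes.conf
# Group the events that represent a logon attempt (assumed: any event carrying Action_Status).
[ibmi_authentication]
search = sourcetype=ibmi:json Action_Status=*

# tags.conf
# The "authentication" tag is what makes the CIM Authentication data model pick the events up.
[eventtype=ibmi_authentication]
authentication = enabled

# savedsearches.conf
# A plain scheduled search used as a simple correlation rule; an ES correlation
# search adds further ES-specific keys, but the SPL is the same idea.
[IBMi - Repeated failed logons from one source]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
search = index=ibmi tag=authentication action=failure | stats count dc(user) AS distinct_users values(user) AS users by src | where count >= 10
```

Once the tag and aliases are in place, the same events also answer data-model searches such as `| tstats count from datamodel=Authentication where Authentication.action=failure by Authentication.src`, which is the form ES correlation searches typically use.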