Re: IBMi Server Data Correlation with Splunk

Maxime · ‎06-17-2024

Hello,

I have been using the Splunk SIEM tool for some time.
I have integrated security data to be reused by IBMi servers.

The information included in Splunk is such that it is generated by the IBMi, so I wonder whether Splunk understands the data it receives ?

An example is that when IBMi sends a zone call Remote_IP, can Splunk know that it is an IP address?

Do I have to change the format of his data ?

I also wonder how to do data correlation on Splunk?

Thanks in advance for reading.

tej57 · ‎06-17-2024

Hello @Maxime,

By default Splunk tries to parse the data that got ingested from whatsoever log source it had been onboarded. However, there's no gaurantee that Splunk will be able to understand the log source completely and provide you with the fields. There are lots of apps and add-ons available on Splunkbase for the exact same purpose (to collect and parse the data). However, if you do not find associated app/add-on, you can write the sourcetype configuration as per your requirement and you should then be able to get the necessary fields.

Also, if the data generated is in structured format (JSON, XML, CSV, etc.), Splunk has parsing written for those by default. In that case, you'll be able to directly visualize the data.

You can find the relevant documentation links below:

- https://docs.splunk.com/Documentation/Splunk/latest/Data/WhatSplunkdoeswithyourdata

- https://docs.splunk.com/Documentation/Splunk/latest/Data/Overviewofeventprocessing

- https://docs.splunk.com/Documentation/Splunk/latest/Data/Createsourcetypes

- https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Configuring_new_source_types

Thanks,
Tejas.

---

If the above solution helps, an upvote is appreciated.

deepakc · ‎06-17-2024

At a high level:

Splunk can ingest most types of logs data, using different methods of collection.

Splunk works on Key Value pairs - so if IBMi can send the data, with this data, you can then search it.

The first thing to do is to look at the IBMi data and workout what format it is and how to collect that data, example, is it in a text log file, Json, XML, DB, syslog or API.

You then need to set up the data collection method, this could involve a UF(Splunk Agent), Hec using HTTP API, or syslog etc, this has to be based on your environment and preferred method of collecting IBMi data, and place that data into an index.

You then need to look at if there's a Splunk Add on in Splunkbase for IBMi data, this is used for parsing the data, if there isn’t one, you then need to develop Splunk props and transforms for the parsing of the data.

You then have to make the IBMi, Data CIM complaint, so analyse what type of data it is, extract it via parsing and map those fields to CIM fields, so Splunk SIEM ES can make use of that data.

Maxime · ‎06-17-2024

Hey,

Your message allowed me to realize that in my question there is missing some information.

IBMi data are in Json format and integrate to the HTTP event collector.

I didn’t understand what I had to do to make Splunk understand the data and make the correlation.

deepakc · ‎06-17-2024

Your data that's already in ingested needs to be made CIM complaint, it might be worth spending some time getting your head around the CIM concepts, after this you can look at developing correlation rules.

https://lantern.splunk.com/Splunk_Platform/Product_Tips/Data_Management/Complying_with_the_Splunk_Co...

IBMi Server Data Correlation with Splunk

configuration

using Splunk Enterprise

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation