Splunk SOAR

monitoring phantom logs

meshorer
Path Finder

hello,

I am trying to gather important logs from the daemons ( in order to forward them to an external siem), that I could use to fire an alert when one of the following occurs:
1. an automated playbook failed to run

2. an action failed to work

3. phantom was not able to ingest all the data forwarded to it and a data was loss

4. a process (daemon) stopped working

5. System Health - CPU, memory usage, disk usage

i have read the article "Configure the logging levels for Splunk Phantom daemons (link: https://docs.splunk.com/Documentation/Phantom/4.10.7/Admin/Debug) but I would need to identify the relevant log that tells each. 

I would appreciate your help on this.

Labels (1)
0 Karma

phanTom
SplunkTrust
SplunkTrust

@meshorer I have led you to the water, now you need to learn how to drink it 😉

I don't have the knowledge, nor the time,  straight away to work out how to do it the way you need to but you have the logs, now you just need to do the engineering piece and make it work in your SIEM. 

There is also REST capability that you could have a script or some other REST capability in your SIEM to grab the data from REST.

Maybe consider changing the logs to JSON:

Before you begin

Configure Splunk SOAR (On-premises) with JSON log format by issuing the following command from the Splunk SOAR console:
$phenv set_preference --logging-format json


Happy SOARing! 

0 Karma

phanTom
SplunkTrust
SplunkTrust

@meshorer 

For all apart from the action failure (which you can get from the external splunk option, but also from the below app) you will need to install a Universal Forwarder on the box and install the Splunk App for SOAR on it and point it to your indexing layer, or HFW as an interim forwarding layer. This comes with the ingestion config for all DAEMON logs out of the box. 

Instructions are here: https://docs.splunk.com/Documentation/SOARApp/1.0.41/Install/ConfigureITSI 

  1. decided
  2. actiond
  3. ingestd
  4. Could be all daemon logs under sourcetype splunk_app_soar:daemon?
  5. Not a daemon but will likely need https://splunkbase.splunk.com/app/3412 as the app only ingests linux:audit from what I can see. 

 

--- Hope this helps! If so please mark as a solution for future readers. Happy SOARing! --

Tags (1)
0 Karma

meshorer
Path Finder

Hi @phanTom 

the thing is that I am looking to forward the logs to an external siem which is not splunk (so this app won’t be helpful for my situation)

This is done with rsyslog

that is why I want to identify the relevant logs for me

0 Karma

phanTom
SplunkTrust
SplunkTrust

@meshorer that's fine! Download the app, look in the inputs.conf file and you will have the path to all log files it monitors. 

I gave you the name of the Daemon so just add ".log" to the end and that's the log you need to monitor. I would assume the other SIEM has an app/parser/collector/something already for Linux as the only thing the Splunk App for SOAR won't monitor is the OS performance metrics. 

 

0 Karma

meshorer
Path Finder

@phanTom 

thank you for all your help!

I am familiar with the daemons names, I am trying to identify the relevant log from each <daemon>.log to fit my cases,

let me be more specific:

for example, I think that thelog message for playbook running is "decided_command_handler_process_containers.cpp : 597 : DECIDED_CMD_PROCESS_CONTAINERS: rule <playbook id> on container <containet number> SUCCESS"

or the log message for succussing ingestion is: 
"connector_executor.cpp : 934 : INGESTDCommandProcessor::ExecuteConnector DONE. Outcome: success"

could you help me identify the relevant cpp and number (597 and 934 are the examples I have pasted here) for each case I wrote above?

I hope that I did not complicate the things too much..

0 Karma

meshorer
Path Finder

@phanTom ,

Anything on this?

 

thank you in advance

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...