Hi,
I need to make events I am receiving from ModSecurity available and formatted for Splunk Enterprise Security. I have a distributed environment.
I know that I have to turn them into CIM, add tags, eventtype, extract fields, and create aliases.
Is it mandatory to create a custom add-on to achieve the goal? If not, which .conf files do I have to change (inside which path)?
Is there any tutorial/example on how to integrate a non-natively supported device into Enterprise Security?
The changes (tags, eventtype, extract fields and create aliases) have to be done on the Indexer, Search Head, or both?
Am I missing something else?
Thank you very much.
Regards.
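Worked example added by the editor; it is not part of the original post or of any reply, and it is not an official Splunk or ModSecurity add-on. It shows the .conf stanzas that would map ModSecurity lines from the Apache error log onto the CIM Intrusion Detection data model (fields src, dest, signature, signature_id, severity, action, ids_type, category, vendor_product, tags ids and attack). The sourcetype name modsecurity:error, the eventtype name modsecurity_alert, the log path and the sample event in the comment are all assumptions made for the example. Only inputs.conf (sourcetype assignment) is index-time and belongs on the forwarder or indexer; EXTRACT, EVAL, FIELDALIAS, eventtypes and tags are search-time knowledge objects and are read on the search head. Packaging them in an add-on directory is not mandatory, but it is the conventional way to deploy them to a search head cluster.

```ini
# --- inputs.conf (forwarder or indexer: index-time; path and sourcetype are assumptions) ---
[monitor:///var/log/apache2/error.log]
sourcetype = modsecurity:error

# --- props.conf (search head: every stanza below is search-time knowledge) ---
[modsecurity:error]
# Constructed sample event the regexes are written against (not a real capture):
# [client 203.0.113.5:51234] ModSecurity: Warning. Pattern match "(?i)union.*select" at ARGS:id. [file "/etc/modsecurity/crs/sqli.conf"] [line "42"] [id "942100"] [msg "SQL Injection Attack Detected"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/search"]
# Extractions named directly as CIM Intrusion Detection fields
# (src stops at ':' so the Apache 2.4 client port is dropped; IPv6 clients would need a wider pattern)
EXTRACT-src          = \[client (?<src>[^\]:]+)
EXTRACT-signature_id = \[id "(?<signature_id>\d+)"\]
EXTRACT-signature    = \[msg "(?<signature>[^"]+)"\]
EXTRACT-severity_raw = \[severity "(?<severity_raw>[^"]+)"\]
EXTRACT-dest         = \[hostname "(?<dest>[^"]+)"\]
EXTRACT-uri_path     = \[uri "(?<uri_path>[^"]+)"\]
# Calculated fields run after extractions: map ModSecurity severities onto the CIM vocabulary
# (critical, high, medium, low, informational) and fill the constant fields the model expects
EVAL-severity       = case(severity_raw=="EMERGENCY" OR severity_raw=="ALERT" OR severity_raw=="CRITICAL","critical", severity_raw=="ERROR","high", severity_raw=="WARNING","medium", severity_raw=="NOTICE","low", true(),"informational")
EVAL-action         = if(match(_raw,"ModSecurity: Access denied"),"blocked","allowed")
EVAL-ids_type       = "application"
EVAL-category       = "web"
EVAL-vendor_product = "ModSecurity"
# Alias: expose the Splunk host field under the CIM name dvc as well
FIELDALIAS-dvc      = host AS dvc

# --- eventtypes.conf (search head) ---
[modsecurity_alert]
search = sourcetype="modsecurity:error" "ModSecurity:"

# --- tags.conf (search head): the Intrusion Detection data model selects on these two tags ---
[eventtype=modsecurity_alert]
ids = enabled
attack = enabled
```

Place props.conf, eventtypes.conf and tags.conf under default/ of an app directory (for example TA-modsecurity/default/, name assumed) and deploy it to the search head or, for a search head cluster, through the deployer; the inputs.conf stanza goes to the forwarder. To check the result, run a search such as tag=ids tag=attack sourcetype="modsecurity:error" and confirm src, dest, signature, signature_id and severity are populated, then | datamodel Intrusion_Detection IDS_Attacks search to confirm the events reach the accelerated data model ES reads from.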