Hello,

Thank you for sharing the details of your configuration. Based on your description, there are two separate issues related to data model compatibility and notable event generation in Splunk Enterprise Security.

Endpoint Data Model Not Recognizing Sourcetypes

The Endpoint Data Model in Splunk Enterprise Security expects specific sourcetypes defined in the CIM (Common Information Model). While the Splunk Add-on for Unix and Linux provides sourcetypes such as:

- linux_secure
- linux_messages_syslog
- linux_audit

only some of these are mapped to the Endpoint data model by default. In your configuration:

- /var/log/auth.log -> linux_secure
- /var/log/syslog -> linux_messages_syslog
- /var/log/audit/audit.log -> auditd

The main issue is that linux_messages_syslog and auditd are not automatically mapped to the Endpoint data model unless CIM field mappings and tags are properly applied.

Recommended actions:

1. Verify CIM compliance using the CIM Data Model Audit dashboard.
2. Check whether the events contain the required CIM fields, such as: user, src, dest, process, action.
3. Ensure proper event tags are applied (for example: authentication, process, change, etc.).
4. If necessary, create field aliases or eventtype mappings to align the sourcetypes with the Endpoint data model.

For example, verify whether your events appear in the data model:

    | datamodel Endpoint Processes search

If no results appear, the events are not mapped correctly to CIM.
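One way to carry out the field-alias and eventtype mapping for linux_messages_syslog, added here as an illustration and not taken from the reply above or from the Splunk add-on itself. It assumes the add-on already extracts a process field from syslog lines and that the index is covered by the Endpoint data model's index macro; the eventtype name and the constant action value are assumptions.

```ini
# props.conf -- applied to the sourcetype the thread already uses
[linux_messages_syslog]
# Endpoint.Processes looks for dest, not host; an alias keeps the original field
FIELDALIAS-nix_dest = host AS dest
# Constant CIM fields that a syslog line does not carry (values are assumptions)
EVAL-vendor_product = "Linux"
EVAL-action = "allowed"

# eventtypes.conf -- eventtype name is an assumption; process=* relies on the
# add-on's own extraction, so events without a program name are left out
[nix_syslog_process_event]
search = sourcetype=linux_messages_syslog process=*

# tags.conf -- Endpoint.Processes is constrained on tag=process AND tag=report,
# so both tags must be enabled for the eventtype to land in the data model
[eventtype=nix_syslog_process_event]
process = enabled
report = enabled
```

After the knowledge objects are reloaded, `| tstats count from datamodel=Endpoint.Processes by sourcetype` should show linux_messages_syslog once acceleration has caught up.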