Hi @Stefanie, I did what you said in the data models that are needed for the infosec app. Nothing changed from the health panel view. It keeps only getting data from authentication and change although the acceleration works good for all of them except for malware and web. One thing i saw that changed is when running the query to identify indexes that feed the data models. | makeresults | eval datamodels = "Authentication:Change:Endpoint:Intrusion_Detection:Network_Sessions:Network_Traffic:Malware:Endpoint.Processes:Web" | makemv delim=":" datamodels | mvexpand datamodels | map search="| makeresults | eval notfound=\"*** NO DATA FOUND ***\" | append [| tstats count from datamodel=$datamodels$ by index, sourcetype] | eventstats count as events |eval datamodel=\"$datamodels$\", index=coalesce(index,notfound)| search NOT notfound=* OR events=1 | table datamodel, index, sourcetype,count" | sort datamodel, index, sourcetype Now i see that network traffic and network sessions data models are no longer indicating "NO DATA FOUND" and they show 1.708.289 and 24.981 events taking them from the main index. Still not getting that data in infosec... I also did the query that you suggested before and everything seems to be working. I was wondering if you could post a screenshot of your network traffic data model just to adjust the settings the same way you have them. When I added the "*" in the data models  i saw that your tag whitelist was blank and mine has 4 or 5 tags, is it supposed to be like that? Thanks for you help. ... View more

Hi @Stefanie ,   1.- The CIM version I have installed is 5.0.1. 2.- When i accelerated the models after installing, infosec was reciecing data and after a couple of days sttoped working. 3.- When I check the index whitelist of each data model it's blank, Is there anything I should add to it? 4.- I have installed all required TA's written in the infosec App prerequisites. Another thing that seems strange is that checking the data model from Settings - Knowledge - Data models. If I choose any model and edit the constraint but without modifying it,  an error shows up saying this: "In handler 'datamodeledit': Error in 'Authentication': Dataset constraints must specify at least one index. " Thanks for your answers.   ... View more

I meant that syslog wasn't writing the directories detailed in the config file but, I've managed to get all logs coming from the firewalls through 514 UDP, in a txt file. I am monitoring that file using SplunkUF and I can see it in the splunk web panel although, I'm trying to use the script posted in the community in order to separate the logs into different files or folders and it isn't working. Is there any update of the script available? if so, could anyone share it in this post?. I'm going to share here the script that I've been using. Thanks. @version:3.2 # syslog-ng configuration file. # # options { chain_hostnames(no); create_dirs (yes); dir_perm(0755); dns_cache(yes); keep_hostname(yes); log_fifo_size(2048); log_msg_size(8192); perm(0644); time_reopen (10); use_dns(yes); use_fqdn(yes); }; source s_network { udp(port(514)); }; #Destinations destination d_cisco_asa { file(“/home/syslog/logs/cisco/asa/$HOST/$YEAR-$MONTH-$DAY-cisco-asa.log” create_dirs(yes)); }; destination d_palo_alto { file(“/home/syslog/logs/paloalto/$HOST/$YEAR-$MONTH-$DAY-palo.log” create_dirs(yes)); }; destination d_all { file(“/home/syslog/logs/catch_all/$HOST/$YEAR-$MONTH-$DAY-catch_all.log” create_dirs(yes)); }; # Filters filter f_cisco_asa { match(“%ASA” value(“PROGRAM”)) or match(“%ASA” value(“MESSAGE”)); }; filter f_palo_alto { match(“009401000570” value(“PROGRAM”)) or match(“009401000570” value(“MESSAGE”)); }; filter f_all { not ( filter(f_cisco_asa) or filter(f_palo_alto) ); }; # Log log { source(s_network); filter(f_cisco_asa); destination(d_cisco_asa); }; log { source(s_network); filter(f_palo_alto); destination(d_palo_alto); }; log { source(s_network); filter(f_all); destination(d_all); }; ... View more

Thanks for the answer I configured the port under the "forwarding and recieving" option as you said and went through this documentation (https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html). I was able to get the configuration that I needed to put in /syslog-ng/conf.d, although it doesn't write the directories in the destinations that are given. I also checked if SELinux was interfering but it is disabled, do you know what the problem could be?. Thanks for your help. Regards. ... View more