Might be dumb question but I just want to confirm that ESS does monitor all logs going into Splunk by default?
Also, how would I know if the log format is readable for ESS parsing?
Thanks, D.
Firstly, you can choose which logs to ingest into splunk. So if you haven't added the logs, it is not available to ES.
Second, ES uses a lot of tagging and only event types that have been tagged correctly will be looked at by the ES app automatically. So within the built in reports other sourcetypes will be ignored.
But from within the app, you can search ALL your data and use any of it to create correlation searches or notable events, or even tag it to appear in the reports.
As for the parsing, if it is text format and relevant to security, it can be added but some is easier than others. Read the Data Source Integration Manual for ES.
ES is an app that sits on top of Splunk that provides insight into security data, which can come from anywhere depending on your use-case. The app includes various methods to collect and visualize data, but any 'monitoring' is dependent on the searches that you configure, and they will depend on what you are looking for.
The parsing of data is handled by splunkd, according to rules that can be put in place by any app. If you are looking at a 'standard' log, then it's likely we already have parsing rules included by default, but for custom logs you will likely have to define some if Splunk's initial attempts don't work for you
To set up a conversation specific to security use-cases, I recommend engaging your Sales Rep to set up a call with someone who can assess the use-case(s) you have in mind and provide