Logging practices for security logging.

misteryuku · ‎04-19-2012

I would like to create log messages that would be used for log analysis using Splunk such as checking for occurence of Denial of Service attacks. What would be the best logging practices for that as in what are the most important information that i should be displaying in the log messages???

elusive · ‎02-13-2017

Hi. The link you have provided above does not work anymore. It seems like the pages has changed. Can you provide the link again? thanks!

gjanders · ‎02-13-2017

The common information model has it's own manual in particular you may wish to refer to using the CIM and the examples of using the CIM

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

ziegfried · ‎04-19-2012

This is a good place for getting started:

In addition, naming field according to the CIM (Common Information Model) would be a good idea:

http://docs.splunk.com/Documentation/ES/latest/CreateTA/CommonInformationModelFieldReference

misteryuku · ‎04-20-2012

Okay. i see...

ziegfried · ‎04-20-2012

something like allowed/blocked or success/failure. whatever is more reasonable.

misteryuku · ‎04-20-2012

What does the action field for the network protection/traffic represent? Does it represent the action of the packet??

ziegfried · ‎04-19-2012

Yup. Network Protection/Traffic might be the best choice.

misteryuku · ‎04-19-2012

Lets say if i want to monitor the traffic of the network as in detecting Denial of service attacks, the log message should contain the fields under the network protection category of the Common Information Model. Is that true?

Logging practices for security logging.

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk