The cim_Authentication_indexes is defined, in our case, as (index=wineventlog OR index=<linux> OR index=<rsa> OR ...). For the index=wineventlog we have nice compliance with the Authentication datamodel except src at 68% and src_user at 5%. So, I wonder if we should change the definition of the macro to be something like ( (index=wineventlog AND src=*) OR index=<linux> OR index=<rsa> OR ... ).
Does it make any sense?
No. YOU have to decide what fields are important TO YOU and then ensure that they exist every time that they should. Fix the field extractions. Do not hide the events.
That would be the case in the ideal world. However, not all events have all the fields that we need for a given datamodel (as the vendor/product may only offer limited fields in the events). What do you suggest in those situations?
If you have some kind of a sudo thing and your system does not log the src_user, then you should scream bloody hell at your vendor to fix their logging. I have never seen such a situation, although I have seen many situations where src_user has no context and therefore is meaningless and quite logically does not exist.
I got it @woodcock - thank you.
You should fix the onboarding of the data to address field issues. Doing it at search time is just a band-aid for the root issue. And you do not want to get into the business of hand-managing updates to the datamodels either.
It makes sense @starcher, but I'm not sure whether src must exist for all the events, in this particular case.
For the Authentication datamodel, 'src' is a key field to know the endpoint/client involved in the authentication process. If you do not have that in the events and if you want to exclude them (as a last resort), adjust your eventtypes.conf and tags.conf so that those events are not sent to the Authentication datamodel.
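The two configuration approaches discussed in this thread, the macro definition from the opening question and the eventtypes.conf/tags.conf route from the answer above, written out as an added illustration that is not part of any post here. The macro stanza reproduces the definition as the question describes it (the angle-bracket index names are the thread's own placeholders). The eventtype name wineventlog_authentication_with_src, the sourcetype and the EventCode filter are assumptions for illustration; the stanza keys (definition, search, the [eventtype=...] tag stanza) are the standard Splunk ones.

```ini
# macros.conf (e.g. a local/ override in the CIM app) - assumed file placement
# Definition as described in the question; <linux> and <rsa> are placeholder index names.
[cim_Authentication_indexes]
definition = (index=wineventlog OR index=<linux> OR index=<rsa>)

# eventtypes.conf - hypothetical eventtype; the search is the only place the
# src=* condition is applied, so the macro stays a plain index list.
# sourcetype and EventCode values are assumed for illustration (4624/4625 are
# the Windows logon success/failure events).
[wineventlog_authentication_with_src]
search = index=wineventlog sourcetype=XmlWinEventLog (EventCode=4624 OR EventCode=4625) src=*

# tags.conf - the Authentication data model selects events that carry the
# authentication tag, so only the narrowed eventtype is tagged here.
[eventtype=wineventlog_authentication_with_src]
authentication = enabled

# After deployment, re-check the src coverage the question reports (68%)
# with a search such as:
#   index=wineventlog tag=authentication | stats count(src) AS with_src count AS total
```

If a technology add-on already ships an eventtype that tags these events with authentication, the narrowed eventtype above does not remove that tag on its own; the shipped eventtype's tag would also have to be overridden in a local tags.conf, which is why the answer calls this a last resort and the preferred fix remains getting src extracted at onboarding time.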
Great information. Where exactly do these eventtypes.conf and tags.conf exist?