The Splunk CIM discusses the use of tags to help identify log entries according to an object/action/status formula, which is nice. However, are there any recommendations on how to identify a taxonomy for the eventtypes themselves so that the tags make sense?
What is the best way of classifying eventtypes into something useful? Does what I have done in the following example make sense...?
I have a bunch of firewall log messages, so I create an eventtype called network_acl that matches all relevant log entries; then I create another eventtype called network_acl.denied which literally matches 'eventtype=network_acl AND denied'.
For the network_acl eventtype, I add the tags 'acl application, firewall, host, network'.
For the network_acl.denied eventtype, I add the tags 'access, attempt, denied'.
This method seems to work well so far; adding field extraction to pick out IPs etc. seems to allow me to answer most questions I have, but I have a nagging feeling I'm approaching this the wrong way.
I am also concerned that the dependence of network_acl.denied on the 'parent' eventtype is not the most efficient way of querying for it.
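The layout described in the post written out as eventtypes.conf and tags.conf stanzas, added here as an illustration and not taken from the post itself. The sourcetype name fw_acl_log is an assumption, the post's tag list is read as separate tags, and the extra network_acl.denied_flat stanza shows the same child eventtype spelled out without a reference to the parent, so the two forms can be compared side by side:

```ini
# eventtypes.conf (added example; sourcetype name is an assumption)

# Parent eventtype: every firewall ACL log entry
[network_acl]
search = sourcetype=fw_acl_log
description = All firewall ACL log entries

# Child eventtype defined through the parent, exactly as in the post
[network_acl.denied]
search = eventtype=network_acl denied
description = ACL entries whose action was a deny

# Same child with the parent's search repeated inline, so matching it
# does not require the network_acl eventtype to be evaluated first
[network_acl.denied_flat]
search = sourcetype=fw_acl_log denied
description = ACL entries whose action was a deny (self-contained)

# tags.conf (tag names are the ones listed in the post)

[eventtype=network_acl]
acl = enabled
application = enabled
firewall = enabled
host = enabled
network = enabled

[eventtype=network_acl.denied]
access = enabled
attempt = enabled
denied = enabled
```

Searching `eventtype=network_acl.denied` and `eventtype=network_acl.denied_flat` over the same time range should return identical event counts; comparing the two is a quick way to confirm that the parent-referencing and inline definitions really match the same entries before tags are built on top of them.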