Every OS records details of its operating conditions and errors, and these time-stamped logs are the fundamental and authoritative source of system telemetry. Depending on the OS, there may be separate logs for different classes of events, such as routine informational updates, system errors, boot loader records, login attempts, and debug output. Error logs often aggregate records from multiple subsystems and OS services or daemons, and, thus, are a definitive source of troubleshooting information. In the Common Information Model, system log data is typically mapped to the Endpoint data model.
Correlating system log entries is one of the best ways of identifying the root cause of a subtle system failure. System logs include a variety of security information such as attempted logins, file access, and system firewall activity. They can also be used to identify changes in system configurations and commands executed by users or privileged users.
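The correlation described above, across the different classes of entries a system log aggregates, is easiest to see on concrete lines. The following is an added example, not code from the page or from Splunk: it parses a few constructed syslog lines (an sshd login failure and success, a sudo command, and a kernel firewall drop), normalizes them into flat CIM-style field names such as `action`, `user`, `src`, `dest` and `dest_port` (field names are assumed here; check the data model you map to), and then correlates the normalized events to answer the questions the paragraph raises: which sources are failing logins, which of those the firewall later blocked, and which privileged commands each user ran.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not taken from the page). They mimic the sshd, sudo and
# netfilter formats commonly found in /var/log/auth.log and /var/log/messages.
SAMPLE_LOG = """\
Mar 10 08:01:12 host1 sshd[2113]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:15 host1 sshd[2113]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar 10 08:01:19 host1 sshd[2118]: Accepted password for alice from 198.51.100.4 port 40212 ssh2
Mar 10 08:02:03 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 08:02:44 host1 kernel: [12345.678] IPTABLES-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51100 DPT=22
"""

# Generic syslog envelope: timestamp, host, process[pid]: message
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+'
    r'(?P<proc>[^:\[\s]+)(?:\[\d+\])?:\s*(?P<msg>.*)$'
)
# Per-subsystem message formats
SSH_RE = re.compile(r'(?P<result>Failed|Accepted) password for (?:invalid user )?'
                    r'(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)')
SUDO_RE = re.compile(r'^(?P<user>\S+)\s+:\s+.*?USER=(?P<run_as>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$')
FW_RE = re.compile(r'SRC=(?P<src>\S+)\s+DST=(?P<dest>\S+)\s+PROTO=(?P<proto>\S+)'
                   r'(?:\s+SPT=\d+)?\s+DPT=(?P<dport>\d+)')


def normalize(line):
    """Map one raw syslog line to a flat dict of CIM-style fields (names assumed)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"_time": m["ts"], "host": m["host"], "process": m["proc"], "_raw": line}
    msg = m["msg"]
    if m["proc"] == "sshd" and (s := SSH_RE.search(msg)):
        ev.update(category="authentication",
                  action="success" if s["result"] == "Accepted" else "failure",
                  user=s["user"], src=s["src"], src_port=int(s["port"]))
    elif m["proc"] == "sudo" and (s := SUDO_RE.match(msg)):
        ev.update(category="privilege", action="privileged_command",
                  user=s["user"], run_as=s["run_as"], command=s["cmd"])
    elif (s := FW_RE.search(msg)):
        # Assumes the firewall log prefix (here IPTABLES-DROP) denotes a dropped packet.
        ev.update(category="firewall", action="blocked", src=s["src"], dest=s["dest"],
                  dest_port=int(s["dport"]), transport=s["proto"].lower())
    else:
        ev["category"] = "other"
    return ev


def parse_log(text):
    """Normalize every non-empty line; lines that do not fit the envelope are skipped."""
    events = (normalize(l) for l in text.splitlines() if l.strip())
    return [e for e in events if e is not None]


def correlate(events):
    """Join authentication, privilege and firewall events on shared fields (src, user)."""
    failed = Counter(e["src"] for e in events
                     if e["category"] == "authentication" and e["action"] == "failure")
    blocked = {e["src"] for e in events if e["category"] == "firewall"}
    privileged = defaultdict(list)
    for e in events:
        if e["category"] == "privilege":
            privileged[e["user"]].append(e["command"])
    return {
        "failed_logins_by_src": dict(failed),
        # Sources that both failed logins and were later dropped by the host firewall
        "sources_failing_then_blocked": sorted(set(failed) & blocked),
        "privileged_commands_by_user": dict(privileged),
    }


if __name__ == "__main__":
    for key, value in correlate(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The per-subsystem regexes are the part you would extend in practice; the envelope regex and the correlation step stay the same because they work on the normalized field names rather than on raw text, which is exactly the benefit of mapping log data to a common model before searching it.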
When your Splunk deployment is ingesting system log data, you can use it for security, compliance, and IT operations use cases.
Guidance for onboarding data can be found in the Splunk Documentation, Getting Data In (Splunk Enterprise) or Getting Data In (Splunk Cloud). In addition, these Splunk Add-Ons and Apps are helpful for working with system log data.
Looking for more information on data types? Download the Splunk Essential Guide to Machine Data.