Splunk Lantern

System log data

 

Every operating system (OS) records details of its operating conditions and errors, and these time-stamped logs are the fundamental and authoritative source of system telemetry. Depending on the OS, there may be separate logs for different classes of events, such as routine informational updates, system errors, boot loader records, login attempts, and debug output. Correlating system log entries is one of the best ways to identify the root cause of a subtle system failure. System logs also carry security-relevant information such as login attempts, file access, and host firewall activity, and they can be used to identify changes to system configuration and commands executed by users, including privileged users. Error logs often aggregate records from multiple subsystems and OS services or daemons, which makes them a definitive source of troubleshooting information. In the Common Information Model (CIM), system log data is typically mapped to the Endpoint data model.
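To make the correlation described above concrete, here is an added example (not Splunk's own code, and not part of this Lantern page) that parses a handful of constructed Linux syslog lines, normalizes the sshd, sudo, and kernel firewall records into CIM-style fields, and then correlates repeated failed logins with firewall blocks from the same source. The sample log lines are constructed for this example, and the field names (action, src, user, app, process, transport) approximate the CIM Authentication, Endpoint.Processes, and Network_Traffic datasets; treat the exact mapping as an assumption and check the CIM reference for the add-on you actually deploy.

```python
"""Normalise constructed Linux syslog lines into CIM-style events and correlate them.

Added example, not Splunk's own code. CIM field names used here are an
approximation of the Authentication, Endpoint.Processes and Network_Traffic
datasets and should be checked against the CIM reference for your add-on.
"""
import re
from collections import Counter

# Constructed sample lines, modelled on OpenSSH, sudo and UFW (kernel) syslog output.
SAMPLE_LOG = """\
Mar  4 10:01:12 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  4 10:01:15 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Mar  4 10:01:19 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 51024 ssh2
Mar  4 10:02:02 web01 sshd[2219]: Accepted publickey for deploy from 198.51.100.4 port 40110 ssh2: ED25519 SHA256:abc
Mar  4 10:02:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  4 10:03:01 web01 kernel: [12345.678] UFW BLOCK IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51030 DPT=23
"""

# Classic BSD syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w\-/]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
UFW_RE = re.compile(
    r"UFW (?P<action>\w+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)
UFW_ACTIONS = {"BLOCK": "blocked", "ALLOW": "allowed"}  # CIM Network_Traffic action values


def parse_line(line):
    """Return a CIM-style event dict for one syslog line, or None if it is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"_time": m["ts"], "dest": m["host"], "app": m["prog"], "datamodel": None, "_raw": line}
    msg = m["msg"]
    if m["prog"] == "sshd" and (s := SSHD_RE.match(msg)):
        # Login attempt -> Authentication dataset
        ev.update(datamodel="Authentication", user=s["user"], src=s["src"],
                  src_port=int(s["port"]), signature=s["method"],
                  action="success" if s["result"] == "Accepted" else "failure")
    elif m["prog"] == "sudo" and (s := SUDO_RE.match(msg)):
        # Privileged command execution -> Endpoint.Processes dataset
        # ("run_as" is not a CIM field; it is kept here to show who the command ran as)
        ev.update(datamodel="Endpoint.Processes", user=s["user"],
                  process=s["cmd"].strip(), run_as=s["target"])
    elif m["prog"] == "kernel" and (s := UFW_RE.search(msg)):
        # Host firewall verdict -> Network_Traffic dataset
        ev.update(datamodel="Network_Traffic", src=s["src"], dest_ip=s["dst"],
                  dest_port=int(s["dpt"]), transport=s["proto"].lower(),
                  action=UFW_ACTIONS.get(s["action"], s["action"].lower()))
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def failed_logins_by_src(events, threshold=3):
    """Sources with at least `threshold` failed logins (a simple brute-force signal)."""
    counts = Counter(e["src"] for e in events
                     if e["datamodel"] == "Authentication" and e["action"] == "failure")
    return {src: n for src, n in counts.items() if n >= threshold}


def sources_also_blocked(events, suspects):
    """Correlate: which suspect login sources were also blocked by the host firewall?"""
    return sorted({e["src"] for e in events
                   if e["datamodel"] == "Network_Traffic" and e["action"] == "blocked"
                   and e["src"] in suspects})


def privileged_commands(events):
    """(user, command) pairs executed through sudo, from the Endpoint.Processes events."""
    return [(e["user"], e["process"]) for e in events if e["datamodel"] == "Endpoint.Processes"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    suspects = failed_logins_by_src(evs)
    print("brute-force candidates:", suspects)
    print("also blocked by firewall:", sources_also_blocked(evs, suspects))
    print("privileged commands:", privileged_commands(evs))
```

Run it directly to see the three correlations printed; in Splunk the same logic is what a `stats count by src` over `Authentication.action=failure`, joined against `Network_Traffic.action=blocked`, would give you once the host logs are CIM-mapped.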

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: 

Use cases for Splunk security products