Every operating system (OS) records details of its operating conditions and errors, and these time-stamped logs are the fundamental and authoritative source of system telemetry. Depending on the OS, there may be separate logs for different classes of events, such as routine informational updates, system errors, boot loader records, login attempts, and debug output. Correlating system log entries is one of the best ways of identifying the root cause of a subtle system failure. System logs include a variety of security information, such as attempted logins, file access, and system firewall activity. They can also be used to identify changes in system configuration and commands executed by users, including privileged users. Error logs often aggregate records from multiple subsystems and OS services or daemons, and are thus a definitive source of troubleshooting information. In the Common Information Model, system log data is typically mapped to the Endpoint data model.
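As an added illustration of the correlation described above (this is example code written for this page, not Splunk's own code or an implementation of the CIM Endpoint data model), the following Python parses a handful of constructed Linux auth-log lines into normalized events and then correlates them: it counts failed logins per source, flags sources that exceed a threshold, detects a successful login from a source that had earlier failures, and lists commands that ran as root via sudo or cron. The field names (`action`, `user`, `src`, `runas`, `command`) are a simplified normalization chosen here and only loosely follow CIM naming; the log lines, hostnames and addresses are constructed samples.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (not captured from any real system).
SAMPLE_LOG = """\
Mar 12 09:14:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 12 09:14:03 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Mar 12 09:14:05 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 51141 ssh2
Mar 12 09:14:08 web01 sshd[2207]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar 12 09:15:30 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 12 09:16:00 web01 CRON[2301]: (root) CMD (/usr/local/bin/backup.sh)
Mar 12 09:16:45 web01 sshd[2210]: Failed password for alice from 203.0.113.5 port 51160 ssh2
Mar 12 09:17:02 web01 sshd[2212]: Accepted password for alice from 203.0.113.5 port 51171 ssh2
"""

# Classic BSD-syslog layout: timestamp, host, process[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_RE = re.compile(r"(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; USER=(?P<runas>\S+) ; COMMAND=(?P<command>.*)")
CRON_RE = re.compile(r"\((?P<user>\S+)\) CMD \((?P<command>.*)\)")


def parse_line(line):
    """Turn one raw syslog line into a normalized event dict (or None if unparseable)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"ts": m["ts"], "host": m["host"], "process": m["proc"],
          "action": "other", "user": None, "src": None, "runas": None, "command": None}
    msg = m["msg"]
    if (f := FAILED_RE.search(msg)):
        ev.update(action="failure", user=f["user"], src=f["src"])
    elif (a := ACCEPTED_RE.search(msg)):
        ev.update(action="success", user=a["user"], src=a["src"])
    elif (s := SUDO_RE.search(msg)):
        ev.update(action="sudo", user=s["user"], runas=s["runas"], command=s["command"])
    elif (c := CRON_RE.search(msg)):
        # cron jobs run as the crontab owner, so the owner is also the effective user
        ev.update(action="cron", user=c["user"], runas=c["user"], command=c["command"])
    return ev


def parse_syslog(text):
    """Parse a multi-line log, keeping line order so later correlation can rely on it."""
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def failed_logins_by_src(events):
    return Counter(ev["src"] for ev in events if ev["action"] == "failure")


def brute_force_sources(events, threshold=3):
    """Sources with at least `threshold` failed logins (threshold is an arbitrary example value)."""
    return sorted(src for src, n in failed_logins_by_src(events).items() if n >= threshold)


def success_after_failures(events):
    """Correlation: a successful login from a source that had failures earlier in the log."""
    failures = Counter()
    hits = []
    for ev in events:
        if ev["action"] == "failure":
            failures[ev["src"]] += 1
        elif ev["action"] == "success" and failures[ev["src"]]:
            hits.append({"ts": ev["ts"], "src": ev["src"], "user": ev["user"],
                         "prior_failures": failures[ev["src"]]})
    return hits


def privileged_commands(events):
    """Commands whose effective user was root, whether via sudo or a root crontab."""
    return [(ev["user"], ev["command"]) for ev in events if ev["runas"] == "root"]


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    print("failed logins by source:", dict(failed_logins_by_src(evs)))
    print("sources over threshold:", brute_force_sources(evs))
    print("success after failures:", success_after_failures(evs))
    print("commands run as root:", privileged_commands(evs))
```

The same questions are what a Splunk search over onboarded system logs would answer once the events carry normalized fields; the point of the example is that the raw lines alone give a partial picture, while counting and ordering them across sources and processes is what turns a burst of failures, a later success, and a privileged command into one story.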
When your Splunk deployment is ingesting system log data, you can use the data to achieve the following:
Guidance for onboarding data can be found in the Splunk Documentation, Getting Data In (Splunk Enterprise) or Getting Data In (Splunk Cloud). In addition, these Splunk Add-Ons and Apps are helpful for working with system log data.
Looking for more information on data types? Download the Splunk Essential Guide to Machine Data.