Event data from operating systems (OS) is a type of data that comes from state changes in the OS itself, plus services and various applications running on the system. On Linux and UNIX systems, these are text files usually stored under the /var/log directory. On Windows, the data come from the Windows Management Interface. For purposes of data typing, this article includes all non-security related events. Security events, while found in the same locations in the OS, are treated separately and are documented in the network authentication and local authentication data type descriptor articles.
Event data on the OS provides visibility on the state of OS systems. The data can be only informational or error based. Applications and services that are non-kernel related report the same kinds of state changes but within the context of the service. You can track events by source, code, message, severity, and more. For further details, see the documentation associated with the OS you are interested in.
When your Splunk deployment is ingesting operating system event data, you can use the data to achieve objectives related to the following use cases:
- Reconstructing a website defacement
- Investigating a ransomware attack
- Recognizing improper use of system administration tools
- Creating a timebound picture of network activity
- Detecting the use of randomization in cyberattacks
- Monitoring command line interface actions
- Securing a work-from-home organization
These data types have many available fields, but users typically derive the most value out of the fields listed here.
System affected by the patch change or target of the event.
Checksum of the file in scope.
Human-readable event name.
Status of the operation in scope.
System connected to the listening port.
Name of the operating system resource.
Note that the names of these fields vary, depending on the data source. The Splunk Common Information Model (CIM) can be added to your deployment to normalize and validate data at search time, accelerate key data in searches and dashboards, or create new reports and visualizations. In the Common Information Model, operating system event data is typically mapped to the Endpoint, Inventory and Updates models.
Known data sources and source types
Guidance for onboarding data can be found in the Splunk documentation, Getting Data In.