Data Source Integration Manual

Out-of-the-box source types

This section provides a list of the data sources for which the Splunk App for Enterprise Security provides out-of-the-box support. It also provides a list of the source types that are used for the different data sources and add-ons.

Source types are important because Enterprise Security keys everything it knows about incoming data on the source type: an add-on's field extractions, event types, tags and CIM normalization are all defined per source type in its props.conf. Source types need to be carefully defined so that they are not overloaded (one generic source type such as syslog carrying several products) or misused (a product sent in under another product's source type).

When a supported data type is imported, the correct source type must be assigned to the data so that the Splunk App for Enterprise Security recognizes and parses it. For example, events from a Juniper firewall must be assigned the netscreen:firewall source type for TA-juniper to recognize and parse them. Left on a generic syslog source type, the same events still index, but they never receive the Juniper field extractions and never reach the CIM data models that ES correlation searches and dashboards run against.

To learn more about the supported data types and source types, see the "List of pretrained source types" in the core Splunk product documentation. For more information on assigning source types to data inputs, see "About default fields" in the core Splunk product documentation.
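As an added check (example code written for this page, not Splunk tooling and not part of any add-on), the following script audits the stanzas of an inputs.conf against the out-of-the-box source types listed in the tables of this section. It flags inputs with no source type, inputs on a generic catch-all such as syslog, and source types that no add-on keys on, suggesting the correct spelling where the mistake is an obvious one (pan_traffic for pan:traffic). The supported list is a subset of the tables, the sample inputs.conf is constructed, and its ports and file paths are assumptions.

```python
"""Audit Splunk inputs.conf stanzas against the ES out-of-the-box source types.

Added example written for this page; it is not Splunk tooling. SUPPORTED is a
subset of the tables in this section, and SAMPLE_INPUTS_CONF is constructed.
"""
import configparser

# source type -> add-on, copied from the out-of-the-box tables (subset)
SUPPORTED = {
    "netscreen:firewall": "TA-juniper",
    "juniper:idp": "TA-juniper",
    "pan:traffic": "TA-paloalto",
    "pan:threat": "TA-paloalto",
    "bluecoat": "TA-bluecoat",
    "snort": "TA-snort",
    "ossec": "TA-ossec",
    "nessus": "TA-nessus",
    "linux_secure": "Splunk_TA_nix",
    "syslog": "Splunk_TA_nix",
    "cef": "TA-cef",
}

# Catch-all source types. They are supported, but a device that has a
# dedicated source type (a Juniper firewall, say) must not be left on one of
# them, because TA-juniper keys its extractions on netscreen:firewall.
GENERIC = {"syslog", "cef"}

# Constructed sample inputs.conf; the ports and paths are hypothetical.
SAMPLE_INPUTS_CONF = """
[udp://514]
sourcetype = netscreen:firewall
connection_host = ip

[tcp://10514]
sourcetype = syslog
connection_host = dns

[monitor:///var/log/snort/alert]
sourcetype = snort

[monitor:///var/log/pan/traffic.log]
sourcetype = pan_traffic

[monitor:///var/log/custom/app.log]
"""


def normalize(sourcetype: str) -> str:
    """Fold common misspellings (pan_traffic, Netscreen-Firewall) into the
    lowercase, colon-separated form the add-ons expect."""
    return sourcetype.strip().lower().replace("_", ":").replace("-", ":")


def audit_inputs(conf_text: str) -> dict:
    """Return {stanza: finding} for every stanza in an inputs.conf body.

    status is one of: supported, generic (catch-all, needs review),
    unsupported (no add-on keys on it; a rename is suggested when obvious),
    or missing (no sourcetype set, so Splunk guesses and no add-on parses it).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.read_string(conf_text)
    findings = {}
    for stanza in cp.sections():
        st = cp.get(stanza, "sourcetype", fallback=None)
        if st is None:
            findings[stanza] = {"sourcetype": None, "status": "missing",
                                "add_on": None,
                                "suggestion": "set sourcetype explicitly"}
        elif st in SUPPORTED:
            generic = st in GENERIC
            findings[stanza] = {
                "sourcetype": st,
                "status": "generic" if generic else "supported",
                "add_on": SUPPORTED[st],
                "suggestion": ("confirm no product with its own source type "
                               "feeds this input") if generic else None,
            }
        else:
            guess = normalize(st)
            findings[stanza] = {
                "sourcetype": st, "status": "unsupported",
                "add_on": SUPPORTED.get(guess),
                "suggestion": f"rename to {guess}" if guess in SUPPORTED
                else "no out-of-the-box add-on; a custom add-on is needed",
            }
    return findings


def needs_action(conf_text: str) -> list:
    """Stanzas that are not cleanly on a supported, dedicated source type."""
    return [s for s, f in audit_inputs(conf_text).items()
            if f["status"] != "supported"]


if __name__ == "__main__":
    for stanza, f in audit_inputs(SAMPLE_INPUTS_CONF).items():
        print(f"{stanza:40} {f['status']:12} {f['sourcetype'] or '-':20} "
              f"{f['add_on'] or '-':18} {f['suggestion'] or ''}")
```

Run it against a real $SPLUNK_HOME/etc/apps/*/local/inputs.conf and extend SUPPORTED with the rest of the tables; the generic finding is the one to act on first, since a product parked on syslog is invisible to its add-on even though nothing looks broken at index time.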

The following table lists the data sources with out-of-the-box support in the Splunk App for Enterprise Security, along with the associated source type and add-on name:

Wireless Devices

Data source | Source type(s) | Add-on | Description
Motorola AirDefense wireless IDS | airdefense | TA-airdefense | Parses AirDefense log data for use in CIM compliant Splunk apps
Alcatel | alcatel | TA-alcatel | Parses Alcatel network switch log data for use in CIM compliant Splunk apps

Proxies

Data source | Source type(s) | Add-on | Description
Blue Coat ProxySG | bluecoat | TA-bluecoat | Parses Blue Coat proxy data for use in CIM compliant Splunk apps

Firewalls

Data source | Source type(s) | Add-on | Description
Juniper NetScreen firewalls and IDP intrusion detection/prevention systems | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM compliant Splunk apps
Fortinet Unified Threat Management (UTM) systems | fortinet | TA-fortinet | Parses Fortinet log data for use in CIM compliant Splunk apps
Palo Alto firewalls | pan, pan:config, pan:system, pan:threat, pan:traffic | TA-paloalto | Parses Palo Alto firewall log data for use in CIM compliant Splunk apps
Websense firewalls | websense | TA-websense | Parses Websense log data for use in CIM compliant Splunk apps

Intrusion Detection/Prevention Systems

Data source | Source type(s) | Add-on | Description
TippingPoint | tippingpoint | TA-tippingpoint | Parses TippingPoint log data for use in CIM compliant Splunk apps
Juniper IDP | juniper:idp, netscreen:firewall, juniper:nsm:idp, juniper:nsm | TA-juniper | Parses Juniper log data for use in CIM compliant Splunk apps
OSSEC host-based Intrusion Detection System (IDS) | ossec | TA-ossec | Parses OSSEC HIDS log data for use in CIM compliant Splunk apps
Snort network intrusion detection/prevention system (IDS/IPS) | snort | TA-snort | Parses Snort IDS (open source) log data for use in CIM compliant Splunk apps
McAfee firewall | mcafee:ids | TA-mcafee | Parses McAfee IDS data (mcafee:ids) for use in CIM compliant Splunk apps; the same add-on also ingests McAfee ePO data (see Anti-virus / Endpoint Software)
Norse IPViking | norse | Splunk_TA_norse | Downloads Norse Darklist threat intelligence data for use in Splunk and supports contextual lookups against Norse IPViking
WMI | WMI:LocalApplication, WMI:LocalSystem, WMI:LocalSecurity, WMI:CPUTime, WMI:FreeDiskSpace, WMI:LocalPhysicalDisk, WMI:Memory, WMI:LocalNetwork, WMI:LocalProcesses, WMI:ScheduledJobs, WMI:Service, WMI:InstalledUpdates, WMI:Uptime, WMI:UserAccounts, WMI:UserAccountsSID, WMI:Version | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps

Networking Devices

Data source | Source type(s) | Add-on | Description
Bro IDS 2.1 | bro | TA-Bro | Ingests Bro IDS 2.1 logs; Bro produces them from live traffic or from packet captures (pcap)
Common Event Format (CEF) | cef | TA-cef | Parses ArcSight CEF data into the field names used by CIM compliant Splunk apps; also a useful template to start from when building a new add-on
flowd NetFlow collector | flowd | TA-flowd | Parses flowd NetFlow data for use in CIM compliant Splunk apps
NetFlow / IPFIX | flowfix | Splunk_TA_flowfix | Ingests NetFlow versions 5 and 7, along with IPFIX without vendor extensions
FTP servers | vsftpd | TA-ftp | Parses vsftpd log data for use in CIM compliant Splunk apps

Anti-virus / Endpoint Software

Data source | Source type(s) | Add-on | Description
Sophos (SEC server log or syslog) | sophos:threats | TA-sophos | Parses Sophos log data for use in CIM compliant Splunk apps
FireEye | (CEF logs or XML output, as configured in TA-fireeye) | TA-fireeye | Parses FireEye data for use in CIM compliant Splunk apps
McAfee anti-virus | mcafee:epo, mcafee:ids | TA-mcafee | Ingests McAfee ePO data for use in CIM compliant Splunk apps
Symantec AntiVirus version 10 and earlier (use sep for version 11 and later) | sav, winsav | TA-sav | Parses Symantec AntiVirus log data for use in CIM compliant Splunk apps
Symantec Endpoint Protection (SEP) host-based intrusion detection/prevention system, and Symantec AntiVirus version 11 and later | sep, sep:scm_admin | TA-sep | Parses Symantec Endpoint Protection log data for use in CIM compliant Splunk apps
Trend Micro (Windows Application event log, source::WinEventLog:Application) | WinEventLog:Application:trendmicro | TA-trendmicro | Parses Trend Micro log data for use in CIM compliant Splunk apps

Vulnerability Management Systems

Data source | Source type(s) | Add-on | Description
nCircle IP360 vulnerability management system | ncircle:ip360 | TA-ncircle | Ingests nCircle log data for use in CIM compliant Splunk apps
Nessus vulnerability scanner | nessus | TA-nessus | Ingests Tenable Nessus scan data for use in CIM compliant Splunk apps
Nmap security scanner | nmap | TA-nmap | Parses Nmap scan output for use in CIM compliant Splunk apps

Operating Systems

Data source | Source type(s) | Add-on | Description
Snare | snare | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps
NTSyslog | ntsyslog | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps
Monitorware | monitorware | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps
Platform-specific Unix authentication (security) logs | dhcpd, linux_secure, aix_secure, osx_secure, syslog | Splunk_TA_nix | Includes predefined inputs to collect data from *nix systems and normalize the data for use in CIM compliant Splunk apps
Windows event, DHCP, and system update logs | DhcpSrvLog, WindowsUpdateLog, WinRegistry, WinEventLog:Security, WinEventLog:Application, WinEventLog:System, fs_notification, scripts:InstalledApps, scripts:ListeningPorts | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps

Other

Data source | Source type(s) | Add-on | Description
IP2Location geolocation software | (not applicable) | TA-ip2location | Correlates IP addresses to locations using the Python IP2Location library
Oracle database | oracle | TA-oracle | Parses Oracle database server log data for use in CIM compliant Splunk apps
RSA ACE (Windows Application event log, source::WinEventLog:Application) | WinEventLog:Application:rsa | TA-rsa | Parses RSA ACE log data for use in CIM compliant Splunk apps
Splunk access and authentication logs | audittrail | TA-splunk | Parses Splunk audit log data for use in CIM compliant Splunk apps
Perfmon | PERFMON:CPUTime, PERFMON:FreeDiskSpace, PERFMON:Memory, PERFMON:LocalNetwork | Splunk_TA_windows | Includes predefined inputs to collect data from Windows systems and normalize the data for use in CIM compliant Splunk apps

This documentation applies to the following versions of ES: 3.0, 3.0.1.