SPLK-CL-000100 - Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.

Information

If the application is not configured to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. Centralized log aggregation must also include logs from databases and servers (e.g., Windows) that do not natively send logs using the syslog protocol.

Solution

Configure Splunk Enterprise to aggregate log records from organization-defined devices and hosts within its scope of coverage, as defined in the site security plan.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_8-x_for_Linux_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12(1), CAT|III, CCI|CCI-000174, CCI|CCI-003821, Rule-ID|SV-251663r992039_rule, STIG-ID|SPLK-CL-000100, Vuln-ID|V-251663

Plugin: Splunk

Control ID: c7edf6a3c3ef91746f3de8107a16b480bf0c87b570259ac9ea06f8ed88f67888