SIEM Foundations: Verify That All Data Sources Are Logging as Expected

Version 4

    Any time new data sources have been added to your ESM, it's a good idea to get in the habit of validating that the events are flowing in properly, being parsed as expected, and have timestamps that are consistent with the rest of your environment.  Below is a basic checklist of items to look for the ensure that data sources are logging as expected.

     

    • Look for inactivity flags in the system tree on the left side of the console (assuming you have not disabled inactivity flags entirely in an earlier step).  Flags are often indicators of data sources that are misconfigured or not sending data.  If you see inactivity flags, examine the data source configuration in ESM, as well as on the source device, and ensure that everything is set up properly.  Often a misconfigured port or IP address is the culprit here.

    inactivity flags.png

    Data Source Inactivity Flags

    • Leverage a generic view such as Dashboard Views/Normalized Dashboard to examine your logs for each data source, and confirm that you are seeing what’s expected.  You're looking to ensure that the event descriptions are appropriate for your data source, and the volumes of logs generally match your expectations.
    • Examine the time stamps on the most recent events coming in from your data source.  Do the time stamps on these events appear consistent?  If your data source is something that logs fairly consistently over time, then the most recent logs should be no more than a few minutes old.  Also, there should be no logs "in the future".  Time configuration is one of the most common issues with data sources.  It's not uncommon for data sources to have incorrect or unexpected time zones, and these issues should be corrected as soon as they are discovered to avoid future problems.

     

    Remember that the time zone configured in ESM for a data source should always match the time zone of the logs received from that source.  If they don't match, then some very unexpected things can happen.  If you discover inconsistent time settings, then you should adjust either the time zone on the upstream data source, or adjust the time zone configuration in the data source properties in ESM to match what you're seeing.

     

    The McAfee KnowledgeBase has more details on troubleshooting timestamps:

     

     

    « previousoutlinenext »