Splunk Application or "Best Practices" document

Looking to figure out best practices around what to report on from the Syslog output from SPP.

Capturing the logs and everything is all working as expected, but looking for something to help figure out which logs are the important ones and which to alert on. Does anyone know of a document out there that spells out the Syslog logs and which are best to send out alerts for? 

Either that, or if someone has created a lightweight Splunk app that does something similar with the Syslog output.

Parents Reply
  • Thanks, this gives a good high-level overview of all of the events sent to Syslog.

    Do you know if there's any sort of a library or an example ruleset, or even something you or another engineer has used as a basis to start from? I don't have any Splunk experience, so I'm just looking for anything that would help out the customer without them needing to create dozens and dozens of filter rules to get the information they're after.