Information Security and Network Awareness

Hurricane Labs

Subscribe to Hurricane Labs: eMailAlertsEmail Alerts
Get Hurricane Labs: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: Java Developer Magazine, Travel Tips, Haiti EarthQuake

Blog Feed Post

The Tagging Of The Splunk


In Splunk there are a number of ways to “add knowledge”, as they call it, to your incoming data. You can tag a host with an arbitrary text block to identify it some way. For example, could be tagged as “critical” or “confidential”, you can even get crazy and tag it as what its function is. You can also have multiple tags, comma separated, of course. This makes Splunk a very powerful way to help manage and track the types of data coming. Of course such a powerful mechanism is not without its drawbacks but there aren’t many, I’ll attempt to elaborate on some of the pitfalls of Splunk tagging and how to avoid them. Away we go…

The Undertagger


You know this type, he’s the one that doesn’t talk a lot in meetings because you should just magically know what is on his mind, he also hates to be asked questions. Yes this guy just assumes everyone knows the same things as he does so tagging doesn’t naturally suit him. The problem of course is when the Undertagger is on vacation or not involved in say, the monitoring of whatever systems he is responsible for. I’ve dealt with this type for many years and the only way to deal with him is to ask as many questions as you can and tag for him. Sounds like a horrible solution, and it is, however you can’t change people and they seldom change on their own.

The problem the Undertagger is causing is a big problem throughout all of IT and that is the “silo” mentality and today’s mostly holistic approach to things really confounds the Undertagger and systems like Splunk make their heads explode because they’re really very happy in their bubble. We have to pull the information out of the Undertagger and get it into Splunk using any means we can find. Personally I try taking Undertagger out to lunch and getting information that way when they’re least expecting it, failing that I just badger them until they tell me what I need until I go away. I will then happily do all the tagging for them based on that.

The Midtagger

The Midtagger is a rare beast, most people fall into one of our other two categories. This type though is often “too busy” to do the tagging but always “means to” and just never does. You can usually defeat the Midtagger by offering ways in which tagging would make them less busy. This can usually be done by showing them how adding knowledge to Splunk can save time with support calls and unrelated questions. People who “get” Splunk are generally data driven and this method does work.

The Overtagger

This is probably the most common type, the Overtagger *cue dramatic music* and wow can this one be tricky. They tag EVERYTHING, host, source,sourcetype, destination and on and on and on, usually with overlapping tags or such in depth detail that the tags are bigger than the data itself. On one hand you don’t want to diminish their enthusiasm but they can’t keep tagging everything in sight either and certainly not with so many levels of detail. Tags should be quick hits that help describe groups of things and not just one thing, not usually anyway.

The Strategy

This is where we’ll talk strategy and not just about a specific type, these strategies should prove effective across all of our tagger types. The first part of our strategy is glaringly simple, have a plan. I know, I know, sounds really easy right? An effective tagging plan should answer the basic questions of “what should I tag, how should I tag and where should I tag it?” These questions can be answered with a simple one page tagging cheat sheet that data wranglers can use when they’re getting data into Splunk. Want some examples? I knew you did.

Tag Host

Tag By Group or Function

Host Example 1

A host tag should identify the host by its larger group or function. If you have a group of web servers that all do basically the same thing and that is run the corporate website you could tag the hosts with “web_servers, corp_site” or however you choose to designate it.

Tag By Criticality

Host Example 2
Another way to tag hosts is by their criticality and it is not exclusive of the above examples. If a system simply cannot ever go down or have a problem and if something bad happens then everyone should be woken up. A “critical” tag is the way to do this. I find doing this by host is a great way to do this. A more broad example would be a set of tags that say “web_servers, corp_financial_reporting, critical”. We can then construct a Splunk alert that escalates as needed.

Tag Sourcetype

Tag By Application

Sourcetype Example 1
This is much simpler, you can tag sourcetype based on whatever application it is. I use this a lot with custom applications. For example, if you have a custom java application, you could tag this sourcetype as the common name for that application so it is instantly identifiable.

Tag By Unknown

Sourcetype Example 2
I also like to tag sourcetypes that I don’t fully understand so I come back to them later. I usually use an “unknown” tag for that but whatever your preference is will probably work.

Final Note

These are just a couple of ways I use Splunk tags and these will hopefully get you thinking about creative ways to use them in your organization, I find them a very powerful element of Splunk but not always an appropriately appreciated one. I might also be categorized as an Overtagger in some cases but that’s okay, I’ve learned to live with it. The important point is to make sure you are using the Splunk knowledge system to its fullest potential and tagging is a huge element of that.

The post The Tagging Of The Splunk appeared first on Hurricane Labs.

Read the original blog entry...

More Stories By Hurricane Labs

Christina O’Neill has been working in the information security field for 3 years. She is a board member for the Northern Ohio InfraGard Members Alliance and a committee member for the Information Security Summit, a conference held once a year for information security and physical security professionals.