UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.


Overview

Finding ID Version Rule ID IA Controls Severity
V-221621 SPLK-CL-000250 SV-221621r879557_rule Low
Description
If the application is not configured to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. Centralized log aggregation must also include logs from databases and servers (e.g., Windows) that do not natively send logs using the syslog protocol.
STIG Date
Splunk Enterprise 7.x for Windows Security Technical Implementation Guide 2023-06-09

Details

Check Text ( C-23336r416320_chk )
Examine the site documentation that lists the scope of coverage for the instance being reviewed.

Select Settings >> Data Inputs. Verify that data inputs are configured to support the scope of coverage documented for the site.

If Splunk enterprise is not configured to aggregate log records from organization-defined devices and hosts within its scope of coverage, this is a finding.
Fix Text (F-23325r416321_fix)
Configure Splunk Enterprise to aggregate log records from organization-defined devices and hosts within its scope of coverage, as defined in the site security plan.