Selecting and Creating Detection Rules with Syslog and Splunk

In today's cybersecurity landscape, effective detection rules are crucial for identifying and mitigating potential threats. Syslog, a standard protocol for logging system events, can be leveraged to create powerful detection rules. By ingesting these rules into Splunk, a leading security information and event management (SIEM) platform, organizations can enhance their security posture and gain valuable insights. In this blog post, we will explore how to select and create detection rules using syslog and integrate them into Splunk.

Top 10 Important Detection Rules

When selecting detection rules, it's essential to prioritize based on the potential impact and likelihood of a security incident. The traffic light system or risk matrix can be used to assess the criticality of each rule. Here are the top 10 important detection rules to consider:

  1. Authentication failures
  2. Unauthorized access attempts
  3. Privilege escalation
  4. Suspicious network connections
  5. Malware detection
  6. Data exfiltration
  7. Configuration changes
  8. System resource anomalies
  9. Suspicious user behavior
  10. Compliance violations

To select rules effectively, assign each rule a color (red, yellow, or green) or a risk score based on its potential impact and likelihood. Focus on implementing high-priority rules (red or high-risk) first, followed by medium (yellow) and low (green) priority rules.

Creating Syslog Detection Rules

Now, let's dive into creating detection rules using syslog. Here are examples of how to create syslog rules for each of the top 10 important rules:

Authentication failures:

authpriv.* /Failed login attempt/

Unauthorized access attempts:

authpriv.* /Unauthorized access attempt/

Privilege escalation:

authpriv.* /Privilege escalation/

Suspicious network connections:

kern.* /Suspicious network connection/

Malware detection:

kern.* /Malware detected/

Data exfiltration:

kern.* /Data exfiltration/

Configuration changes:

local7.* /Configuration change/

System resource anomalies:

kern.* /System resource anomaly/

Suspicious user behavior:

authpriv.* /Suspicious user behavior/

Compliance violations:

local7.* /Compliance violation/

Each rule is written as a syslog selector (facility.severity, where * matches every severity) followed by the message pattern to match. Adjust the facilities and patterns based on your specific environment and requirements.
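The facility-plus-pattern rules above, evaluated over a few log lines and ranked with the traffic light scheme from the previous section. This is an added example, not code from the original post: the colour assignments, the sample lines, the case-insensitive substring match and the names parse and evaluate are all assumptions.

```python
import re

# Facility codes from RFC 5424 (only those used by the rules on this page).
FACILITIES = {0: "kern", 10: "authpriv", 23: "local7"}
# (facility, message pattern, priority colour). The colours are assumptions
# for illustration; score them with your own risk matrix.
RULES = [
    ("authpriv", "Failed login attempt", "red"),
    ("authpriv", "Privilege escalation", "red"),
    ("kern", "Data exfiltration", "red"),
    ("local7", "Configuration change", "yellow"),
    ("local7", "Compliance violation", "green"),
]
ORDER = {"red": 0, "yellow": 1, "green": 2}
PRI = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse(line):
    """Split a syslog line into (facility, severity, message)."""
    m = PRI.match(line)
    if not m or int(m.group(1)) > 191:
        return None  # no valid PRI header: the facility cannot be checked
    pri = int(m.group(1))
    return FACILITIES.get(pri >> 3, str(pri >> 3)), pri & 7, m.group(2)

def evaluate(lines):
    """Return matches as (colour, facility, pattern, line), red first."""
    hits = []
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        facility, _severity, msg = parsed  # ".*" selector: any severity
        for rule_fac, pattern, colour in RULES:
            if facility == rule_fac and pattern.lower() in msg.lower():
                hits.append((colour, facility, pattern, line))
    return sorted(hits, key=lambda h: ORDER[h[0]])

# Constructed sample input (not real logs). PRI = facility * 8 + severity.
SAMPLE = [
    "<189>Jan 12 03:14:07 fw01 cfgd: Configuration change by admin",
    "<86>Jan 12 03:14:09 web01 sshd[411]: Failed login attempt for root",
    "<14>Jan 12 03:14:10 web01 app: Failed login attempt for bob",  # user facility
    "Jan 12 03:14:11 web01 sshd: Failed login attempt (no PRI header)",
    "<84>Jan 12 03:14:12 web01 sudo: privilege escalation to uid 0",
]

if __name__ == "__main__":
    for colour, facility, pattern, line in evaluate(SAMPLE):
        print(f"[{colour}] {facility}: {pattern} <- {line}")
```

The third and fourth sample lines contain a matching message but produce no hit, because one arrives on the user facility and the other has no PRI header. Check which facility your sources actually use before relying on a facility-scoped rule.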

Ingesting Syslog Rules into Splunk

To ingest the syslog data into Splunk and apply the rules to it, follow these steps:

  1. Configure your syslog sources to forward logs to Splunk.
  2. In Splunk, navigate to "Settings" > "Data inputs" and select "UDP" or "TCP" based on your syslog configuration.
  3. Specify the port number and source type for the incoming syslog data.
  4. Save the configuration and start the input.
  5. Create a new Splunk search and use the source and sourcetype fields to filter the relevant syslog data.
  6. Apply the syslog detection rules using Splunk's search language. For example:
     source="syslog" sourcetype="syslog" "Failed login attempt"
  7. Save the search as an alert or dashboard panel for real-time monitoring and incident response.

By ingesting syslog data into Splunk and applying the detection rules there, you can centralize your security monitoring, correlate events across multiple sources, and leverage Splunk's powerful analytics capabilities to detect and investigate security incidents effectively.

Remember to regularly review and update your detection rules based on evolving threats and your organization's specific needs. Stay proactive in your cybersecurity efforts to protect your systems and data from potential breaches.