STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 5 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Splunk Enterprise 8.x for Linux Security Technical Implementation Guide

V-251663

CAT III (Low)

Splunk Enterprise must be configured to aggregate log records from organization-defined devices and hosts within its scope of coverage.

Rule ID

SV-251663r992039_rule

STIG

Splunk Enterprise 8.x for Linux Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-000174CCI-003821

Discussion

If the application is not configured to collate records based on the time when the events occurred, the ability to perform forensic analysis and investigations across multiple components is significantly degraded. Centralized log aggregation must also include logs from databases and servers (e.g., Windows) that do not natively send logs using the syslog protocol.

Check Content

Examine the site documentation that lists the scope of coverage for the instance being reviewed.

Select Settings >> Data Inputs. Verify that data inputs are configured to support the scope of coverage documented for the site.

If Splunk enterprise is not configured to aggregate log records from organization-defined devices and hosts within its scope of coverage, this is a finding.

Fix Text

Configure Splunk Enterprise to aggregate log records from organization-defined devices and hosts within its scope of coverage, as defined in the site security plan.