
How to identify each device that sends logs to a single forwarder collector?

  • April 4, 2024
  • 2 replies
  • 38 views

Lord_Capybara

I have multiple firewalls (same log type) sending logs to a single collector and I need to identify them by their IP addresses. Is there a way to do this without having to create and label hundreds of collectors, and without requiring manual maintenance (e.g., using rsyslog would require editing its config file every time a new log source is added)?

2 replies

  • Bronze 1
  • April 4, 2024

If your firewall allows for it, often they'll send something like a hostname or IP in the raw log. If you just parse that to an observer field it sounds like it would save you a lot of labeling effort.


  • Bronze 2
  • April 5, 2024

Mostly, parsed logs will have IP details under UDM observer/intermediary/principal.hostname.

If your requirement is to have a name identifier tagged to each event as well, e.g. ASA_DMZ, then you can achieve it through custom parsing. Please note that Chronicle doesn't support the translate filter plugin.
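Both replies come down to the same idea: recover the sending device's identity from each raw line instead of from which collector received it. The following Python is an added example (not code from either poster, and not a Chronicle parser; a real Chronicle parser is written in its own parser configuration language) that shows the logic a custom parser would implement: pull the hostname or IP literal from the syslog header, fall back to the transport peer address the collector saw when the payload carries no host at all, and tag the event with a device label such as ASA_DMZ from a lookup table. The syslog lines, peer addresses, hostnames and the DEVICE_LABELS table are all constructed for this example; the output keys observer.hostname and observer.ip are the UDM field names the reply mentions, while where the label itself lands in UDM is left to the parser author.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3164-style header: "<PRI>Mon dd HH:MM:SS host message". PRI is optional
# because some relays strip it. The host token may be a name or an IP literal,
# depending on how the firewall is configured.
SYSLOG_HEADER = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Constructed lookup table (hypothetical devices). In production this would be a
# reference list maintained outside the parser, not hard-coded.
DEVICE_LABELS: Dict[str, str] = {
    "fw-dmz-01": "ASA_DMZ",
    "10.0.5.2": "ASA_DMZ",   # same firewall when it logs its IP instead of a name
    "fw-edge-01": "ASA_EDGE",
}

# Constructed sample input: (raw line, transport source address seen by the collector)
SAMPLE_LINES: List[Tuple[str, str]] = [
    ("<166>Apr  4 10:00:00 fw-dmz-01 %ASA-6-302013: Built inbound TCP connection", "10.0.5.2"),
    ("<166>Apr  4 10:00:01 10.0.5.2 %ASA-6-302014: Teardown TCP connection", "10.0.5.2"),
    # Header stripped entirely: only the peer address identifies the device
    ("%ASA-6-106023: Deny tcp src outside:203.0.113.7/44321 dst dmz:10.0.5.20/443", "10.0.5.2"),
    ("<166>Apr  4 10:00:03 fw-lab-99 %ASA-6-302013: Built inbound TCP connection", "192.0.2.9"),
]


@dataclass
class Event:
    observer_hostname: Optional[str]
    observer_ip: Optional[str]
    device_label: str
    message: str

    def to_udm(self) -> dict:
        """Flatten to the UDM-style keys the thread talks about."""
        return {
            "observer.hostname": self.observer_hostname,
            "observer.ip": [self.observer_ip] if self.observer_ip else [],
            "device_label": self.device_label,
            "message": self.message,
        }


def parse_event(raw: str, peer_ip: str) -> Event:
    """Extract observer identity from one raw line.

    peer_ip is the UDP/TCP source address the collector received the datagram
    from; it is the fallback when the payload carries no host at all.
    """
    hostname: Optional[str] = None
    ip: Optional[str] = None
    message = raw
    m = SYSLOG_HEADER.match(raw)
    if m:
        host = m.group("host")
        try:
            ip = str(ipaddress.ip_address(host))   # host token is an IP literal
        except ValueError:
            hostname = host                        # host token is a name
        message = m.group("msg")
    if ip is None:
        ip = peer_ip   # nothing usable in the payload: trust the transport address
    # Prefer the name the device announces, then its IP, then mark it unknown so
    # an unlabeled source shows up in a dashboard instead of being silently mixed in.
    label = DEVICE_LABELS.get(hostname or "") or DEVICE_LABELS.get(ip) or "UNKNOWN_DEVICE"
    return Event(hostname, ip, label, message)


def tag_events(lines: List[Tuple[str, str]]) -> List[Event]:
    return [parse_event(raw, peer) for raw, peer in lines]


def summarize(events: List[Event]) -> Dict[str, int]:
    """Event count per device label; useful for spotting UNKNOWN_DEVICE sources."""
    counts: Dict[str, int] = {}
    for ev in events:
        counts[ev.device_label] = counts.get(ev.device_label, 0) + 1
    return counts


if __name__ == "__main__":
    for ev in tag_events(SAMPLE_LINES):
        print(ev.to_udm())
    print(summarize(tag_events(SAMPLE_LINES)))
```

The UNKNOWN_DEVICE bucket is the maintenance hook the question asks about: a newly added firewall keeps flowing through the single collector and is identifiable by hostname or IP immediately; the only ongoing work is adding a row to the lookup table when you want a friendly label.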