I have multiple firewalls (same log type) sending logs to a single collector and I need to identify them by their IP addresses. Is there a way to do this without having to create and label hundreds of collectors and without requiring manual maintenance (e.g., using rsyslog would require editing its config file every time a new log source is added)?
If your firewall allows for it, often they'll send something like a hostname or IP in the raw log. If you just parse that to an observer field it sounds like it would save you a lot of labeling effort.
Mostly, parsed logs will have IP details under UDM observer/intermediary/principal.hostname.
If your requirement is to have a name identifier tagged to each event as well, e.g. ASA_DMZ, then you can achieve it through custom parsing. Please note that Chronicle doesn't support the translate filter plugin.
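The custom-parsing approach described in the reply above, written out as an added example (this is not code from the thread or from Google): a Chronicle custom parser that extracts the sending firewall's address from the syslog header into `observer.ip`, then assigns a site label such as ASA_DMZ with explicit conditionals, since the translate filter is unavailable. The raw line format, the IP addresses, the label names and the token names (`src_host`, `no_header`, `event1`) are all assumptions for illustration.

```logstash
filter {
  # Constructed sample input (assumed format, not taken from the thread):
  # "<166>Jan 01 12:00:00 10.0.0.5 %ASA-6-302013: Built inbound TCP connection ..."
  # The address after the timestamp is the firewall that emitted the line.
  grok {
    match => {
      "message" => "^(?:<%{NUMBER:pri}>)?%{SYSLOGTIMESTAMP:ts} %{IP:src_host} %{GREEDYDATA:body}"
    }
    on_error => "no_header"
  }

  if ![no_header] {
    # observer.ip is a repeated UDM field, so it is populated with merge.
    mutate {
      merge => { "event1.idm.read_only_udm.observer.ip" => "src_host" }
    }

    # No translate filter in Chronicle: the IP-to-name lookup is spelled out
    # as conditionals. Addresses and labels are placeholders; add one branch
    # per firewall, or fall through to a default label for unknown sources.
    if [src_host] == "10.0.0.5" {
      mutate { replace => { "event1.idm.read_only_udm.observer.hostname" => "ASA_DMZ" } }
    } else if [src_host] == "10.0.0.6" {
      mutate { replace => { "event1.idm.read_only_udm.observer.hostname" => "ASA_CORE" } }
    } else {
      mutate { replace => { "event1.idm.read_only_udm.observer.hostname" => "UNKNOWN_FIREWALL" } }
    }

    mutate {
      replace => { "event1.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT" }
    }
    mutate { merge => { "@output" => "event1" } }
  }
}
```

The unknown-source branch is deliberate: a line from an address not yet in the list still lands in UDM with a visible UNKNOWN_FIREWALL label, which is the cue that a new device needs a branch added, rather than a silently unlabeled event. Validate the parser against a sample of each device's raw output before deploying it, because a header that does not match the grok pattern sets no_header and produces no event.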