How to identify each device that sends logs to a single forwarder collector?

I have multiple firewalls (same log type) sending logs to a single collector and I need to identify them by their IP addresses. Is there a way to do this without having to create and label hundreds of collectors and without requiring manual maintenance (e.g., using rsyslog would require editing its config file every time a new log source is added)?


If your firewall allows for it, often they'll send something like a hostname or IP in the raw log. If you just parse that to an observer field it sounds like it would save you a lot of labeling effort.

Most parsed logs will have IP details under the UDM observer/intermediary/principal hostname fields.

If your requirement is to have a name identifier tagged to each event as well (e.g. ASA_DMZ), then you can achieve it through custom parsing. Please note that Chronicle doesn't support the translate filter plugin.
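The logic both replies describe, as an added example that is not part of either reply and not Chronicle parser syntax: extract the sending host from the syslog header of each raw line, place it in an observer-style field (hostname or IP depending on what the firewall wrote), and attach a name identifier from a static lookup table, which is the usual substitute when a translate filter is unavailable. The sample log lines, the hostnames, the IP addresses and the `DEVICE_NAMES` map are all constructed for this example; the regex covers only the RFC 3164-style header shown in the samples.

```python
import re
from ipaddress import ip_address

# Constructed sample lines from two firewalls plus one malformed line.
# Hostnames, IPs and message bodies are made up for this example.
SAMPLE_LOGS = [
    "<166>Mar 10 12:00:01 fw-dmz-01 %ASA-6-302013: Built outbound TCP connection 1234 "
    "for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.0.0.5/51000 (10.0.0.5/51000)",
    "<166>Mar 10 12:00:02 192.0.2.20 %ASA-6-302014: Teardown TCP connection 1234 "
    "for outside:203.0.113.5/443 to inside:10.0.0.5/51000 duration 0:00:01 bytes 512 TCP FINs",
    "garbage line without a syslog header",
]

# RFC 3164-style header: <PRI>Mon DD HH:MM:SS HOST MESSAGE
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# Static host -> name-identifier map (hypothetical values). This is the
# lookup a translate filter would normally perform.
DEVICE_NAMES = {
    "fw-dmz-01": "ASA_DMZ",
    "192.0.2.20": "ASA_CORE",
}

UNMAPPED_LABEL = "UNMAPPED_DEVICE"


def parse_event(line):
    """Return a UDM-like dict for one raw line, or None if the header is missing."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    host = m.group("host")
    observer = {}
    # Some firewalls write their IP in the header, others their hostname;
    # route the value to the matching observer field.
    try:
        ip_address(host)
        observer["ip"] = host
    except ValueError:
        observer["hostname"] = host
    return {
        "observer": observer,
        "additional": {"device_label": DEVICE_NAMES.get(host, UNMAPPED_LABEL)},
        "message": m.group("msg"),
    }


def parse_batch(lines):
    """Parse many lines, silently dropping those without a syslog header."""
    return [e for e in (parse_event(ln) for ln in lines) if e is not None]


def unmapped_sources(events):
    """Hosts that sent logs but have no entry in DEVICE_NAMES.

    Reviewing this set is how a new firewall gets noticed without anyone
    hand-editing a collector per device.
    """
    hosts = set()
    for e in events:
        if e["additional"]["device_label"] == UNMAPPED_LABEL:
            obs = e["observer"]
            hosts.add(obs.get("ip") or obs.get("hostname"))
    return hosts


if __name__ == "__main__":
    for ev in parse_batch(SAMPLE_LOGS):
        print(ev["observer"], ev["additional"]["device_label"])
    print("unmapped:", unmapped_sources(parse_batch(SAMPLE_LOGS)))
```

The label is stored in a separate `additional` field rather than overwriting the observer value, so the original host from the header stays searchable even if the map is later changed.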