Forum Discussion

Neophyte

28 days ago

LogSource Resource Mapping Confusion

I have a ticket opened but hoping to get a quicker response here.

I am using LogSources but since we are an MSP with multiple clients, there seems to be an issue syslog's are being mapped to other client devices that have the same IP because I'm using IP=system.hostname as the mapping.

I have even pointed all the duplicate IPs to their respective syslog collector and it still maps wrong.

Am I doing something wrong or is the system not smart enough to know that it came on this collector, therefore I should only map it to resources monitored by that collector?

Is there a way I can use AND logic with the Token mapping for _lm.collectorId = system.collectorid?

Thanks in advance.

LM Logs

Justin_Lanoue
27 days ago
Yeah I know about that option which is what I was refencing in the opening and that doesn't work.
I seem to have fixed this issue though with my own experimentation with the below settings.
This got devices mapping properly with duplicate IP as seen below.
It went from the wrong core switch to the proper Sophos XG device that shared the same IP.

No clue how this works as if knows the deviceID the log is coming from why even have all this IP mapping shenanigans?

Stuart_Weenig
Mastermind
28 days ago
Justin_Lanoue wrote:
Am I doing something wrong or is the system not smart enough to know that it came on this collector, therefore I should only map it to resources monitored by that collector?

On purpose, it ignores the collector assignment. This is because you might want the logs coming in on one collector and the collection happening on a different collector, to distribute the load.

FWIW: we don't use IP=system.hostname. Instead we use IP=system.ips. However, I can't be sure that one customer's logs aren't showing up under a different customer. Now I have to check and I'll be following for a solution.
- Justin_Lanoue
  Neophyte
  28 days ago
  FWIW: we don't use IP=system.hostname. Instead we use IP=system.ips. However, I can't be sure that one customer's logs aren't showing up under a different customer
  I found using system.ips was way worse as it opened a broader scope to duplicate IPs.
  On purpose, it ignores the collector assignment. This is because you might want the logs coming in on one collector and the collection happening on a different collector, to distribute the load.
  I understand but even then, there should be logic to know the collector and the device both have the system.tenant.identifier property or something.
  I'll definitely update this thread if I get a solution from support.
  - Stuart_Weenig
    Mastermind
    28 days ago
    On the device, you can check a box that says "Enable LM Logs" which will give you the ability to specify a collector group and collector. That may be how it's done.
    
    Now i gotta go figure out how to script it so that all devices have it checked and set to the collecting collector.

Forum Discussion

LogSource Resource Mapping Confusion

Related Content

Has anybody noticed the flaw in LogSource logic?

Resource Explorer

Resource Dead parameter

Resource Tree is BACK!

Resource Property Filters on the New UI Preview

Recent Discussions

Anyone else getting Spammed with emails this morning?

I need to alert for 20 consecutive failed logon attempts within a 30 minute time period

Issues automating Least Privelege at scale

LogicModules Toolbox Broken in Version 210

Chat link location