Forum Discussion

Neophyte

3 months ago

LogSource Resource Mapping Confusion

I have a ticket opened but hoping to get a quicker response here.

I am using LogSources but since we are an MSP with multiple clients, there seems to be an issue syslog's are being mapped to other client devices that have the same IP because I'm using IP=system.hostname as the mapping.

I have even pointed all the duplicate IPs to their respective syslog collector and it still maps wrong.

Am I doing something wrong or is the system not smart enough to know that it came on this collector, therefore I should only map it to resources monitored by that collector?

Is there a way I can use AND logic with the Token mapping for _lm.collectorId = system.collectorid?

Thanks in advance.

LM Logs

Justin_Lanoue
3 months ago
Yeah I know about that option which is what I was refencing in the opening and that doesn't work.
I seem to have fixed this issue though with my own experimentation with the below settings.
This got devices mapping properly with duplicate IP as seen below.
It went from the wrong core switch to the proper Sophos XG device that shared the same IP.

No clue how this works as if knows the deviceID the log is coming from why even have all this IP mapping shenanigans?

Anonymous
3 months ago
Justin_Lanoue wrote:
Am I doing something wrong or is the system not smart enough to know that it came on this collector, therefore I should only map it to resources monitored by that collector?

On purpose, it ignores the collector assignment. This is because you might want the logs coming in on one collector and the collection happening on a different collector, to distribute the load.

FWIW: we don't use IP=system.hostname. Instead we use IP=system.ips. However, I can't be sure that one customer's logs aren't showing up under a different customer. Now I have to check and I'll be following for a solution.
- Justin_Lanoue
  Neophyte
  3 months ago
  FWIW: we don't use IP=system.hostname. Instead we use IP=system.ips. However, I can't be sure that one customer's logs aren't showing up under a different customer
  I found using system.ips was way worse as it opened a broader scope to duplicate IPs.
  On purpose, it ignores the collector assignment. This is because you might want the logs coming in on one collector and the collection happening on a different collector, to distribute the load.
  I understand but even then, there should be logic to know the collector and the device both have the system.tenant.identifier property or something.
  I'll definitely update this thread if I get a solution from support.
  - Anonymous
    3 months ago
    On the device, you can check a box that says "Enable LM Logs" which will give you the ability to specify a collector group and collector. That may be how it's done.
    
    Now i gotta go figure out how to script it so that all devices have it checked and set to the collecting collector.

Forum Discussion

LogSource Resource Mapping Confusion

Related Content

Resource Explorer

Has anybody noticed the flaw in LogSource logic?

Resource Tree Deprecation?

Resource Dead parameter

Resource Tree is BACK!

Recent Discussions

LM datasources backing up

Hint to backing up LM datasources

Auto Balanced Collector Group vs Failover?

Monitoring Top 10 processes on Windows and Linux platforms

Which property source sets system.collector?