LogSource Resource Mapping Confusion
I have a ticket opened but hoping to get a quicker response here.
I am using LogSources, but since we are an MSP with multiple clients, there seems to be an issue where syslogs are being mapped to other clients' devices that have the same IP, because I'm using IP=system.hostname as the mapping.
I have even pointed all the duplicate IPs to their respective syslog collector and it still maps wrong.
Am I doing something wrong or is the system not smart enough to know that it came on this collector, therefore I should only map it to resources monitored by that collector?
Is there a way I can use AND logic with the Token mapping for _lm.collectorId = system.collectorid?
Thanks in advance.
Yeah, I know about that option, which is what I was referencing in the opening, and that doesn't work.
I seem to have fixed this issue though with my own experimentation with the below settings.
This got devices mapping properly with duplicate IPs, as seen below.
It went from the wrong core switch to the proper Sophos XG device that shared the same IP.
No clue how this works; if it knows the deviceID the log is coming from, why even have all this IP mapping shenanigans?