Forum Discussion

Justin_Lanoue's avatar
3 months ago

LogSource Resource Mapping Confusion

I have a ticket opened but hoping to get a quicker response here.

I am using LogSources but since we are an MSP with multiple clients, there seems to be an issue syslog's are being mapped to other client devices that have the same IP because I'm using IP=system.hostname as the mapping.

I have even pointed all the duplicate IPs to their respective syslog collector and it still maps wrong.

Am I doing something wrong or is the system not smart enough to know that it came on this collector, therefore I should only map it to resources monitored by that collector?

Is there a way I can use AND logic with the Token mapping for _lm.collectorId = system.collectorid?

Thanks in advance.

  • Yeah I know about that option which is what I was refencing in the opening and that doesn't work.

    I seem to have fixed this issue though with my own experimentation with the below settings.

    This got devices mapping properly with duplicate IP as seen below.

    It went from the wrong core switch to the proper Sophos XG device that shared the same IP.

     

    No clue how this works as if knows the deviceID the log is coming from why even have all this IP mapping shenanigans?

  • Anonymous's avatar
    Anonymous
    Justin_Lanoue wrote:

    Am I doing something wrong or is the system not smart enough to know that it came on this collector, therefore I should only map it to resources monitored by that collector?

    On purpose, it ignores the collector assignment. This is because you might want the logs coming in on one collector and the collection happening on a different collector, to distribute the load. 

    FWIW: we don't use IP=system.hostname. Instead we use IP=system.ips. However, I can't be sure that one customer's logs aren't showing up under a different customer. Now I have to check and I'll be following for a solution. 

    • Justin_Lanoue's avatar
      Justin_Lanoue
      Icon for Neophyte rankNeophyte

      FWIW: we don't use IP=system.hostname. Instead we use IP=system.ips. However, I can't be sure that one customer's logs aren't showing up under a different customer

      I found using system.ips was way worse as it opened a broader scope to duplicate IPs.

      On purpose, it ignores the collector assignment. This is because you might want the logs coming in on one collector and the collection happening on a different collector, to distribute the load. 

      I understand but even then, there should be logic to know the collector and the device both have the system.tenant.identifier property or something.

      I'll definitely update this thread if I get a solution from support.

      • Anonymous's avatar
        Anonymous

        On the device, you can check a box that says "Enable LM Logs" which will give you the ability to specify a collector group and collector. That may be how it's done.

        Now i gotta go figure out how to script it so that all devices have it checked and set to the collecting collector.