Current setup:
ForeScout currently sending syslog data to a Kiwi syslog server.
Splunk is monitoring the file and pulls it in successfully.
Can I modify the Forescout-TA and Forescout App to read the data and perform the field extractions?
At this time, we are not looking to use the adaptive response or configure policies from Forescout to send to Splunk.
I simply just want to see the data and have the fields extracted correctly.
I modified the inputs.conf to align with what I think the props.conf is looking for, and I included the sourcetype and the index 'fsctcenter' I created:
# ForeScout CounterACT feed
[monitor://E:\syslog\counteract\*\*.txt]
ignoreOlderThan = 7d
sourcetype = fsctcenter_avp
index = fsctcenter
host_segment = 3