I have configured our XG to push all syslog data to a syslog-ng collector, and from there I have the Splunk forwarder set to forward all data from the log to my indexer as sourcetype = sophos:xg:syslog.
However, everything is logging on the indexer as sourcetype sophos:xg:IDP even though we have all syslog data forwarding from the firewall. Is there something I need to change on inputs.conf or outputs.conf of the indexer or forwarder to make this function properly?
I have installed the add-on on both the indexer and the forwarder and restarted Splunk on both.