E.g. I have many logs forwarded to the syslog server.
I intend to install a universal forwarder on that syslog server to forward to Splunk.
However, once forwarded to Splunk, what will be the sourcetype?
Can my Check Point server logs be recognized as sourcetype=cp_log in Splunk, or is it syslog?
I tried just uploading the log file in Splunk with sourcetype=cp_log, but it does not recognize the format.
Log entry format is as follows:
Checkpoint xxxx -[action:" xx",flags:"xxx", ifdir:"xx",etc ]
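One way to get the mixed syslog feed tagged per product, as an added example that is not part of the original post or of any Splunk add-on: the universal forwarder ships everything as `syslog`, and an index-time override on the indexers re-labels only the Check Point lines as `cp_log`. The monitor path, the `netfw` index name, the stanza names and the match regex are assumptions chosen to fit the line shape shown in the question.

```ini
# inputs.conf on the universal forwarder.
# Assumed path: the syslog server writes one file per sending host here.
# A UF only tags and ships; it does not parse, so the override below
# cannot live here.
[monitor:///var/log/remote/*.log]
index = netfw
sourcetype = syslog
disabled = 0

# props.conf on the indexers (or a heavy forwarder in front of them).
# Keyed by the sourcetype the UF assigned, so every syslog event passes
# through the override once at index time.
[syslog]
TRANSFORMS-set_cp_sourcetype = set_cp_log

# transforms.conf on the same indexers.
# Assumed regex: matches the "Checkpoint <id> -[action:"...", ...]" shape
# from the question wherever it sits after the syslog header; any event
# that does not match keeps sourcetype=syslog.
[set_cp_log]
REGEX = Checkpoint\s+\S+\s+-\[
FORMAT = sourcetype::cp_log
DEST_KEY = MetaData:Sourcetype
```

Two things to check after restarting the indexers: the override is index-time only, so it applies to newly arriving events and not to data already indexed, and `sourcetype=cp_log` by itself only labels the events; the field extractions for that sourcetype still have to be installed on the search head (for example from a Check Point add-on) for searches like `index=netfw sourcetype=cp_log` to show `action`, `flags` and `ifdir` as fields.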