I integrated a few Linux servers into ESM on which different applications were installed. Now I am getting logs but am unable to differentiate between OS logs and application logs.
I am also getting a lot of Unknown logs. Any help?
You can enable the parsers for the Linux data source that match the application you are feeding logs from, if the data source and Linux are capable of using ASP parsers; otherwise, go through your unknown events' packet data and start creating custom parsers to grab that data out.
It is very tedious and time-consuming, but unless you have parsers for both the Linux OS logs and the application logs you are feeding over the same channel, you will not be able to get an accurate read on the data.
Hopefully this helps, but custom parsers are a huge pain point, and multiple log sources from the same box are fairly difficult to accomplish in the SIEM. The same types of issues come up grabbing IIS logs, Exchange logs, and Windows Event Logs all from a WMI device: it can be done, but it requires some special configurations.
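The answer above describes the mechanism behind the Unknown events: one syslog channel carries both OS daemons and application output, and any line whose program tag has no matching parser falls through as unknown. The following is an added illustration, not code from the original thread and not ESM's ASP rule syntax; it is a small Python classifier over a constructed syslog stream (hostnames, PIDs and the `myapp`/`legacyd` program names are made up) that mimics the triage step: split OS from application events by program tag, and report which tags are producing the unknowns so you know where a custom parser is still missing.

```python
import re
from collections import Counter

# Constructed sample: RFC 3164-style syslog lines from one Linux host carrying
# both OS daemons (sshd, CRON, kernel) and an application ("myapp").
# Every hostname, PID, user and address here is made up for the example.
SAMPLE_LINES = [
    "Mar 10 12:00:01 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 10 12:00:02 web01 CRON[1240]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
    "Mar 10 12:00:03 web01 kernel: [123456.789] eth0: link up",
    "Mar 10 12:00:04 web01 myapp[2001]: order_id=42 status=created user=alice",
    "Mar 10 12:00:05 web01 myapp[2001]: order_id=43 status=failed reason=timeout",
    "Mar 10 12:00:06 web01 legacyd: heartbeat ok",          # no parser exists for this tag
    "this line has no syslog header at all",                # malformed / non-syslog input
]

# Header of a classic syslog line: timestamp, host, program tag, optional [pid], then message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Hypothetical parser tables keyed by program tag: one set for the OS, one for
# the application. In a SIEM these would be the enabled ASP / custom parsers.
OS_PARSERS = {
    "sshd": re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"),
    "CRON": re.compile(r"\((?P<user>[^)]+)\) CMD \((?P<cmd>.*)\)"),
    "kernel": re.compile(r"(?P<text>.*)"),
}
APP_PARSERS = {
    "myapp": re.compile(r"order_id=(?P<order_id>\d+) status=(?P<status>\w+)"),
}


def classify(line):
    """Return a dict with category 'os', 'app' or 'unknown' plus extracted fields."""
    m = SYSLOG_RE.match(line)
    if not m:
        # No recognisable syslog header: the SIEM cannot even attribute it to a program.
        return {"category": "unknown", "reason": "no syslog header", "raw": line}
    prog, msg = m.group("prog"), m.group("msg")
    for category, table in (("os", OS_PARSERS), ("app", APP_PARSERS)):
        parser = table.get(prog)
        if parser is None:
            continue
        fields = parser.search(msg)
        if fields:
            return {"category": category, "prog": prog,
                    "host": m.group("host"), "fields": fields.groupdict(), "raw": line}
        # A parser exists for this tag but its pattern did not match this message.
        return {"category": "unknown", "prog": prog,
                "reason": f"parser for {prog} did not match", "raw": line}
    # Header parsed fine, but nobody has written a parser for this program tag.
    return {"category": "unknown", "prog": prog,
            "reason": f"no parser for program {prog}", "raw": line}


def summarize(lines):
    """Count events per category and rank the program tags that produce unknowns."""
    counts = Counter()
    unknown_by_prog = Counter()
    for line in lines:
        result = classify(line)
        counts[result["category"]] += 1
        if result["category"] == "unknown":
            unknown_by_prog[result.get("prog", "<no header>")] += 1
    return counts, unknown_by_prog


if __name__ == "__main__":
    counts, unknowns = summarize(SAMPLE_LINES)
    print("per category:", dict(counts))
    print("unknowns by program tag (write a parser for these):", dict(unknowns))
```

The `unknown_by_prog` ranking is the practical output: it turns a pile of Unknown events into a short list of program tags, each of which needs either an enabled vendor parser or a custom one before the OS and application streams from that host can be separated cleanly.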