I am currently sending logs from over 20 different data sources through a syslog server, so all logs (from completely different devices) reach the Receiver with the same source IP.
The syslog server writes a header on each log with information about the original IP and hostname, but I don't know how to integrate all these individual data sources.
I am trying to do that using parent/client data sources, but I can't find useful documentation and, so far, it does not work.
Can somebody help me with this topic?
Create a normal data source for your syslog server except enable Syslog-ng relay. Then add the rest of the data sources normally. That's it.
So long as either the hostname or IP is in the syslog header and matches your data source configuration it will figure it out and route the logs to the correct data sources.
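An added illustration, not part of this thread and not code from the SIEM product, of the routing the reply above describes: the relayed syslog header is parsed for the original hostname or IP, that value is matched against the data source definitions, and a sender that matches none is kept under the relay's own (parent) source. The data source names, parser labels and log lines below are constructed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records as a syslog-ng relay forwards them: the header still
# carries the ORIGINAL sender's hostname or IP (RFC 3164 and RFC 5424 forms).
SAMPLE_LOGS = [
    "<134>Mar  4 12:00:01 fw-edge01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=10.2.2.9",
    "<165>1 2024-03-04T12:00:02Z 192.168.10.20 sshd 4412 - - Accepted publickey for ops",
    "<13>Mar  4 12:00:03 unknown-host app: heartbeat",
]

RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$", re.S)
RFC3164 = re.compile(r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

@dataclass
class DataSource:
    name: str
    parser: str
    match: set = field(default_factory=set)  # hostnames and/or IPs from the SIEM config

# Assumed child data sources; names and parser labels are illustrative only.
DATA_SOURCES = [
    DataSource("Edge Firewall", "linux-netfilter", {"fw-edge01"}),
    DataSource("Bastion Host", "openssh", {"192.168.10.20", "bastion"}),
]
RELAY_SOURCE = DataSource("Syslog Relay (parent)", "generic-syslog", set())

def parse_header(line):
    """Return (facility, severity, origin_host, message) from a relayed syslog line."""
    m = RFC5424.match(line)
    if m:
        pri, host, msg = int(m.group(1)), m.group(3), m.group(8)
    else:
        m = RFC3164.match(line)
        if not m:
            raise ValueError("not a syslog line: %r" % line[:40])
        pri, host, msg = int(m.group(1)), m.group(3), m.group(4)
    return pri >> 3, pri & 7, host.lower(), msg

def route(line, sources=DATA_SOURCES, fallback=RELAY_SOURCE):
    """Pick the data source whose hostname/IP set contains the header's origin."""
    _, severity, host, msg = parse_header(line)
    for ds in sources:
        if host in {h.lower() for h in ds.match}:
            return ds.name, ds.parser, severity, msg
    # Unknown origin: keep the event under the relay's own source rather than drop it.
    return fallback.name, fallback.parser, severity, msg

if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(route(raw))
```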
Would it be possible to do the same without having to create child/client data sources and keep the same parsing (source IP, destination IP, host)?
The reason why I am asking this is that typically, when you are using agentless/automated event collection with WEF or syslog, you probably do not want to bother much with creating thousands of data sources in the SIEM and maintaining them over time.
Also, how can you manage this when you have devices such as laptops, which change IP address all the time?
Thank you in advance
Yes, this is possible. The key to parsing different device types under one data source is to enable the parsing rules for each device type in the Policy Editor.
Also, you can configure a pool of IP addresses in the Receiver properties under Receiver Configuration | Interfaces | Communications.