When enabling the “Auto Learn” feature it basically opens upthe firewall to allow any syslog traffic to enter the SIEM receiver. It willstay running for the specified period of time or until you to stop it with the “disable”button. Once you execute the disable button, or when the time period hasexpired, it will auto populate the table with devices that are sending syslog,but will not populate the list of data sources that already exist in the SIEMinterface. Hopefully this has answered your question about the Auto Learn feature.
How to add the host not retrieved by 'Auto Learn' from the syslog-ng ?