VMware NSX

Comments

1 comment

  • Eddie Thompson

    Hi Mike,

    I have worked with the distributed firewall logs in the past, and yes, the interleaving of the various event types makes it a little hard to work with.

    Basically there are two phases to getting the data workable within Sumo.

    1. Ensure your multi-line processing is breaking out the events correctly.

    2. Use the field extraction rules (FER) to rewrite the _sourceCategory / _sourceHost of the events based on the log content.

    I can provide some further advice if you have some example data to work with (redact any confidential info).
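The two phases described in the comment above, shown as an added illustration that is not part of the original thread and not Sumo Logic's FER syntax: a small Python script that first re-joins multi-line events on a syslog-style timestamp boundary, then parses the host and component from each event header and assigns a category from it, the same split that a FER would perform on ingest. The sample log lines, the component names (nsx-firewall, nsx-manager) and the category names are all constructed for this example; substitute the header format and naming scheme of your own NSX feed.

```python
import re

# Constructed sample input (not real NSX output): three events from two hosts,
# the second of which spans two lines. A real feed would be much noisier.
SAMPLE_LOG = """\
Jan 12 10:01:02 esx-a nsx-firewall: INET match PASS rule 1012 TCP 10.0.0.5/44321->10.0.1.9/443
Jan 12 10:01:03 esx-a nsx-manager: backup job started
    details: target=backup-store-1
Jan 12 10:01:04 esx-b nsx-firewall: INET match DROP rule 1001 UDP 10.0.0.7/5353->224.0.0.251/5353
"""

# Phase 1: an event boundary is a line that starts with a syslog-style timestamp.
# Anything else (for example an indented continuation) belongs to the preceding event.
EVENT_START = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} ")


def split_events(text):
    """Group raw lines into complete events using the boundary rule above."""
    events = []
    for line in text.splitlines():
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


# Phase 2: pull host and component out of the event header, then derive metadata
# from the content rather than from where the syslog stream happened to arrive.
HEADER = re.compile(
    r"^\S+ +\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) (?P<component>[^:\s]+):"
)

# Hypothetical mapping from component name to the category you want to query on.
CATEGORY_BY_COMPONENT = {
    "nsx-firewall": "nsx/dfw",
    "nsx-manager": "nsx/manager",
}


def extract_metadata(event):
    """Return the metadata a rewrite rule would set for one event."""
    m = HEADER.match(event)
    if not m:
        # Unparsed events get their own bucket so they are visible, not silently mixed in.
        return {"_sourceCategory": "nsx/unparsed", "_sourceHost": None}
    component = m.group("component")
    return {
        "_sourceCategory": CATEGORY_BY_COMPONENT.get(component, "nsx/other"),
        "_sourceHost": m.group("host"),
    }


def process(text):
    """Run both phases over a raw log chunk and return one metadata dict per event."""
    return [extract_metadata(e) for e in split_events(text)]


if __name__ == "__main__":
    for event, meta in zip(split_events(SAMPLE_LOG), process(SAMPLE_LOG)):
        print(meta, "<-", event.splitlines()[0])
```

Keeping an explicit "unparsed" category is the check worth carrying over to the real rule set: if the boundary regex or header parse drifts after an NSX upgrade, those events land somewhere you can alert on instead of disappearing into a default category.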
