VMware NSX


1 comment

  • Eddie Thompson

    Hi Mike,

    I have worked with the distributed firewall logs in the past, and yes, the interleaving of the various event types makes it a little hard to work with.

    Basically there are two phases to getting the data workable within Sumo.

    1. Ensure your multi-line processing is breaking out the events correctly.

    2. Use field extraction rules (FER) to rewrite the _sourceCategory / _sourceHost of the events based on the log content.

    I can provide some further advice if you have some example data to work with (redact any confidential info).

