VMware NSX
Using the VMware NSX distributed firewall. Trying to log the data via syslog to Sumo. We have the data, but it changes log entries based on the event type, so splitting the data isn't as easy as spacing it out, as some rows have different spacing.
Anyone parsed VMware NSX logs before?
-
Hi Mike,
I have worked with the distributed firewall logs in the past and, yes, the interleaving of the various event types makes it a little hard to work with.
Basically there are two phases to getting the data workable within Sumo.
1. Ensure your multi-line processing is breaking out the events correctly.
2. Use the field extraction rules (FER) to rewrite the _sourceCategory / _sourceHost of the events based on the log content.
I can provide some further advice if you have some example data to work with (redact any confidential info).
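The dispatch-by-event-type idea behind step 2, shown as an added Python example rather than anything from the original thread or from Sumo's FER syntax: one regex per log layout, tried in order, with the matched layout deciding the _sourceCategory. The sample lines are constructed and only approximate the NSX dfwpktlogs/vsfwd layouts; the category names are assumptions.

```python
import re

# Constructed sample lines: the layouts are illustrative, not NSX's exact format.
SAMPLE_LOGS = [
    "2019-03-12T10:15:01Z esx01 dfwpktlogs: INET match PASS domain-c7/1001 IN 60 TCP 10.1.1.10/41234->10.1.2.20/443 S",
    "2019-03-12T10:15:02Z esx01 dfwpktlogs: INET match DROP domain-c7/1003 OUT 84 ICMP 10.1.1.10->10.1.2.21",
    "2019-03-12T10:15:03Z esx01 vsfwd: [INFO] ruleset applied, 3 rules",
]

# One regex per layout. Splitting on whitespace fails because the TCP/UDP and ICMP
# packet lines have different field counts, so each layout gets its own pattern.
TCP_UDP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: INET match (?P<action>PASS|DROP) "
    r"(?P<rule>\S+) (?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)(?: (?P<flags>\S+))?$"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) dfwpktlogs: INET match (?P<action>PASS|DROP) "
    r"(?P<rule>\S+) (?P<dir>IN|OUT) (?P<len>\d+) (?P<proto>ICMP) "
    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)$"
)
# Generic daemon line; must be tried last because it also matches packet lines.
DAEMON_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>\w+): (?P<msg>.*)$")

# (pattern, assumed _sourceCategory) in match order: most specific first.
LAYOUTS = [
    (TCP_UDP_RE, "nsx/dfw/packet"),
    (ICMP_RE, "nsx/dfw/packet"),
    (DAEMON_RE, "nsx/dfw/daemon"),
]


def parse_line(line: str) -> dict:
    """Return the extracted fields plus a _sourceCategory derived from the matched layout."""
    for pattern, category in LAYOUTS:
        m = pattern.match(line)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            fields["_sourceCategory"] = category
            return fields
    # Unmatched lines are kept, tagged, and left for a later rule rather than dropped.
    return {"_sourceCategory": "nsx/unparsed", "raw": line}


def parse_all(lines):
    return [parse_line(line) for line in lines]
```

Lines that match no layout are routed to a separate category so that a new event type shows up as a gap to fix instead of silently vanishing.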