VMware NSX

Comments

1 comment

  • Eddie Thompson

    Hi Mike,

    I have worked with the distributed firewall logs in the past and yes, the interleaving of the various event types makes it a little hard to work with.

    Basically there are two phases to getting the data workable within Sumo.

    1. Ensure your multi-line processing is breaking out the events correctly.

    2. Use the field extraction rules (FER) to rewrite the _sourceCategory / _sourceHost of the events based on the log content.

    I can provide some further advice if you have some example data to work with (redact any confidential info).

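The two phases described in the comment above, as an added example that is not code from the commenter or from Sumo Logic: a small Python model of (1) splitting an interleaved multi-line syslog stream into whole events on a timestamp boundary and (2) deriving a routing category (the equivalent of rewriting _sourceCategory with an FER) from each event's content. The sample log lines, the `dfwpktlogs:` / `vsfwd:` tags and the category names are constructed for illustration; they approximate NSX DFW syslog and are not a copy of real NSX output, and no Sumo Logic FER syntax is shown.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: interleaved NSX-style syslog. Two event families are
# mixed together, and the daemon events span several lines each, which is
# what makes naive line-by-line ingestion hard to work with.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z esx01 dfwpktlogs: 12345 INET match PASS domain-c7/1001 IN 60 TCP 10.0.0.5/51000->10.0.1.9/443 S
2024-05-01T10:00:01Z esx01 vsfwd: [INFO] rule publish started
  ruleset revision 42
  42 rules applied
2024-05-01T10:00:02Z esx01 dfwpktlogs: 12346 INET match DROP domain-c7/1003 IN 60 UDP 192.0.2.7/5353->10.0.1.9/5353
2024-05-01T10:00:03Z esx01 vsfwd: [WARN] rule publish retry
  attempt 2 of 3
"""

# Phase 1: a line that starts with an ISO-8601 timestamp begins a new event;
# any other line is a continuation of the event before it.
BOUNDARY = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z ")


def split_events(raw: str) -> List[str]:
    """Reassemble multi-line events from a raw log stream."""
    events: List[str] = []
    for line in raw.splitlines():
        if BOUNDARY.match(line) or not events:
            events.append(line)          # new event starts here
        else:
            events[-1] += "\n" + line    # continuation of the previous event
    return events


# Phase 2: route each event to a category based on its content. The tags and
# category names are assumptions chosen for this example.
ROUTES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\bdfwpktlogs:"), "nsx/dfw/packet"),
    (re.compile(r"\bvsfwd:"), "nsx/dfw/daemon"),
]


def route_event(event: str) -> str:
    """Return the category an FER-style rule would assign to this event."""
    for pattern, category in ROUTES:
        if pattern.search(event):
            return category
    return "nsx/unclassified"   # keep unknown events visible rather than dropping them


# Field extraction for the packet-log family: action, direction, protocol,
# source and destination. The layout matched here is the constructed one above.
PACKET_FIELDS = re.compile(
    r"match (?P<action>\w+) \S+ (?P<direction>IN|OUT) \d+ (?P<proto>\w+) "
    r"(?P<src>\S+)->(?P<dst>\S+)"
)


def parse_packet_fields(event: str) -> Optional[dict]:
    """Extract structured fields from a packet-log event, or None if it is not one."""
    m = PACKET_FIELDS.search(event)
    return m.groupdict() if m else None


def process(raw: str) -> List[Tuple[str, str]]:
    """Run both phases: returns (category, whole_event) pairs in input order."""
    return [(route_event(e), e) for e in split_events(raw)]


if __name__ == "__main__":
    for category, event in process(SAMPLE_LOG):
        fields = parse_packet_fields(event)
        print(category, "|", fields if fields else event.splitlines()[0])
```

Running the block prints one routed event per line; the daemon events keep their continuation lines attached, and the packet events yield structured fields (action, protocol, source, destination) that a later search can filter on.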
