Hi community, I have several syslog servers that have multiple source types being ingested by the collector (i.e., Cisco router, Cisco switch, load balancers, Aruba ClearPass, etc.). My inclination is to write a FER to split these into separate source categories, but I'm not sure how to do this or if this would be a best-practice design. My goal would be to be able to send different logs to different data tiers quickly and filter queries by source category, thereby narrowing my search field down. Is there a better/different way to separate these logs?
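As an added example (not from the original post or from any collector vendor's code), here is a small Python classifier that parses the RFC 3164 syslog header and assigns each line to a source category from ordered hostname and message rules, with anything unmatched landing in a catch-all category so misrouted logs stay visible. The hostnames, category names and sample messages are constructed for this example.

```python
import re

# Constructed sample lines in RFC 3164 shape; hosts and message bodies are invented.
SAMPLE_LINES = [
    "<189>Mar  3 10:15:01 rtr-core-01 12345: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi0/1, changed state to up",
    "<190>Mar  3 10:15:02 sw-access-07 987: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "<134>Mar  3 10:15:03 lb-edge-02 nginx: 10.0.0.5 - - \"GET / HTTP/1.1\" 200",
    "<14>Mar  3 10:15:04 clearpass-01 radiusd: Login OK: user alice, NAS 10.0.1.1",
    "<14>Mar  3 10:15:05 mystery-host foo: something nobody expected",
]

# RFC 3164 header: <PRI>TIMESTAMP HOSTNAME TAG: MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s]+):? ?"
    r"(?P<msg>.*)$"
)

# Ordered rules, first match wins: (hostname regex, message regex, category).
# Category names are hypothetical; pick whatever your tiering scheme uses.
RULES = [
    (r"^rtr-",       None,            "network/cisco/router"),
    (r"^sw-",        None,            "network/cisco/switch"),
    (r"^lb-",        None,            "network/loadbalancer"),
    (r"^clearpass-", None,            "security/aruba/clearpass"),
    (None,           r"%[A-Z_]+-\d-", "network/cisco/other"),  # Cisco mnemonic, unknown host
]
UNCLASSIFIED = "unclassified/syslog"  # review this bucket: new or renamed devices show up here

def parse_header(line):
    """Return header fields plus decoded facility/severity, or None if not RFC 3164."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["facility"], d["severity"] = divmod(int(d["pri"]), 8)
    return d

def categorize(line):
    """Return (category, fields); unparseable or unmatched lines go to UNCLASSIFIED."""
    fields = parse_header(line)
    if fields is None:
        return UNCLASSIFIED, None
    for host_re, msg_re, category in RULES:
        if host_re and not re.search(host_re, fields["host"]):
            continue
        if msg_re and not re.search(msg_re, fields["msg"]):
            continue
        return category, fields
    return UNCLASSIFIED, fields

def categorize_all(lines):
    """Count lines per category, e.g. to spot a growing UNCLASSIFIED bucket."""
    counts = {}
    for line in lines:
        counts[categorize(line)[0]] = counts.get(categorize(line)[0], 0) + 1
    return counts
```

Whatever tool applies the category downstream (a processing rule, a collector source setting, or a search-time field), the same ordered-rule logic works; the point is that the syslog header already carries the host and tag needed to split one mixed feed into per-vendor categories.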