Hi Folks,
We use Splunk enterprise cloud as our central logging and SIEM system. All windows logs as well as logs from network devices are sent to the Splunk Cloud.
For log transmission, we use the following two methods (both methods are documented in the doc attached)
- For windows and unix machines --> Installing splunk universal forwarder agents
- For network devices that send raw logs --> Configuring splunk log forwarder on a docker instance
The windows logs are parsed correctly on Splunk however for logs from networking devices since they are sent in syslog format are not.
I was wondering if there are any apps (for palo alto and cisco) that would retroactively parse the previously ingested data? If we can, what would be the best way of doing so? (re-run the data? can we parse it as we perform searches?)
Many thanks for your help in advance.
