I use cp_log_export on my Check Point management server to send logs (CEF format) to my syslog-ng server, and on the same server my Splunk forwarder sends the logs to my Splunk server.
I get too many logs from Check Point, and I would like to know if I can set up some filters on the Splunk forwarder or on the syslog-ng server beforehand.
For the moment, in syslog-ng I filter only on the source IP of my Check Point management server, and in the Splunk forwarder on the sourcetype (checkpoint:cef).
After looking at the logs in Splunk, I would like to get only the logs with cef_product MTA. Can I filter that on the Splunk forwarder or in syslog-ng? I would prefer to filter in syslog-ng to reduce the amount of logs on my syslog server.
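As an added example (not part of the original post, and not a configuration taken from Check Point or syslog-ng documentation), here is a syslog-ng configuration that does the filtering on the syslog-ng side: it accepts events only from the management server and keeps only those whose CEF product header field is MTA. The management server IP (192.0.2.10), the listening port, the output file path, the `@version` line and the exact CEF header layout (vendor string "Check Point", product string "MTA") are assumptions to be adjusted to the real environment.

```conf
# Added example: keep only Check Point CEF events with product "MTA" in syslog-ng.
# All addresses, ports and paths below are placeholders (assumptions).
@version: 3.38          # assumption: set this to the installed syslog-ng version
@include "scl.conf"

source s_checkpoint {
    # assumption: cp_log_export sends plain syslog over UDP/514
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Accept only events sent from the management server that runs cp_log_export.
# netmask() checks the sender's IP, so it works even if the syslog HOST
# field inside the message is not what you expect.
filter f_from_cp_mgmt {
    netmask("192.0.2.10/32");
};

# A CEF header is "CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|...".
# Matching on "|Check Point|MTA|" (vendor followed by product) avoids matching
# the string "MTA" when it merely appears somewhere in an extension value.
# The backslashes are doubled because syslog-ng unescapes double-quoted strings
# before handing the pattern to the regex engine.
filter f_cef_product_mta {
    match("\\|Check Point\\|MTA\\|" value("MESSAGE"));
};

# Events that pass both filters are written here; the Splunk forwarder then
# monitors this file, so only MTA events reach Splunk.
destination d_cp_mta {
    file("/var/log/checkpoint/mta.log");
};

log {
    source(s_checkpoint);
    filter(f_from_cp_mgmt);
    filter(f_cef_product_mta);
    destination(d_cp_mta);
};
```

Events that do not match both filters are never written, which is what reduces the volume on the syslog server. Before relying on the product match, check one real line from the existing log file and confirm the vendor and product strings cp_log_export actually emits, since the filter above assumes them. Note also that a Splunk universal forwarder does not parse event content, so content-based filtering with props.conf/transforms.conf (routing to nullQueue) only takes effect on a heavy forwarder or on the indexer; filtering in syslog-ng, as above, is the option that actually drops the data before it reaches Splunk.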