Below is an example of Event when I run the query:  index=nix* Proxyservername*

Source is /var/adm/messages and /var/log/secure (UNIX LOGS).

Selected fields are:

host

index

process

source

sourcetype

tag

********************************************

12/13/21
6:15:01.000 AM Column icon

Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (cd /vol00/ServerMgmt/Deploy_script/CURRENT/utils/UvScan_DATs/ ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )

host = Proxyserver
index = nixlogsec
process = CROND
source = /var/log/messages
sourcetype = syslog

›
12/13/21
6:15:01.000 AM Column icon

Dec 13 01:15:01 PROXYserver CROND[15913]: (flaradm) CMD (cd /vol00/ServerMgmt/Deploy_script/CURRENT/utils/UvScan_DATs/ ; scp *.dat root@PROXYservr:/usr/local/uvscan/ )

host = Proxyserver
index = nixlogsec
process = CROND
source = /var/log/secure
sourcetype = linux_secure
tag = os tag = unix

›
12/12/21
1:31:33.000 PM Column icon

Dec 12 08:31:33 PROXYserver root: [ID 702911 local1.info] ITSEC : UVSCAN : [uvscan check failed]

host = PROXYservr.lmtas.com
index = nixlogsec
process = root
source = /var/adm/messages
sourcetype = syslog
tag = error

›
12/10/21
9:44:31.000 PM Column icon

Dec 10 16:44:31 PROXYserver scsi: [ID 107833 kern.notice] ASC: 0x32 (no defect spare location available), ASCQ: 0x0, FRU: 0x9d

host = PROXYservr.lmtas.com
index = nixlogsec
process = scsi
source = /var/adm/messages
sourcetype = syslog

To me, it doesn't look like there is anything in the event that identifies which server is sending the syslog file to the proxy server. Unless you can see something?

You are correct, I do not see it either.

We are checking/verifying why we do not see any information that identifies which server (there are 2

UNIX server that are sending data to the Proxy server) is sending the syslog file to the proxy server.

I will update the "query"/messages  as soon as I have the information.

Thanks.