Hey all,
I'm trying to pull in the Syslog or our Meraki MX to our on-premise Splunk Enterprise in order to monitor internal port scanning. Right now I have the Syslogs coming in via the Data input > UDP (514). I see all the data being pulled in correctly however when I search internal traffic communication it shows everything going to the broadcast IP. I'm not sure if I should be using a different method, but I would appreciate some guidance on best practices to monitor internet traffic.
Thanks!