Hi all,
We have our ossec logs from servers being sent to a forwarder and then the forwarder to indexer. On the forwarder, sourcetype is configured as ossec_alerts
In search results, the source host shows as the forwarder and not the actual server it comes from. The actual server name shows up right next to the date/time but not as a parsed field. EG:
2020/03/20 17:23:00 srv-01 SOURCE=forwarder
Any ideas?