Hi @rahulkumar, Logstash is a log concentrator, so probably from Logstash you're receiving logs of different sourcetypes (e.g. Linux, firewall, routers, switches, etc.). After extracting metadata, you have to recover the raw event and assign to each kind of log the sourcetype to use in the related add-ons; e.g. Linux logs must be assigned to the sourcetype linux_secure, linux_audit, and so on. These sourcetypes are the ones from the add-on Splunk Add-on for Linux and Unix that you can download from Splunkbase. Ciao. Giuseppe
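As an added illustration of the routing Giuseppe describes (this is example configuration written for this thread, not something from the original post or from the Splunk add-on), the Splunk side can unwrap the Logstash envelope and then reassign the sourcetype with index-time transforms. It assumes the Logstash output lands in Splunk under a catch-all sourcetype named `logstash` (an assumed name), that Logstash forwards each event as JSON with the original line in a `message` field (an assumption about the pipeline), and that the Splunk version supports `json_extract()` inside `INGEST_EVAL`; the stanza names and regexes are constructed for this example.

```ini
# props.conf  (example, assumed catch-all sourcetype "logstash")
[logstash]
# Transforms run in the order listed: first recover the raw event,
# then pick the add-on sourcetype from the content of the raw line.
TRANSFORMS-route_logstash = unwrap_logstash_message, set_linux_secure, set_linux_audit

# transforms.conf  (example stanzas, names are constructed)
[unwrap_logstash_message]
# Assumption: Logstash sends {"message": "<original line>", ...}.
# Replace _raw with the original line so the add-on's props/field
# extractions see the same text the host wrote, not the JSON wrapper.
INGEST_EVAL = _raw=coalesce(json_extract(_raw, "message"), _raw)

[set_linux_secure]
# sshd / sudo / PAM lines belong to linux_secure (Splunk Add-on for Unix and Linux)
REGEX = \b(sshd\[\d+\]|sudo|su\[\d+\]|pam_unix\()
FORMAT = sourcetype::linux_secure
DEST_KEY = MetaData:Sourcetype

[set_linux_audit]
# auditd records start with "type=... msg=audit(...)"
REGEX = ^type=\w+\s+msg=audit\(
FORMAT = sourcetype::linux_audit
DEST_KEY = MetaData:Sourcetype
```

Events that match none of the regexes keep the `logstash` sourcetype, so a search like `sourcetype=logstash` after deployment shows which log kinds (firewall, router, switch) still need their own routing stanza and matching add-on sourcetype. Because sourcetype assignment happens at index time, the transforms must live on the indexer or heavy forwarder that parses the Logstash feed, not on a universal forwarder.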