Has anyone had any experience with setting up log collection from replicating SEPM servers and preventing duplicate indexing?
We have two SEPM sites that replicate once per day. Currently we're forwarding all of the logs from one of the sites, which picks up all of the logs but leads to a delay of up to 24 hours in collecting logs from the second site.
To prevent the delay, we'd have to start also forwarding from the second site, but I anticipate this would lead to duplicated logs as the replicated logs would be forwarded from both servers.
I was hoping I might be able to blacklist based on a "server" or "site" string in the logs, but I can't find a string common to all logs for each site.
Any suggestions or help appreciated and would love to know if anyone has managed this scenario before.