Hi, I am currently working on getting our Sophos Central Cloud logs into Splunk. I have the 1st step out of the way in that I have the logs being ingested fine. I am however having some difficulty in getting them into the correct index. Following the documentation here: Configuration - Splunk Connect for Syslog (splunk-connect-for-syslog.readthedocs.io), I am planning to add the following to the splunk_metadata.csv:

sophos_sophos central_Event::Endpoint::UpdateSuccess,sourcetype,sophos:endpoint:update:cef,index,sophos
sophos_sophos central_Event::Endpoint::WebControlViolation,sourcetype,sophos:endpoint:update:cef,index,sophos

Based off the following 2 examples, do these appear correct?

Many thanks
Shaun
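SC4S reads splunk_metadata.csv as three-column rows (key,metadata,value), one metadata name per row, so a row carrying sourcetype and index together will not be applied as intended. The checker below is an added example, not code from SC4S or from the post; it takes the two proposed lines as constructed input, flags rows that do not have exactly three fields, and splits each into separate key,metadata,value rows. The key names are copied from the post as written and are assumed, not verified, to be the ones SC4S emits for these events.

```python
import csv
import io

# Metadata names SC4S accepts in splunk_metadata.csv (key,metadata,value).
VALID_METADATA = {"index", "sourcetype", "source", "host"}

# The two lines proposed in the post, used here as constructed input.
PROPOSED = """\
sophos_sophos central_Event::Endpoint::UpdateSuccess,sourcetype,sophos:endpoint:update:cef,index,sophos
sophos_sophos central_Event::Endpoint::WebControlViolation,sourcetype,sophos:endpoint:update:cef,index,sophos
"""


def check_metadata_csv(text):
    """Return (line_no, problem) for every row that does not match key,metadata,value."""
    problems = []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or (len(row) == 1 and not row[0].strip()):
            continue  # blank line
        if len(row) != 3:
            problems.append((line_no, f"expected 3 fields (key,metadata,value), got {len(row)}"))
            continue
        key, meta, value = (f.strip() for f in row)
        if meta not in VALID_METADATA:
            problems.append((line_no, f"unknown metadata name {meta!r}"))
        if not key or not value:
            problems.append((line_no, "empty key or value"))
    return problems


def split_into_rows(text):
    """Rewrite rows of the form key,m1,v1,m2,v2,... as separate (key, m, v) rows."""
    out = []
    for row in csv.reader(io.StringIO(text)):
        if not row or (len(row) == 1 and not row[0].strip()):
            continue
        key, rest = row[0].strip(), [f.strip() for f in row[1:]]
        if len(rest) % 2 != 0:
            raise ValueError(f"odd number of metadata/value fields for key {key!r}")
        for meta, value in zip(rest[::2], rest[1::2]):
            out.append((key, meta, value))
    return out


if __name__ == "__main__":
    for line_no, problem in check_metadata_csv(PROPOSED):
        print(f"line {line_no}: {problem}")
    for key, meta, value in split_into_rows(PROPOSED):
        print(f"{key},{meta},{value}")
```

Running it prints a problem for each of the two original lines and then the four three-column rows that replace them, which is the form to paste into splunk_metadata.csv.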