I'm pretty sure. When I query SC I'm using index=indexA host=serverA. The events returned also show the source as the asa.log file in question. I have visually checked the other 4 UF servers, and the few that have stanzas to monitor an identical path/filename are set to use their own unique index names. What I do find really odd is, if I tail -f this asa.log file on serverA, it's SUPER busy. Many, many events; however, most of those are not hitting indexB, only some. The log events in SC do contain the IP address of the source feeding asa.log on serverA though. That might be a difference between the raw syslog in the log file and the cisco:asa sourcetype sent to SC? IDK, to be honest. But regardless, I'm trusting the host field in SC for these events as being accurate.

Example event as shown in SC (16/09/2022 13:22:04.000):

Sep 16 08:22:04 x.x.x.x %ASA-5-713904: IP = y.y.y.y, Received encrypted packet with no matching SA, dropping
host: serverA
source: /var/log/remote-syslog/asa.log
sourcetype: cisco:asa
_time: 2022-09-16T13:22:04.000+00:00
index: indexB
linecount: 1
splunk_server: idx-i-xxxxxxxx.splunkcloud.com
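The poster checked the other forwarders' monitor stanzas by eye. The script below is an added example, not code from the original thread or from Splunk, that does the same check mechanically: it parses each Universal Forwarder's inputs.conf, finds every stanza monitoring the path in question and reports the index each one resolves to, including the easy-to-miss case where a monitor stanza sets no index and inherits one from a [default] stanza, or from nothing at all (the event then lands in the default index, main unless reconfigured). The host names serverA..serverE, the index names indexA/indexB/indexD and the inputs.conf contents are constructed sample data; only the path and sourcetype come from the post.

```python
"""Audit which index each UF's inputs.conf assigns to a monitored path.

Added example; the inputs.conf texts are constructed, not real forwarder
configs. Splunk .conf files are INI-like, so configparser is enough here.
"""
import configparser
import fnmatch
from typing import Dict, List, Optional, Tuple

PATH = "/var/log/remote-syslog/asa.log"

# Constructed sample inputs.conf contents, one per hypothetical UF.
SAMPLE_INPUTS: Dict[str, str] = {
    "serverA": """
[monitor:///var/log/remote-syslog/asa.log]
index = indexA
sourcetype = cisco:asa
disabled = 0
""",
    "serverB": """
[monitor:///var/log/remote-syslog/asa.log]
index = indexB
sourcetype = cisco:asa
""",
    # No index on the stanza, but a [default] stanza supplies one.
    "serverC": """
[default]
index = indexB

[monitor:///var/log/remote-syslog/asa.log]
sourcetype = cisco:asa
""",
    # Monitors a different file; should not show up at all.
    "serverD": """
[monitor:///var/log/other.log]
index = indexD
""",
    # No index anywhere: events go to the default index (main unless changed).
    "serverE": """
[monitor:///var/log/remote-syslog/asa.log]
sourcetype = cisco:asa
""",
}


def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    """Parse inputs.conf text. Keys are case-sensitive in Splunk, so keep case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str  # type: ignore[assignment]
    cp.read_string(text)
    return cp


def stanzas_for_path(cp: configparser.ConfigParser, path: str) -> List[Tuple[str, Optional[str]]]:
    """Return (stanza, resolved index) for every monitor stanza covering `path`.

    A stanza with no `index` inherits one from [default] if present, else None.
    Wildcards in the stanza are approximated with fnmatch (Splunk's `...` is
    treated like `*`); exact matches are handled directly.
    """
    default_index = cp["default"].get("index") if cp.has_section("default") else None
    found = []
    for sec in cp.sections():
        if not sec.startswith("monitor://"):
            continue
        pattern = sec[len("monitor://"):].replace("...", "*")
        if pattern == path or fnmatch.fnmatch(path, pattern):
            found.append((sec, cp[sec].get("index", default_index)))
    return found


def audit_index_for_path(configs: Dict[str, str], path: str) -> Dict[str, List[Tuple[str, Optional[str]]]]:
    """Map each host to the monitor stanzas (and resolved index) it has for `path`."""
    return {host: stanzas_for_path(parse_inputs_conf(text), path) for host, text in configs.items()}


def conflicting_hosts(report: Dict[str, List[Tuple[str, Optional[str]]]], expected_index: str) -> List[str]:
    """Hosts whose stanza for the path resolves to an index other than `expected_index`.

    A stanza with no resolvable index (None) counts as a conflict too.
    """
    return sorted({host for host, stanzas in report.items() for _, idx in stanzas if idx != expected_index})


if __name__ == "__main__":
    report = audit_index_for_path(SAMPLE_INPUTS, PATH)
    for host, stanzas in report.items():
        for stanza, idx in stanzas:
            print(f"{host}: {stanza} -> index={idx}")
    print("hosts not sending to indexA:", conflicting_hosts(report, "indexA"))
```

In the constructed data serverB, serverC and serverE are flagged: serverB explicitly, serverC through its [default] stanza, and serverE because the stanza sets no index at all. A visual check of the monitor stanza alone misses the last two cases, which is why the script resolves the index rather than just reading the stanza. Note that index routing can also be applied on the indexer or heavy forwarder side via props.conf/transforms.conf, which this inputs.conf check does not cover.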