Hi, although I don't have an answer to your question, I guess you can help me with mine. Can you list the steps to do the following for me, please?

1. Configure Cisco ESA to send logs to the Heavy Forwarder.
2. Splunk-side configuration (especially capturing all the sourcetypes correctly, i.e. authentication, textmail, http, etc.).

Our design is that all endpoints send logs to the heavy forwarder; we use syslog-ng. Add-ons are pushed by deployment servers to the heavy forwarders. All logs are then sent from the heavy forwarders to indexers using Universal Forwarders. The problem in this setup is that, at the Heavy Forwarder level, we can assign only one sourcetype to all the logs coming from a single endpoint. In the case of ESA, we are getting multiple sourcetypes from the same endpoints. I hope you can help me with that as you have already got it configured. Thanks.
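As an added example, not from the original thread or the Cisco ESA add-on: a props.conf/transforms.conf pair for the heavy forwarder that ingests everything from the ESA input under one base sourcetype and then rewrites the sourcetype per event with regexes, which is the standard way around the one-sourcetype-per-input limit. The monitor path, the base sourcetype `cisco:esa`, the target sourcetype names and the match regexes are assumptions to be aligned with the add-on's sourcetypes and the log lines actually received.

```ini
# inputs.conf on the heavy forwarder (assumed: syslog-ng writes the ESA lines here)
[monitor:///var/log/syslog-ng/esa/*.log]
sourcetype = cisco:esa
index = email

# props.conf: the base sourcetype gets a list of sourcetype-rewriting transforms.
# TRANSFORMS-* run at parse time, so they must live on the heavy forwarder;
# the indexers only receive already-parsed data and would ignore them.
[cisco:esa]
TRANSFORMS-esa_sourcetype = esa_set_textmail, esa_set_http, esa_set_authentication

# transforms.conf: each stanza tests the raw event and, on a match, overwrites the
# sourcetype in the event metadata. When several match, the later stanza wins, so
# the most specific pattern is listed last. Regexes are assumed placeholders;
# verify them against real events (e.g. with `| regex _raw=...`) before deploying.
[esa_set_textmail]
REGEX = \bMID\s\d+\b
FORMAT = sourcetype::cisco:esa:textmail
DEST_KEY = MetaData:Sourcetype

[esa_set_http]
REGEX = (?i)\b(?:GET|POST)\s\S+\sHTTP/|\breq:\S+\suser:
FORMAT = sourcetype::cisco:esa:http
DEST_KEY = MetaData:Sourcetype

[esa_set_authentication]
REGEX = (?i)\bauthenticat(?:ed|ion)\b
FORMAT = sourcetype::cisco:esa:authentication
DEST_KEY = MetaData:Sourcetype
```

Events that match none of the regexes keep the base sourcetype, so searching `sourcetype=cisco:esa` shows which ESA log types are not yet covered. If the deployed add-on already ships equivalent sourcetype-rewriting stanzas, use those rather than duplicating them.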