Hello,

We want to allow people to use the oneshot command to ingest logs. Sadly, I have already considered overwriting the index, but it's not working for us since we have one index per "audit". However, the destination index always has the same pattern (for example, audit-XXXX).

I haven't found a way to restrict everything coming in on port 9997 to the audit-XXXX indexes. To be honest, from a security point of view, it seems crazy that it's impossible to set restrictions.

The only solution I can see now is to deploy a new forwarder on another host that only allows audit indexes as destinations.

Regards,
Sagittis