Verifying log collection in IDR

Greetings,

Is there a way to easily list which hosts are transmitting to a specified event source? When we add a new server to the network and point it toward a collector for an event source, we need a way to verify if the logs from the host are actually reaching it. Most of the event sources are syslog. I realize that this is probably a scenario where it depends on a lot of factors, but could you help point us in the right direction in how we might be able to accomplish this?

Thank you,

Hi Daniel,

Via log search you should be able to groupby the hostname of the devices. If the hostname isn't a key-value pair, you could leverage regex to extract the device name or, better again, you can use our custom parsing tool to auto-extract values. See here: Custom Parsing Tool | InsightIDR Documentation

If you can provide an example log line I can assist with a query that would allow you to search back on historical data, as any custom parsing rule would only change net new data received, it doesn’t apply retroactively.

David
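As an added illustration of the approach David describes (this is not code from the thread or from Rapid7), the script below does offline what a groupby on an extracted hostname does in log search: it pulls the host field out of raw syslog lines with a regex, counts lines per host, and reports which expected hosts sent nothing. The sample lines are constructed for the example, and the expected-host list (`web01`, `db01`, `app02`) is an assumption standing in for whatever inventory you point at the collector. Because the regex runs over the raw message text, it works on historical data as well, unlike a custom parsing rule, which only applies to data received after the rule is created.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the original thread): a mix of
# RFC 3164 (BSD-style) and RFC 5424 headers, plus one line with no header,
# as a collector might receive them.
SAMPLE_LOGS = """\
<34>Oct 11 22:14:15 web01 sshd[1234]: Accepted publickey for ops from 10.0.0.5 port 52214
<13>Oct 11 22:14:16 db01 su: pam_unix(su:session): session opened for user root
<165>1 2024-10-11T22:14:17.003Z fw01.example.net ufw - ID47 - BLOCK IN=eth0 SRC=203.0.113.9
<34>Oct 11 22:14:18 web01 sshd[1235]: Failed password for invalid user admin from 198.51.100.7
<13>Oct 11 22:14:19 db01 CRON[990]: (root) CMD (run-parts /etc/cron.hourly)
garbage line with no syslog header
"""

# RFC 3164: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164 = re.compile(
    r"^<\d{1,3}>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) "
)
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME ...
RFC5424 = re.compile(r"^<\d{1,3}>\d+ \S+ (?P<host>\S+) ")


def extract_host(line):
    """Return the hostname from a syslog line, or None if no header matched."""
    for pattern in (RFC5424, RFC3164):
        m = pattern.match(line)
        if m:
            return m.group("host")
    return None


def count_by_host(raw):
    """Equivalent of a groupby on the extracted hostname: lines per host.

    Lines whose header could not be parsed are counted under None so they
    are visible rather than silently dropped.
    """
    counts = Counter()
    for line in raw.splitlines():
        if not line.strip():
            continue
        counts[extract_host(line)] += 1
    return counts


def missing_hosts(raw, expected):
    """Hosts we expect to be forwarding that have no lines in this window."""
    seen = {h for h in count_by_host(raw) if h is not None}
    return sorted(set(expected) - seen)


if __name__ == "__main__":
    # Assumed inventory of hosts that were pointed at this event source.
    expected = ["web01", "db01", "app02"]
    for host, n in count_by_host(SAMPLE_LOGS).most_common():
        print(f"{host or '<unparsed>'}: {n}")
    print("not reporting:", missing_hosts(SAMPLE_LOGS, expected))
```

In practice you would feed the script the lines exported from the event source for the time window after the new server was added; a host that shows up only under `<unparsed>` (or not at all) is the one whose forwarding or header format needs a closer look.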