syslog - question probably answered already


Space invader
edited October 2014 in AlienVault USM Appliance > Sensor
When viewing firewall logs in the SIEM, I would like to see which firewall had the event.

My thought would be that this should be in the sensor column, but the actual syslog server that received the event is listed there. This is not very helpful when you have a dozen or more (or even two or more) firewalls feeding syslog to that one syslog server. They all show as the same sensor.

Yes, I can dig into the events, but when you have 3.5-4 million events in the DB, each screen refresh can be painfully slow.

Does anyone have a solution to have the firewall name/IP as the sensor for the syslogs?

  • Have you checked the 'device' field? Is it populated with the sensor name/IP as well?
  • ooohhh...cool. I did not know you could change the view on the SIEM console.

    I added the device and now I can see the correct FW in those events.

    Thanks again!
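The distinction the thread lands on (the sensor is the syslog collector that received the event, the device is the firewall named in the syslog header) can be seen directly in the log lines. The following is an added example, not code from the thread or from AlienVault; the collector address, hostnames and log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed scenario: three firewalls send syslog to one collector, and the
# collector is what the SIEM reports in its "sensor" column. The originating
# firewall survives only in the HOSTNAME field of the RFC 3164 header, which is
# what the "device" field surfaces.
SENSOR = "10.0.0.5"  # hypothetical syslog collector / USM sensor address

SAMPLE_LOGS = [  # constructed sample events, all received by SENSOR
    "<134>Oct 12 10:01:02 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2",
    "<134>Oct 12 10:01:05 fw-edge-02 kernel: ACCEPT IN=eth1 SRC=192.0.2.7 DST=198.51.100.3",
    "<134>Oct 12 10:01:09 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2",
    "<134>Oct  2 10:02:14 fw-dmz-01 kernel: DROP IN=eth2 SRC=198.51.100.77 DST=10.0.1.4",
]

# RFC 3164 header layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG
# The day of month is space-padded when it is a single digit, hence [ \d]\d.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)


def parse_event(line, sensor=SENSOR):
    """Split one syslog line into sensor (collector) and device (originating host).

    Returns None for lines that do not carry a parsable RFC 3164 header.
    """
    m = HEADER_RE.match(line)
    if not m:
        return None
    return {"sensor": sensor, "device": m.group("host"), "message": m.group("rest")}


def count_by(lines, key, sensor=SENSOR):
    """Count parsable events grouped by 'sensor' or 'device'."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line, sensor)
        if ev is not None:
            counts[ev[key]] += 1
    return dict(counts)


if __name__ == "__main__":
    # Grouping by sensor collapses every firewall into one bucket;
    # grouping by device shows which firewall produced each event.
    print("by sensor:", count_by(SAMPLE_LOGS, "sensor"))
    print("by device:", count_by(SAMPLE_LOGS, "device"))
```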
