When viewing firewall logs in the SIEM, I would like to see which firewall had the event.
My thought would be that this should be in the sensor column, but the actual syslog server that received the event is listed there. This is not very helpful when you have a dozen or more (or even two or more) firewalls feeding syslog to that one syslog server. They all show as the same sensor.
Yes, I can dig into the events, but when you have 3.5-4 million events in the DB, each screen refresh can be painfully slow.
Does anyone have a solution to have the firewall name/IP as the sensor for the syslogs?