SA incorrectly parsing RHEL, Solaris, Linux syslogs

Question asked by Jesse Carleton on Jul 16, 2014
Looking for some input on how to make these sources come up as their proper source.

Basically we're pushing the events via syslog to SA from RHEL, Solaris, and Linux environments (mixed environment; we also have Windows). In SA, the events get shuffled into a few device types: crossbeam, rhlinux (includes tons of UFW logs, which we would like to come up elsewhere as well), Solaris, and winevent_nic. The only reason I can find for these Unix boxes coming up in winevent_nic is the fact that they're negotiating/querying LDAP/AD.

How can we get these appearing as the appropriate device types?

Thanks in advance.