We are manually moving files into SA via a script, and basically need to confirm that we drop those files in the "work" directory that's created after creating the event source in SA... is that right?
After you have created the event source in SA, you will need to place them in the "/var/netwitness/logcollector/upload/<eventsource>" directory. SA will then push these files into the 'work' directory as required.
I normally kick off a "tailf /var/log/messages | grep -i <eventsource> --color" command to see that the files are being processed.
Ah, OK, so we went ahead and placed the files in the 'work' directory and it seemed to work. I guess we just saved the appliance a step... as long as that doesn't hurt anything we can leave the script alone and let it place those files there without any issue. I just wanted to make sure that was being done right.