
Event Sources Not Reflecting Under Right Collector ID

Question asked by Deepanshu Sood on Sep 5, 2016
Latest reply on Sep 14, 2016 by Deepanshu Sood

Hello,

 

I am in the process of integrating event sources on the local log collector.

Initially I integrated winevent_nic, ODBC and File Reader; they are working fine, and I am also able to see them under the local log collector's "collector.id" meta key.

 

Last week and today, I integrated 4-5 syslog event sources and 1 NetFlow event source on the local log collector. The 4-5 event sources integrated by the syslog method are also integrated on the customer's current enVision server, and I have installed zConnector to forward all the logs from enVision to the local collector.

 

Let me explain:

 

Device Type: Ironmail (McAfee Email Gateway)

IP Address: 10.6.5.17

Collection Type: Syslog

Log Collector Name: NCORP-RSALH-01 (it's a local log collector, part of the log hybrid, and the one on which I found the said issue)

 

Now if I look at the above IP address in Health & Wellness > Event Sources Monitoring, I can see that the IP address is coming under 3 different log collectors.

 

It's a migration activity from enVision to SA.

 

NOTICE: See the last updated time also.

 

1. zConnector (10.6.101.10) - enVision

2. VLC - NCORP-VLC-01

3. NCORP-RSALH-01 - Local Log Collector

 

From the screenshot below I can simply see that the IP address is coming from three collector sources and the last and latest logs are coming from RSALH-01.

 

Now if I look at the same IP address under Log Decoder > Stats > Log Stats:

There, kindly note the forwarder IP address "10.6.101.10"; its last received time is 12:43 PM.

 

 

But if I look at the same IP address under Investigation, I can see that IP address under the same "NCORP-RSALH-01" collector ID.

 

In the screenshot below, I am first showing you the collector IDs.

 

 

Now if I click on the ncorp-rsalh-01 collector ID, I can't find the event sources which are configured by the syslog and NetFlow methods.

 

 

NOTICE: For your information, I have also integrated a few Cisco ASA firewalls, IP, IDS and other event sources, and I am facing the same issue for all of them.

 

Ideally, all the event sources which are configured on a specific collector should also be reflected under the Investigation page.

 

Now if I look for the same IP address on the Investigation page without any filter, I am able to find that IP address with its respective parser.

 

 

 

As I wrote above, I have also integrated event sources by other collection methods like Windows, File Reader and ODBC.

Those are showing under their respective collector ID, but syslog and NetFlow are not.

So I am not sure whether, in future, if I integrate event sources by other collection methods like VMware, Check Point and SDEE, they will also be reflected under their collector or not.

 

Now this issue is creating many challenges in understanding and finding out which devices are configured in the network and which are not.

Related to this, I also tried to find related articles, but was unable to find any.

 

Regards,

Deepanshu Sood.
