Currently the customer log sources are first sending the logs to a Kiwi syslog forwarder, which then forwards the logs to the VLC. At the SA Head UI, the logs being seen are all via one device IP. The analysts are creating correlation rules based on event-source grouping. (Below is the diagram of the traffic flow.)
Can we do a parse to solve the single-device-IP issue, or is there some configuration that needs to be done to resolve this issue?
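The root of the single-IP symptom is that the collector keys the device on the transport source address, which after a relay is always the forwarder's address. The original device identity can still be present inside the message: both RFC 3164 and RFC 5424 syslog headers carry a HOSTNAME field, and if the forwarder relays the message with that field intact, a parser can group on it instead of on the sender IP. If the forwarder rewrites the HOSTNAME field to its own name, the information is no longer in the message and no parser can recover it; the fix then has to be made on the forwarder (or by sending the sources to the collector directly). The following is an added example written for this thread, not code from the original post, from RSA, or from Kiwi. It assumes a forwarder address of 10.0.0.5 and uses constructed sample log lines; the field names and the two header formats are standard syslog, but no NetWitness parser syntax is implied.

```python
import re
from collections import defaultdict

# Assumed address of the Kiwi forwarder: every line reaches the collector
# from this IP, so grouping by transport source collapses all devices.
RELAY_IP = "10.0.0.5"

# Constructed sample events as (transport_source_ip, raw_syslog_line).
# The header HOSTNAME field still names the originating device.
SAMPLE_EVENTS = [
    (RELAY_IP, "<34>Oct 11 22:14:15 fw-edge-01 kernel: DROP IN=eth0 SRC=203.0.113.7"),
    (RELAY_IP, "<13>Oct 11 22:14:16 192.0.2.20 sshd[1021]: Failed password for root"),
    (RELAY_IP, "<165>1 2024-10-11T22:14:17.003Z dc01.example.test "
               "Microsoft-Windows-Security-Auditing 4625 - - An account failed to log on"),
    (RELAY_IP, "<34>Oct 11 22:14:18 fw-edge-01 kernel: DROP IN=eth0 SRC=198.51.100.9"),
    (RELAY_IP, "garbage line with no header"),
]

# RFC 3164 (BSD) header: <PRI>TIMESTAMP HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>\S+) "
    r"(?P<msg>.*)$"
)


def parse_syslog(raw):
    """Parse one syslog line into its header fields.

    Returns a dict (pri, facility, severity, ts, host, msg, ...) or None
    when the line carries no recognisable header.
    """
    m = RFC5424.match(raw) or RFC3164.match(raw)
    if not m:
        return None
    fields = m.groupdict()
    fields["pri"] = int(fields["pri"])
    # PRI encodes facility * 8 + severity.
    fields["facility"], fields["severity"] = divmod(fields["pri"], 8)
    return fields


def group_by_transport_ip(events):
    """What the collector sees today: one bucket, the relay's address."""
    buckets = defaultdict(int)
    for src_ip, _ in events:
        buckets[src_ip] += 1
    return dict(buckets)


def group_by_header_host(events):
    """Group on the HOSTNAME field from the syslog header instead.

    Lines without a parsable header are kept, tagged with the transport
    IP, so that unparsed traffic is visible rather than silently dropped.
    """
    buckets = defaultdict(int)
    for src_ip, raw in events:
        parsed = parse_syslog(raw)
        host = parsed["host"] if parsed else "unparsed-from-%s" % src_ip
        buckets[host] += 1
    return dict(buckets)


if __name__ == "__main__":
    print("by transport IP :", group_by_transport_ip(SAMPLE_EVENTS))
    print("by header host  :", group_by_header_host(SAMPLE_EVENTS))
```

Run as-is, the first grouping shows a single key (the forwarder address) while the second separates the firewall, the Linux host and the domain controller. A quick check before writing any parser or correlation rule is therefore to look at the raw message on the collector: if the HOSTNAME field already reads as the forwarder's name rather than the device's, parsing will not help and the forwarder configuration is what has to change.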