I am facing a strange issue with netwitness. I can see the audit logs from a particular hybrid coming in as a event source with the IP of the hybrid and this is again being parsed as different log sources.
I see no global audit configuration in my SA and no log forwarding set on the log decoder. How do I disable this ? I do not need the audit logs coming in as events and consuming extra EPS as I can easily search for audit logs in the log view of my appliance.
Any hints of what else I should check?