I cannot find any configuration guide about Airwatch event source implementation.
What type of logging facilities does it provide? Is it CEF syslog? If so, you won't need an integration guide, as CEF is parsed normally by the CEF parser.
I'm not 100% sure, but I don't think Airwatch uses CEF. Pending their reply. Now, Airwatch is configured to send the logs to the log collector, but once we test the connection, it fails. Any ideas? Could be that port 514 is not enabled in LC?
If it's sending syslog to 514 then we're collecting it. See if the event source is showing up in device.ip.