In our environment all devices are sending logs to a syslog-ng server which is relaying them to SA, but...
SA recognizes all of those messages as "device.ip=10.0.0.5" (syslog server) instead of the original device address - for example 10.0.0.1 (fw).
There is information about the original address in the header, so it shouldn't be so hard to parse that into this variable, but I really don't know how to do that.
Has somebody solved this already?
Example of a FW log which is parsed under the device.ip of the syslog server:
Jun 6 14:29:25 10.0.0.1 FW01: NetScreen device_id=FW01 [Root]system-notification-00257(traffic): start_time="2014-06-06 14:29:24" duration=0 policy_id=915 service=udp/port:44246 proto=17 src zone=DMZ dst zone=Untrust action=Deny sent=0 rcvd=109 src=10.1.1.1 dst=188.8.131.52 src_port=6881 dst_port=44246 session_id=0
Thanks for any help.
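
Added example, not part of the original post and not SA or syslog-ng configuration: a Python sketch of recovering the original device address from the header of a relayed line like the one above. The function name and the trusted-relay set are assumptions; the header address is honoured only when the packet came from the known relay, because that field is written by whoever sent the message.

```python
import ipaddress
import re

# BSD-syslog style header as in the sample above: "Mmm d hh:mm:ss HOST rest".
# An optional <PRI> prefix is accepted, since a relay may or may not keep it.
HEADER_RE = re.compile(
    r"^(?:<\d{1,3}>)?"
    r"[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s"
    r"(?P<host>\S+)\s"
)

# Assumption: 10.0.0.5 (the syslog-ng server from the post) is the only
# relay allowed to speak on behalf of other devices.
TRUSTED_RELAYS = frozenset({"10.0.0.5"})

# Header and start of the sample line from the post; remaining fields omitted.
SAMPLE = "Jun 6 14:29:25 10.0.0.1 FW01: NetScreen device_id=FW01"


def resolve_device_ip(line, packet_src, trusted_relays=TRUSTED_RELAYS):
    """Return the address to record as the device for one received line.

    packet_src is the IP the line was actually received from.
    """
    # Senders that are not known relays are recorded under their own address,
    # whatever their header claims.
    if packet_src not in trusted_relays:
        return packet_src
    m = HEADER_RE.match(line)
    if m is None:
        # No recognizable header: fall back to the relay address.
        return packet_src
    try:
        # Normalize and validate; a hostname here would need a separate lookup.
        return str(ipaddress.ip_address(m.group("host")))
    except ValueError:
        return packet_src


if __name__ == "__main__":
    print(resolve_device_ip(SAMPLE, "10.0.0.5"))
```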