We use Websense in the Cloud, and their method for retrieving log files is to use a perl script which pulls down the logs in CEF format. I set up the script on a syslog server, it writes the CEF files are a folder. The syslog server runs the Universal Forwarder to send data to the indexers. I configured a monitor for that folder.
I can the universal forwarder monitoring the files, but they never show up in my searches. We have many other log sources on this syslog server, all are working fine, except they are all in .log format. These are .cef files.
Any help would be appreciated.
#### Websense Cloud Logging
[monitor:///opt/syslog/logs/websense_cloud/*.cef]
index = syslog
sourcetype = websense:cef
host_segment = 4
ignoreOlderThan = 5d
↧