Hi all,
We set the sourcetype in inputs.conf on the universal forwarder, e.g.
```
[monitor:///Firewall/*/*_pa_firewall.log]
ignoreOlderThan = 1d
disabled = false
host_segment = 2
index = network
sourcetype = pan:log
no_appending_timestamp = true
```
The sourcetype of the related logs changed to pan:traffic. We found that this is caused by an add-on defined on the indexer that transforms the sourcetype for a matched pattern.
So the configuration files on the indexer have higher priority than those on the universal forwarder. Is that correct?
Thanks a lot.
/st wong
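For readers who have not seen this mechanism, the following is an added illustration of the kind of index-time sourcetype override described above; it is not the add-on's actual configuration, and the stanza name and REGEX are assumptions.

```ini
# props.conf on the indexer (illustrative, not the add-on's real file).
# Events arriving with the forwarder-assigned sourcetype pan:log are run
# through the named transform in the indexer's parsing pipeline.
[pan:log]
TRANSFORMS-sourcetype_override = pan_traffic_rewrite

# transforms.conf on the indexer (illustrative).
# If _raw matches REGEX, the sourcetype metadata is rewritten before the
# event is written to the index, so searches see pan:traffic, not pan:log.
# The regex (an assumption here) keys on the log-type field of the event.
[pan_traffic_rewrite]
REGEX = ,TRAFFIC,
FORMAT = sourcetype::pan:traffic
DEST_KEY = MetaData:Sourcetype
```

Because the rewrite is keyed on the sourcetype the forwarder assigned, the forwarder setting is still in effect; it is simply the input that the indexer-side transform matches against.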