Hi.
Currently, I receive my Linux logs in an index called linux_logs and a syslog sourcetype.
I would like to change the syslog sourcetype to the linux_secure sourcetype.
How can I make that change so that the new logs already arrive in the new sourcetype?
My configuration
Sourcetype syslog
Sourcetype linux_secure
Thanks!
Hi
Why are you collecting those logs with syslog, and especially over UDP? That way you will always lose some events from time to time! A much better way is to use UFs on those nodes. Then it's much easier to define which sourcetype each file is.
r. Ismo
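As an added example (not configuration from the original question or Ismo's reply), here is what the two approaches look like in Splunk .conf files. The first stanza is the UF-based setup the reply recommends: a monitor input on each Linux host that tags the auth log with linux_secure at collection time. The second part goes further than the reply and covers the question's existing syslog UDP input: a props/transforms pair on the indexer or heavy forwarder that rewrites the sourcetype of matching events at index time, so new events arrive as linux_secure without touching the senders. File paths, the UDP port, the transform name and the REGEX are assumptions chosen for illustration; adjust them to your environment.

```ini
# --- Option 1 (Ismo's recommendation): Universal Forwarder on each Linux host ---
# inputs.conf on the UF. Assumed paths: /var/log/secure on RHEL-family hosts,
# /var/log/auth.log on Debian/Ubuntu. Sourcetype and index are set at collection
# time, so every event from this file arrives as linux_secure in linux_logs.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = linux_logs
disabled = 0

[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = linux_logs
disabled = 0

# --- Option 2 (goes beyond the reply): keep the existing syslog UDP input and ---
# --- rewrite the sourcetype at index time on the indexer / heavy forwarder.  ---
# These stanzas must live where parsing happens; a UF does not run TRANSFORMS.

# props.conf: attach the transform to events that currently arrive as syslog.
[syslog]
TRANSFORMS-set_linux_secure = set_linux_secure

# transforms.conf: only events whose raw text matches the (assumed) REGEX are
# retagged; everything else on the port stays syslog. The pattern below is a
# placeholder for the authentication daemons you actually care about.
[set_linux_secure]
REGEX = (sshd\[\d+\]|sudo:|pam_unix\(|su\[\d+\]|sshd-session\[\d+\]|login\[\d+\])
FORMAT = sourcetype::linux_secure
DEST_KEY = MetaData:Sourcetype
WRITE_META = true
```

Two checks before relying on either option: run `splunk btool props list syslog --debug` (and the same for `transforms`) on the parsing tier to confirm the stanzas are picked up and not shadowed by another app, and search `index=linux_logs sourcetype=linux_secure earliest=-15m` after a restart to confirm new events land with the new sourcetype. Note that the rewrite in Option 2 is index-time only: events already stored as syslog keep that sourcetype, and the built-in host and timestamp handling of the syslog sourcetype still runs first, which is usually what you want. If you instead set `sourcetype = linux_secure` directly on the `[udp://514]` input stanza, every event on that port is retagged and the syslog sourcetype's host extraction no longer applies, so verify the host field afterwards.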