We have been ingesting our Check Point logs via the Check Point OPSEC LEA add-on and finally realized that the HOST being reported is always our management station IP where we are pulling logs from. Is there a way to change this in the OPSEC LEA add-on, or would we be better off doing this in transforms.conf and props.conf on the heavy forwarder?
Splunk add-on for Check Point OPSEC LEA: Why does the host field show pulling logs from manager IP?