2018-08-08 08:34 AM
I am facing a strange issue with netwitness. I can see the audit logs from a particular hybrid coming in as a event source with the IP of the hybrid and this is again being parsed as different log sources.
I see no global audit configuration in my SA and no log forwarding set on the log decoder. How do I disable this ? I do not need the audit logs coming in as events and consuming extra EPS as I can easily search for audit logs in the log view of my appliance.
Any hints of what else I should check?
2018-08-08 08:26 PM
check the rsyslog configuration of the source system /etc/rsyslog.d/ and look for any confgurations in there that point to your destination system. also check for /etc/rsyslog.nw.conf in case someone has configured syslog forwarding from the admin>System > host tasks button