Does anyone out there use Splunk to collect SonicWall syslogs? We only have the 2GB Splunk license and hardly touch that. When I turn on the SonicWall it overloads Splunk with logs. So I'm looking for any recommendations that anyone would have to quiet this thing down. I really only care about errors; I'm not doing any log collecting for compliance or anything like that. I just like to know when things go wrong.
I was able to figure it out. In the log settings there is a preconfigured setting for low logging that works perfectly.
While I haven't used that myself too much yet, if you know how to distinguish an error event you'd like to index from a non-error event you'd like to discard, you can set up regex-based filtering in props.conf/transforms.conf like this:
props.conf
[your_sonicwall_sourcetype]
...
# Transforms run in the order listed; the last one whose REGEX matches an event
# decides its queue, so setnull must come before filter_for_errors.
TRANSFORMS-filter = setnull,filter_for_errors

transforms.conf
# Default: send every event to the nullQueue, i.e. discard it
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Rescue the events you actually want indexed by routing them back to the parsingQueue
[filter_for_errors]
REGEX = some regular expression identifying events you want to keep
DEST_KEY = queue
FORMAT = parsingQueue
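To check that a keep-regex does what you expect before loading it into transforms.conf, here is an added example (not part of the answer above) that emulates Splunk's transform chain on a few constructed SonicWall-style syslog lines. It assumes the events carry a pri= field with the syslog severity (0 emergency to 7 debug) and keeps severity 0 to 3; the serial number and addresses are placeholders.

```python
import re

# Constructed SonicWall-style syslog events (not real firewall output). The "pri="
# field is assumed to hold the RFC 5424 severity: 0 emergency .. 7 debug.
SAMPLE_EVENTS = [
    'id=firewall sn=SN_PLACEHOLDER fw=203.0.113.10 pri=6 msg="Connection Opened"',
    'id=firewall sn=SN_PLACEHOLDER fw=203.0.113.10 pri=6 msg="Connection Closed"',
    'id=firewall sn=SN_PLACEHOLDER fw=203.0.113.10 pri=3 msg="VPN negotiation failed"',
    'id=firewall sn=SN_PLACEHOLDER fw=203.0.113.10 pri=1 msg="Interface link down"',
    'id=firewall sn=SN_PLACEHOLDER fw=203.0.113.10 pri=7 msg="debug: heartbeat"',
]

# Mirror of TRANSFORMS-filter = setnull,filter_for_errors as (REGEX, FORMAT) pairs.
# Splunk evaluates them in order and the last matching one sets the queue, which is
# why the catch-all setnull has to be listed first.
TRANSFORMS_FILTER = [
    (r".", "nullQueue"),                  # [setnull]: drop everything by default
    (r"\bpri=[0-3]\b", "parsingQueue"),   # [filter_for_errors]: keep severity 0-3
]


def route_event(raw, transforms=TRANSFORMS_FILTER):
    """Return the queue an event ends up in after applying the transform chain."""
    queue = "parsingQueue"  # Splunk's destination when no transform matches
    for regex, fmt in transforms:
        if re.search(regex, raw):
            queue = fmt  # a later match overrides an earlier one
    return queue


def filter_events(events, transforms=TRANSFORMS_FILTER):
    """Return only the events that would actually be indexed."""
    return [e for e in events if route_event(e, transforms) == "parsingQueue"]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{route_event(event):13s} {event}")
    # Common mistake: listing setnull last makes it win every time and drops everything.
    misordered = list(reversed(TRANSFORMS_FILTER))
    print("kept with correct order:", len(filter_events(SAMPLE_EVENTS)))
    print("kept with setnull last:", len(filter_events(SAMPLE_EVENTS, misordered)))
```

Swap in your own regex for the second pair and feed it a sample of real events to see exactly what survives before touching the indexer's config.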