Add an additional “CEFVendorProduct” Package Policy, which works just like “Application ID” but uses the two CEF header fields for the routing decision. The precedence of collector selection would then be:
0) CEFVendorProduct
1) Application ID
2) Unique Matching Rule
3) UniversalCEFCollector
4) UniversalSyslogCollector (this is for the generic event collector)

This would help solve the multiple event sources on the same host using CEF Syslog problem.
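The proposed precedence, sketched as an added example that is not part of the original post or of the product's code. It assumes the "two CEF header fields" are Device Vendor and Device Product, and that the policy tables, collector names other than the two Universal collectors, and log lines are constructed for illustration.

```python
# Added illustration: policy tables, collector names and log lines are constructed.
CEF_VENDOR_PRODUCT = {            # proposed level 0: (Device Vendor, Device Product)
    ("Acme", "Firewall"): "AcmeFirewallCollector",
    ("Acme", "Proxy|Gateway"): "AcmeProxyCollector",
}
APPLICATION_ID = {"sshd": "SshdCollector"}   # level 1: syslog application name

def parse_cef_header(line):
    """Return (vendor, product) from a CEF header, or None if it is not valid CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    fields, cur, i = [], [], start + 4
    while i < len(line) and len(fields) < 7:      # 7 header fields precede the extension
        ch = line[i]
        if ch == "\\" and line[i + 1:i + 2] in ("|", "\\"):
            cur.append(line[i + 1])               # \| and \\ are escapes in the header
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    return (fields[1], fields[2]) if len(fields) == 7 else None

def select_collector(line, app_id=None, unique_rule=None):
    """Apply the precedence from the post; unique_rule is the collector a
    unique matching rule picked, if any (how that rule matches is not modelled)."""
    header = parse_cef_header(line)
    if header in CEF_VENDOR_PRODUCT:              # 0) CEFVendorProduct
        return CEF_VENDOR_PRODUCT[header]
    if app_id in APPLICATION_ID:                  # 1) Application ID
        return APPLICATION_ID[app_id]
    if unique_rule:                               # 2) Unique Matching Rule
        return unique_rule
    # 3) any other valid CEF, 4) everything else
    return "UniversalCEFCollector" if header else "UniversalSyslogCollector"

SAMPLES = [  # constructed: three CEF sources and one plain syslog source on host gw01
    r"<134>Jan 10 12:00:01 gw01 CEF:0|Acme|Firewall|1.0|100|Blocked|5|src=10.0.0.1",
    r"<134>Jan 10 12:00:02 gw01 CEF:0|Acme|Proxy\|Gateway|2.1|200|Allowed|3|dst=10.0.0.9",
    r"<134>Jan 10 12:00:03 gw01 CEF:0|Other|Thing|1|1|x|1|",
    "<38>Jan 10 12:00:04 gw01 sshd[99]: Accepted publickey for admin",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(select_collector(s, app_id="sshd" if "sshd" in s else None))
```

The first two lines come from the same host with the same syslog framing and still reach different collectors, which is the case the post is about.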
