What is the best way to differentiate between devices all sending to syslog? For example, if I have an ASA, a switch and a router all sending syslog to Logstash, how can I tell them apart?
You can, for example:
- have multiple network listeners on different ports (tagging incoming events differently),
- use a conditional with a regexp match to try to figure out which kind of device it is, or
- use the IP address of the sending device and somehow look up what kind of device it is.
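As an added illustration (not part of the original answer, and not a configuration from the Logstash project), the pipeline below applies all three approaches in one place. Port numbers, device addresses and the `device_type` field name are assumptions; the field-naming comment assumes legacy (non-ECS) field names, where the syslog input stores the sender address in `[host]`, and the `translate` filter is assumed to be the bundled plugin at version 3.3 or later, which uses the `source`/`target` option names.

```conf
# Added example pipeline, not from the original thread.
# Ports, addresses and field names are constructed for illustration.

input {
  # Approach 1: one listener per device class, tagged on arrival.
  # Point the ASA at 5514, switches at 5515 and routers at 5516 (assumed ports;
  # unprivileged ports avoid running Logstash as root for 514).
  syslog { port => 5514 tags => ["asa"] }
  syslog { port => 5515 tags => ["switch"] }
  syslog { port => 5516 tags => ["router"] }

  # Catch-all listener for devices whose destination port you do not control.
  # These events are classified in the filter section instead.
  syslog { port => 5517 tags => ["unclassified"] }
}

filter {
  if "unclassified" in [tags] {
    # Approach 2: recognise the device by its message format.
    # Cisco ASA messages carry a "%ASA-<severity>-<6-digit id>:" marker, while
    # Cisco IOS (switches and routers) uses "%FACILITY-<severity>-MNEMONIC:".
    # The ASA test runs first because an ASA line also matches the IOS shape.
    if [message] =~ /%ASA-\d-\d{6}:/ {
      mutate { add_field => { "device_type" => "asa" } }
    } else if [message] =~ /%[A-Z0-9_]+-\d-[A-Z0-9_]+:/ {
      mutate { add_field => { "device_type" => "ios" } }
    }

    # Approach 3: look up the sending address when the format test was
    # inconclusive. The syslog input places the sender IP in [host]
    # (legacy naming; with ECS compatibility enabled it is [host][ip]).
    # The dictionary entries are constructed example addresses.
    if ![device_type] {
      translate {
        source      => "[host]"
        target      => "[device_type]"
        dictionary  => {
          "192.0.2.1"  => "asa"
          "192.0.2.10" => "switch"
          "192.0.2.20" => "router"
        }
        fallback    => "unknown"
      }
    }
  } else {
    # Approach 1, continued: copy the arrival tag into the same field so
    # downstream conditionals and index routing see one consistent value.
    if "asa" in [tags] {
      mutate { add_field => { "device_type" => "asa" } }
    } else if "switch" in [tags] {
      mutate { add_field => { "device_type" => "switch" } }
    } else if "router" in [tags] {
      mutate { add_field => { "device_type" => "router" } }
    }
  }
}

output {
  # Print the enriched event so the classification can be checked by eye;
  # in production this is where you would route on [device_type], for example
  # into a per-device-class index.
  stdout { codec => rubydebug }
}
```

The ordering is deliberate: the regexp and the address lookup run only for events that arrived on the catch-all port, so a device that has been given its own listener never falls through to the slower checks, and the two fallbacks are tried from most specific (message format) to least specific (sender address), with `fallback => "unknown"` guaranteeing the field is always present for downstream routing.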