Hi Vishal,
I haven't tried it, but I guess switching to "send syslog from Gateways" may help in this case.
Policy events are aggregated at MX into alerts. If syslog is sent from Gateways directly, it should happen before the aggregation.
- Please be reminded that you need to allow the Gateways' management IP to send syslog traffic to your Splunk server if there is a firewall between them.
Hope it helps. Thanks.
------------------------------
Louis Tsoi
Associate Consultant
Cyberforce Limited
------------------------------
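A quick way to measure how much of the forwarded policy data has already lost user attribution, as an added example (not from this thread or from Imperva): it parses the CEF-style key=value extension and counts events whose duser is "Multiple". The sample lines and the seven-field CEF header layout are constructed assumptions; run it over a Splunk export before and after switching the syslog source to confirm that per-event users arrive.

```python
import re
from typing import Dict, List

# Constructed sample lines (not real Imperva output): CEF-style records where the
# extension after the seventh '|' holds space-separated key=value pairs.
SAMPLE_EVENTS = [
    "CEF:0|Imperva Inc.|SecureSphere|12.0|Policy|Policy Alert|6|"
    "act=Alert duser=Multiple dst=10.10.1.20 cs1=Distributed",
    "CEF:0|Imperva Inc.|SecureSphere|12.0|Policy|Policy Alert|6|"
    "act=Alert duser=app_svc dst=10.10.1.20 cs1=Single",
    "CEF:0|Imperva Inc.|SecureSphere|12.0|Policy|Policy Alert|6|"
    "act=Alert duser=Multiple dst=10.10.1.21 cs1=Distributed",
    "CEF:0|Imperva Inc.|SecureSphere|12.0|Policy|Policy Alert|6|"
    "act=Alert duser=jsmith dst=10.10.1.22 cs1=Single",
]

# Assumed header: version, vendor, product, product version, signature id, name, severity
CEF_HEADER_FIELDS = 7
# key=value pairs; a value runs until the next " key=" or the end of the line
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef_extension(line: str) -> Dict[str, str]:
    """Return the key=value extension fields of one CEF line as a dict."""
    parts = line.split("|", CEF_HEADER_FIELDS)
    if len(parts) <= CEF_HEADER_FIELDS:
        return {}  # malformed or header-only line: no extension present
    return dict(EXT_PAIR.findall(parts[CEF_HEADER_FIELDS]))


def unattributed_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Events whose user attribution was collapsed to 'Multiple' by aggregation."""
    return [ev for ev in map(parse_cef_extension, lines) if ev.get("duser") == "Multiple"]


def attribution_loss_ratio(lines: List[str]) -> float:
    """Fraction of parsed events with no usable duser; expect 0.0 once per-event
    syslog is sent from the Gateways instead of the aggregated MX alerts."""
    events = [ev for ev in map(parse_cef_extension, lines) if ev]
    if not events:
        return 0.0
    return sum(1 for ev in events if ev.get("duser") == "Multiple") / len(events)
```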
Original Message:
Sent: 02-02-2021 15:45
From: Vishal Navale
Subject: User information shows as Multiple in Splunk, if Aggregation happened in Imperva
We are not getting user details for Policy events in Splunk. If those Policy events are aggregated as Distributed in Imperva, we can see duser="Multiple".
Does anyone know how to get/capture user info related to that event if aggregated?
Thanks
#DatabaseActivityMonitoring
------------------------------
Vishal Navale
Concord, NC
------------------------------