jhynds' method should work. Alternatively, Support can root into your appliance and dump the raw logs into LEM via the syslog facilities. One note, though: DETECTION TIME is the original time-stamp on the event. INSERTION TIME is when the event was written into the LEM database. Your Detection Times will reflect when things actually happened, and the Insertion Times will be "the present" or whenever the logs get pushed into the LEM.
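As an added illustration (not code from the thread or from the LEM product), a small script that uses the two timestamps the reply distinguishes to tell live events from backfilled ones, so a dumped log batch is not mistaken for activity happening "now". The field names DetectionTime/InsertionTime and the sample export are assumed and constructed, not taken from an actual LEM export.

```python
from datetime import datetime, timedelta

# Constructed sample export. The field names are assumed for illustration;
# a real LEM export may label the two timestamps differently.
SAMPLE_EVENTS = [
    {"id": 1, "DetectionTime": "2024-03-01T08:00:05", "InsertionTime": "2024-03-01T08:00:07"},
    # Old event pushed in by a bulk dump: happened Feb 20, stored Mar 1.
    {"id": 2, "DetectionTime": "2024-02-20T14:32:10", "InsertionTime": "2024-03-01T09:15:00"},
    {"id": 3, "DetectionTime": "2024-03-01T09:14:59", "InsertionTime": "2024-03-01T09:15:00"},
    # Insertion before detection: source clock is ahead of the appliance.
    {"id": 4, "DetectionTime": "2024-03-01T10:00:10", "InsertionTime": "2024-03-01T10:00:00"},
]


def parse_ts(value):
    """Parse the ISO-style timestamp used in the constructed sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def ingestion_lag(event):
    """Seconds between when the event happened (detection) and when LEM stored it (insertion)."""
    return (parse_ts(event["InsertionTime"]) - parse_ts(event["DetectionTime"])).total_seconds()


def classify_events(events, threshold=timedelta(minutes=5)):
    """Bucket events by lag: live (recent), backfilled (old logs pushed in later),
    skewed (negative lag, i.e. the source clock is ahead of the LEM clock)."""
    live, backfilled, skewed = [], [], []
    for event in events:
        lag = ingestion_lag(event)
        if lag < 0:
            skewed.append((event["id"], lag))
        elif lag > threshold.total_seconds():
            backfilled.append((event["id"], lag))
        else:
            live.append((event["id"], lag))
    return live, backfilled, skewed


if __name__ == "__main__":
    for name, bucket in zip(("live", "backfilled", "skewed"), classify_events(SAMPLE_EVENTS)):
        print(name, bucket)
```

Rules or searches keyed on Insertion Time will treat the backfilled batch as current activity, so filter on Detection Time when reconstructing what actually happened and when.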