We're trying to stand up a SIEM offering and have run into a particular problem related to retention of customer audit logs. We have a myriad of firewall devices sending their audit logs to one or more Connectors via an anycast address (so that the audit log gets delivered to the "closest" Connector). We would like to be able to funnel audit logs from a particular event source (i.e., the firewall device) into one and only one Storage Group on the Logger.
When initially reading the Logger documentation, it appeared as though this was a trivial task: you just set up Devices, Device Groups, Storage Rules, and Storage Groups. But I'm finding now that the "Device" is not the event source (the firewall), but the Connector that is sending the logs back to the Logger.
Is there an easy way to accomplish this objective? I would think this is a relatively common use case, but I can't find any threads on the topic.