I'm in the middle of a major consolidation of 15 instances (of the full Orion platform) nationwide down to 4. Part of the plan is to turn down the 'noise' from both traps and syslogs by inserting a layer of Kiwi in front of each regional instance and then using rules / actions to filter out and forward critical, actionable stuff on to Orion. What I'm seeing in testing, though, is a trap comes into Kiwi & is successfully (kinda) sent over to Orion. But it's showing up there under syslogs instead of alerts.
Any pointers on making this work correctly?
Would also love to hear experiences of anyone else doing something similar.
Thanks!