Forum Discussion
RogerS
Jan 30, 2025
Cannot stop CEF duplication to syslog when both processed by same Linux VM
We have a situation where we are sending CEF records from FortiGate firewall to Microsoft Sentinel via Common Event Format (CEF) via AMA Data connector and we also use Syslog via AMA Data connector (...
jandrusk
Mar 18, 2025
I know this isn't an orthodox method, but I ran into the same issue, but my issue was running out of local log space in /var/log as a result of this, so I put together this hack since not even MS support could give me a solution that worked.
This runs as a daily cron job.
#!/bin/bash
# Delete CEF messages from /var/log/messages so we don't run out of disk space ;)
# Runs once a day from cron.
SYSLOG_FILE='/var/log/messages'
sed -i '/CEF:/d' "$SYSLOG_FILE"   # Delete CEF messages
sed -i '/^$/d' "$SYSLOG_FILE"     # Delete any blank lines left by the previous operation
service rsyslog restart           # Make rsyslog reopen the rewritten file
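As an added example, not part of jandrusk's post, the same disk-space problem can be handled inside rsyslog so the CEF lines are never written to /var/log/messages in the first place. The file name 99-drop-cef-local.conf is an assumption; it must sort after the AMA drop-in in /etc/rsyslog.d/ that forwards messages to the agent (so forwarding to Sentinel has already happened when the rule runs) and before the rule in /etc/rsyslog.conf that writes the local file.

```conf
# /etc/rsyslog.d/99-drop-cef-local.conf  (assumed file name; pick one that
# sorts after the Azure Monitor Agent forwarding drop-in in this directory)
#
# Assumption: the AMA rule that forwards to the agent has already matched,
# so stopping here only affects later actions such as /var/log/messages.
if ($msg contains "CEF:") then {
    stop
}
```

Check the result with `rsyslogd -N1` before restarting rsyslog. This only keeps CEF lines out of the local file; it does not change which AMA data connector the message reaches on the Sentinel side.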