Forum Discussion
AdiGrio
Nov 17, 2019 (Brass Contributor)
Cisco ASA log entries duplicated in CommonSecurityLog and Syslog
Hi, I have some Cisco ASA firewalls sending their logs to the Sentinel collector (running on rsyslog) and I can see that most of the log entries in the CommonSecurityLog are also recorded in the Sys...
Nicholas DiCola (SECURITY JEDI)
Nov 19, 2019 (Former Employee)
Yes, it's possibly a misconfiguration. Can you share what steps you followed and the config files you are using? They should be generic configs.
a_kefallonitis
Oct 13, 2020 (Copper Contributor)
Did you find any solution to this, AdiGrio? I have the same issue with the default installation.
Also, do you know if there is a way for syslog not to be written to /var/log/messages?
Deepanshu_Marwah
Jun 23, 2021 (Brass Contributor)
I am facing the same issue with Fortinet logs.
I performed the recommended steps as per the documentation:
Using the same machine to forward both plain Syslog and CEF messages
If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the Syslog and CommonSecurityLog tables:
On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent for detailed instructions on how to do this.
You must run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Azure Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten.
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
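The two documented steps, carried out as a script. This is an added example written for this page; it is not code from the thread, from Microsoft's documentation, or from the agent itself. It assumes (neither is stated above) that the agent's plain-Syslog rsyslog rules live in /etc/rsyslog.d/95-omsagent.conf and that the CEF-sending devices log to facility local4; both are overridable through environment variables. The filtering is done on a constructed sample config so the dry run works offline; `--apply` edits the real file, restarts rsyslog and runs the sync-disable command quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from Microsoft's docs.
# Step 1: drop the CEF facilities from the agent's plain-Syslog rsyslog rules
#         so those messages reach only the CEF listener.
# Step 2: disable the agent's config sync so the edit is not overwritten.
# Assumptions (not on the page): rules file path and CEF facility below.

OMS_SYSLOG_CONF="${OMS_SYSLOG_CONF:-/etc/rsyslog.d/95-omsagent.conf}"
CEF_FACILITIES="${CEF_FACILITIES:-local4}"

# strip_facilities FACILITY... : filter an rsyslog config from stdin,
# dropping every selector line whose first field starts with one of the
# given facilities (e.g. "local4.=alert;local4.=crit ..."). Comments,
# blank lines and rules for other facilities pass through untouched.
strip_facilities() {
    pat=$(printf '%s|' "$@" | sed 's/|$//')
    awk -v pat="$pat" '
        BEGIN { re = "^(" pat ")[.]" }
        $1 !~ re { print }
    '
}

# count_rules FACILITY : number of selector lines for FACILITY on stdin.
count_rules() {
    awk -v re="^$1[.]" '$1 ~ re { n++ } END { print n + 0 }'
}

# Constructed sample in the shape of the agent's rules; not a real file.
sample_config() {
    cat <<'EOF'
# OMS Syslog collection (constructed sample)
kern.warning    @127.0.0.1:25224
local4.=alert;local4.=crit;local4.=err;local4.=warning @127.0.0.1:25224
local5.warning  @127.0.0.1:25224
EOF
}

# apply_fix : edit the real config in place (keeping a .bak), restart
# rsyslog, then disable the agent's config sync. Needs root; run only on
# the forwarder after checking the dry-run output.
apply_fix() {
    [ -f "$OMS_SYSLOG_CONF" ] || { echo "missing $OMS_SYSLOG_CONF" >&2; return 1; }
    cp "$OMS_SYSLOG_CONF" "$OMS_SYSLOG_CONF.bak"
    # CEF_FACILITIES is a space-separated list, so it is left unquoted.
    strip_facilities $CEF_FACILITIES < "$OMS_SYSLOG_CONF.bak" > "$OMS_SYSLOG_CONF"
    systemctl restart rsyslog
    # Command from the documentation quoted above.
    su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
}

if [ "${1:-}" = "--apply" ]; then
    apply_fix
else
    echo "== rules kept after removing '$CEF_FACILITIES' (dry run on sample) =="
    sample_config | strip_facilities $CEF_FACILITIES
fi
```

After applying, confirm with `grep -c '^local4' /etc/rsyslog.d/95-omsagent.conf` (expect 0) and check that new ASA or Fortinet events appear only in CommonSecurityLog. Keep the .bak file: if the agent later re-syncs its Syslog configuration, comparing the two shows immediately whether the facilities were re-added.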