Forum Discussion
Qusai_Ismail
Feb 07, 2023 Brass Contributor
Duplicate logs of CEF with Syslog
Hello, is there a way to remove the duplication of CommonSecurity and Syslog when the log collector server is configured to forward CEF and Syslog? For example, an F5 WAF firewall sending Syslog with CEF fo...
- Jun 13, 2023 I got a solution that worked for me:
I've created a separate machine used only for CEF logs; on that machine just add iptables rules that block port 25224.
# Block the OMS agent's plain-Syslog listener port (UDP 25224) on this CEF-only collector,
# so only the CEF forward (port 25226) reaches the agent
sudo iptables -A INPUT -p udp --dport 25224 -j DROP
sudo iptables -A OUTPUT -p udp --dport 25224 -j DROP
mikhailf
Steel Contributor
Qusai_Ismail
Feb 08, 2023 Brass Contributor
Thanks, but this needs the Azure Monitor agent, not the Log Analytics agent, yes?
Because we are using the Log Analytics agent (OMS agent).
- mikhailf Feb 08, 2023 Steel Contributor
I think you can use data transformation with the old Log Analytics agents as well, because it is done at the Azure level and not on the log forwarder.
Transform or customize data at ingestion time in Microsoft Sentinel (preview) | Microsoft Learn
- Qusai_Ismail Feb 09, 2023 Brass Contributor
Thank you, we found a workaround and solved it by editing the OMS configuration (/etc/rsyslog.d/security-config-omsagent.conf) to:
# Forward CEF and Cisco ASA messages to the CEF listener only, then discard them
# so the later Syslog forward never sees them
if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then {
    @@127.0.0.1:25226
    stop
}
- omryma Mar 16, 2023 Copper Contributor
This workaround gets overwritten at some point by Azure Sentinel, no?
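Both fixes in this thread (blocking the Syslog listener port with iptables, and adding `stop` to the CEF rule in security-config-omsagent.conf) work by making sure a CEF message reaches only one of the two local omsagent listeners. The following Python model of rsyslog's rule evaluation is an added example, not code from the thread or from Microsoft's agent: it assumes the ports the thread names (25224 for Syslog, 25226 for CEF), simplifies the omsagent Syslog selector to a catch-all, and uses constructed sample messages. It shows the duplication without `stop`, its removal with `stop`, and the caveat that the fix only holds when the CEF rule is evaluated before the Syslog forward, since rsyslog processes /etc/rsyslog.d/*.conf in alphabetical order and `stop` only affects rules that come after it.

```python
"""Model of rsyslog rule evaluation for the CEF/Syslog duplication in this thread.

Added example, not code from the thread or from Microsoft's omsagent config.
Assumptions: local listeners 127.0.0.1:25224 (Syslog) and 127.0.0.1:25226 (CEF)
as named in the thread; the omsagent Syslog selector is simplified to a
catch-all; the sample messages below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

SYSLOG_PORT = 25224   # omsagent plain-Syslog listener (Syslog table)
CEF_PORT = 25226      # omsagent CEF listener (CommonSecurityLog table)


@dataclass(frozen=True)
class Rule:
    """One rsyslog rule: if matches(rawmsg) then forward to port.
    With stop=True the message is discarded so later rules never see it."""
    name: str
    matches: Callable[[str], bool]
    port: int
    stop: bool = False


def is_cef_or_asa(rawmsg: str) -> bool:
    # Same test as the rule quoted in the thread:
    # if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then ...
    return "CEF:" in rawmsg or "ASA-" in rawmsg


def any_syslog(rawmsg: str) -> bool:
    # Assumption: the omsagent Syslog facility/priority selector is treated as catch-all.
    return True


def route(rawmsg: str, ruleset: List[Rule]) -> List[int]:
    """Return the listener ports a message is forwarded to, in rule order."""
    ports: List[int] = []
    for rule in ruleset:
        if rule.matches(rawmsg):
            ports.append(rule.port)
            if rule.stop:
                break          # `stop` discards the message for all later rules
    return ports


def is_duplicated(rawmsg: str, ruleset: List[Rule]) -> bool:
    """True when one message would be ingested into more than one table."""
    return len(route(rawmsg, ruleset)) > 1


# Default shape of the config: CEF forward without `stop`, then the Syslog forward.
DEFAULT_RULES = [
    Rule("cef", is_cef_or_asa, CEF_PORT, stop=False),
    Rule("syslog", any_syslog, SYSLOG_PORT),
]

# Workaround from the thread: `stop` inside the CEF block.
FIXED_RULES = [
    Rule("cef", is_cef_or_asa, CEF_PORT, stop=True),
    Rule("syslog", any_syslog, SYSLOG_PORT),
]

# Same rules, but the Syslog forward evaluated first (its file sorting earlier in
# /etc/rsyslog.d would do this): `stop` can no longer prevent the first forward.
WRONG_ORDER_RULES = [FIXED_RULES[1], FIXED_RULES[0]]

# Constructed sample messages (not real captures).
F5_CEF = ("<134>Feb 07 2023 10:00:00 bigip ASM:CEF:0|F5|ASM|16.1.2|200000001|"
          "Illegal request|5|dvc=10.0.0.5 src=198.51.100.7 spt=44112 dst=10.0.0.20 dpt=443")
ASA_SYSLOG = ("<166>Feb 07 2023 10:00:01 fw %ASA-6-302013: Built outbound TCP connection 1 "
              "for outside:198.51.100.9/443 to inside:10.0.0.31/50000")
SSHD_SYSLOG = "<38>Feb 07 2023 10:00:02 host sshd[1234]: Accepted publickey for ops from 10.0.0.9 port 5000"

SAMPLES: Dict[str, str] = {"f5_cef": F5_CEF, "asa": ASA_SYSLOG, "sshd": SSHD_SYSLOG}


def report(ruleset: List[Rule]) -> Dict[str, List[int]]:
    """Map each sample name to the ports it lands on under the given ruleset."""
    return {name: route(msg, ruleset) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, rs in (("default", DEFAULT_RULES), ("with stop", FIXED_RULES),
                      ("stop, wrong order", WRONG_ORDER_RULES)):
        print(label)
        for name, ports in report(rs).items():
            flag = "DUPLICATE" if len(ports) > 1 else ""
            print(f"  {name:8} -> {ports} {flag}")
```

After editing a real rsyslog config, `sudo rsyslogd -N1` checks the syntax before a restart. The iptables rules in the Jun 13 post do not survive a reboot unless they are saved (for example with the iptables-persistent package), so a collector that relies on them needs that step too.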