Issue regarding logs duplication in CEF via AMA method

Question

Hello Everyone,&nbsp;Greeting!!&nbsp;I am configuring my linux machine and I have installed AMA agent on that machine and also run the CEF forwarder script.&nbsp;Link for your reference:https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-ama#run-the-installation-script&nbsp;The good thing is, I am getting CEF logs in Sentinel in CommonSecurityLog but the problem is same logs are getting in Syslog Schema as well,&nbsp;Anyone here can help me with this issue?&nbsp;I tried to use the method&nbsp;sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'&nbsp;But this method is for OMS Agent,&nbsp;I am here using Azure Monitor Agent,&nbsp;I want to remove the duplicate CEF logs which are coming under Syslog Schema&nbsp;Your help is appreciated, Thanks in Advance.&nbsp;Regards,Shivam

shahkhanmd · Answer

I have similar challenge, Unable to block CEF going to syslog table. Can someone brief the rsyslog configuration to filter facilities . OMS agent have two ports to differentiate the CEF and syslog. where as AMA agent works over Unix Domain Socket, Unable to segregate the CEF and syslog forwarding.

mikhailf · Answer

Hello&nbsp;GOYALS001&nbsp;,&nbsp;You can filter out facilities from Syslog by configuring your log forwarder.Go to Log Analytics Workspace that have Sentinel installed -&gt; Legacy Agents Management -&gt; Syslog. And remove facilities you don't want to be ingested into Syslog.

Forum Discussion

Issue regarding logs duplication in CEF via AMA method

Share

Resources