I have some Cisco ASA firewalls sending their logs to the Sentinel collector (running on rsyslog), and I can see that most of the log entries in the CommonSecurityLog are also recorded in the Syslog table. That basically doubles the storage used, and for 15 GB/day worth of ASA logs that's substantial double-dipping.
The log extract from the CommonSecurityLog for session id 629326377:
The same session id (629326377) in the Syslog table:
I was under the impression that the ASA logs that are sent as CEF are not supposed to end up in the Syslog as well.
The ASA logging is configured exactly as indicated by the Sentinel connector for Cisco ASA. We need the logs that are missed by the CEF parser, as they contain good information, but we don't want them duplicated.
Thanks for your reply, and yes, the instructions to configure the log collection for ASA were followed, as I mentioned in my original post, and we are getting the log entries parsed in CommonSecurityLog. Would we get them if the CEF collector was not configured properly? I have this happening in two Sentinel instances. One has a low volume of ASA logs, so the effect was negligible, but the other one cannot be ignored. The volume of data ingested per day for the two logs is almost the same: