CEF Proxy for Sentinel and Apparent Log Source


Hello colleagues,

I have a question regarding the common scenario where we need to install a Linux VM (on-prem / on cloud) to act as a proxy to send logs from Fortinet and other CEF log sources like Cisco, etc.

If I use the same VM as a proxy for multiple log sources (like Fortinet, Cisco, etc.), would Sentinel be able to differentiate between the log sources?

Would you rather recommend using one VM-proxy per log source, like one for Cisco, another one for Fortinet, to keep it easy for Sentinel?

[attached image: 1.jpg]


@salkhan The DeviceVendor and DeviceProduct fields in the CommonSecurityLog should tell you where the data came from.
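To show why one collector VM is enough, here is an added example (not from the thread or from Microsoft) that parses the CEF header of lines arriving at a single syslog/CEF collector and groups them by the same DeviceVendor / DeviceProduct pair the reply points to. The sample lines and the vendor/product strings in them are constructed for illustration, and the field names follow the CommonSecurityLog columns.

```python
import re
from collections import Counter

# Constructed sample lines as one syslog/CEF collector might receive them from several devices.
# Vendor/product/version strings are illustrative, not captured from real appliances.
SAMPLE_LINES = [
    "<134>Oct 10 12:00:01 fw01 CEF:0|Fortinet|Fortigate|v6.4.0|00013|traffic:forward close|3|src=10.0.0.5 dst=8.8.8.8 act=close",
    "<134>Oct 10 12:00:02 asa01 CEF:0|Cisco|ASA|9.12|106023|Deny tcp|5|src=10.0.0.9 dst=10.0.1.2 act=deny",
    "<134>Oct 10 12:00:03 fw01 CEF:0|Fortinet|Fortigate|v6.4.0|00014|traffic:forward accept|2|src=10.0.0.6 dst=1.1.1.1 act=accept",
    "<134>Oct 10 12:00:04 ids01 CEF:0|Acme\\|Labs|Sensor|1.0|100|probe|1|msg=vendor name with escaped pipe",
]

# Header field names as the CommonSecurityLog table exposes them.
HEADER_FIELDS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Activity", "LogSeverity")


def split_header(cef: str) -> list:
    """Split 'CEF:0|...' on unescaped pipes: 7 header parts, then the raw extension."""
    parts, buf, i = [], [], 0
    while i < len(cef) and len(parts) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # '\|' and '\\' are escapes inside the header
            buf.append(cef[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    parts.append(cef[i:])                        # everything after the 7th pipe is the extension
    return parts


def parse_extension(ext: str) -> dict:
    """key=value pairs; values may contain spaces, so a value ends at the next 'key=' token."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", ext))


def parse_cef(line: str) -> dict:
    """Return header fields plus the parsed extension for one syslog-wrapped CEF line."""
    m = re.search(r"CEF:\d+\|", line)
    if not m:
        raise ValueError("not a CEF line")
    parts = split_header(line[m.start():])
    if len(parts) != 8:
        raise ValueError("truncated CEF header")
    event = dict(zip(HEADER_FIELDS, parts[1:7]))
    event["extension"] = parse_extension(parts[7])
    return event


def sources_seen(lines) -> Counter:
    """Count events per (DeviceVendor, DeviceProduct): the distinct sources behind one collector."""
    return Counter((e["DeviceVendor"], e["DeviceProduct"]) for e in map(parse_cef, lines))
```

In the workspace the same grouping is `CommonSecurityLog | summarize count() by DeviceVendor, DeviceProduct, Computer`, where Computer is the forwarding VM.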