@Nicholas DiCola (SECURITY JEDI) 

 

Thanks for your reply and yes, the instructions to configure the log collection for ASA were followed as I mentioned in my original post and we are getting the log entries parsed in CommonSecurityLog. Would we get them if the CEF collector was not configured properly? I have this happening in two Sentinel instances. One has a low volume of ASA logs so the effect was negligible but the other one cannot be ignored. The volume of data ingested per day for the two logs is almost the same:

 

 

Regards,

Adrian

@AdiGrio 

yes its possible misconfiguration.  can you share what steps you followed and the config files you are using?  they should be generic configs.

Did you find any solution on this @AdiGrio? i have the same issue with the default installation. 

Also do you know if there is a way for syslog not written in /var/log/messages ?

I am facing the same issue with Fortinet logs.
I performed the recommended steps as per documentation.

Using the same machine to forward both plain Syslog and CEF messages

If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the Syslog and CommonSecurityLog tables:

On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent for detailed instructions on how to do this.

You must run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Azure Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten.
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'