Oct 30 2020 06:01 AM
Hi, I'm planning an on-prem syslog/CEF forwarder and the documentation is a little unclear to me. I need the forwarder to forward CEF messages from sources that support it, and raw syslog messages from sources that don't support CEF. The documentation here suggests that the forwarder will only send CEF messages up to Sentinel. In my testing I also found that after configuring the Syslog data settings on the Log Analytics workspace I was able to forward raw syslog messages through the same server.
Am I going about this the correct way?
Step 3 on this page mentions that /etc/rsyslog.d/security-config-omsagent.conf contains 'if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then @@127.0.0.1:25226' which suggested that plain syslog messages would not be forwarded.
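To make the behaviour of the quoted rsyslog rule concrete, here is an added example (not code from the thread, from Microsoft, or from the agent package) that replays the same filter over a handful of constructed sample lines and, for lines that match, also parses the CEF header. The destination 127.0.0.1:25226 and the `contains "CEF:" or contains "ASA-"` test come from the rule quoted in the post; the sample messages, vendor names and helper functions are assumptions made for the example.

```python
"""Replay of the rsyslog filter quoted in the post over constructed sample lines.

Added example, not the thread's or Microsoft's code. Shows which lines the rule
would hand to the local agent port and which it leaves on the ordinary syslog
path, and that `contains` is an unanchored substring test on the raw message.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Destination taken from the rule quoted in the post.
CEF_TARGET = "@@127.0.0.1:25226"


def rsyslog_rule_matches(rawmsg: str) -> bool:
    """Same test as `$rawmsg contains "CEF:" or $rawmsg contains "ASA-"`.

    rsyslog's `contains` is a plain substring match anywhere in the raw line,
    so it is not restricted to well-formed CEF or to Cisco ASA sources.
    """
    return "CEF:" in rawmsg or "ASA-" in rawmsg


@dataclass
class CefHeader:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: str


def parse_cef(rawmsg: str) -> Optional[CefHeader]:
    """Return the CEF header that follows the syslog prefix, or None if the
    line is not well-formed CEF. A pipe escaped as '\\|' inside a header field
    is treated as literal text rather than as a field separator."""
    idx = rawmsg.find("CEF:")
    if idx < 0:
        return None
    body = rawmsg[idx + len("CEF:"):]
    # Split on unescaped '|' only; the 8th piece is the extension, kept whole.
    fields = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(fields) != 8:
        return None
    return CefHeader(*[f.replace("\\|", "|") for f in fields])


def route(rawmsg: str) -> Dict[str, object]:
    """Decide where the quoted rule would send one raw line."""
    if rsyslog_rule_matches(rawmsg):
        return {"target": CEF_TARGET, "cef": parse_cef(rawmsg)}
    return {"target": "syslog", "cef": None}


# Constructed sample lines (hypothetical hosts, vendors and addresses).
SAMPLE_LINES: List[str] = [
    # 1. Well-formed CEF from a firewall; name field contains an escaped pipe.
    "<134>Oct 30 06:01:00 fw01 CEF:0|ExampleVendor|ExampleFW|9.1|threat|"
    "Traffic denied \\| blocked|5|src=10.0.0.5 dst=10.0.0.9 act=deny",
    # 2. Cisco ASA style message: matched by "ASA-" although it is not CEF.
    "<166>Oct 30 06:01:01 asa01 %ASA-6-302013: Built outbound TCP connection",
    # 3. Ordinary syslog: not matched, stays on the normal syslog path.
    "<38>Oct 30 06:01:02 web01 sshd[1234]: Accepted publickey for alice",
    # 4. Ordinary syslog whose free text happens to contain "CEF:": matched
    #    by the substring test, but it is not parseable CEF.
    "<38>Oct 30 06:01:03 web01 app[77]: exporter restarted, format CEF: enabled",
]


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count lines per destination, and how many matched lines are real CEF."""
    counts = {"cef_target": 0, "syslog": 0, "cef_parsed": 0}
    for line in lines:
        decision = route(line)
        if decision["target"] == CEF_TARGET:
            counts["cef_target"] += 1
            if decision["cef"] is not None:
                counts["cef_parsed"] += 1
        else:
            counts["syslog"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        d = route(line)
        hdr = d["cef"]
        print(d["target"], "|", f"{hdr.vendor}/{hdr.product} {hdr.name}" if hdr else "(not CEF)")
    print(summarize(SAMPLE_LINES))
```

Running it shows lines 1, 2 and 4 going to the agent port and only line 3 staying on the plain syslog path; of the three forwarded lines, only the first parses as CEF, which is the point of the substring caveat.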
Oct 30 2020 07:21 AM