CEF Proxy for Sentinel and Apparent Log Source


Hello colleagues,


I have a question regarding a common scenario, where we need to install a Linux VM (on-prem or in the cloud) to act as a proxy to send logs from Fortinet and other CEF log sources like Cisco, etc.


If I use the same VM as a proxy for multiple log sources (like Fortinet, Cisco, etc.), would Sentinel be able to differentiate between the log sources?


Would you rather recommend using one VM proxy per log source, like one for Cisco and another one for Fortinet, to keep it easy for Sentinel?



@salkhan The DeviceVendor and DeviceProduct fields in the CommonSecurityLog should tell you where the data came from.
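To see why one collector is enough, it helps to look at what the collector actually forwards. Every CEF message carries its own header, and the second and third header fields are what land in the CommonSecurityLog columns DeviceVendor and DeviceProduct. The script below is an added example (not code from the thread or from Microsoft); it parses the CEF header out of syslog lines the way a collector would see them, honouring the CEF escapes for `|` and `\`, and counts messages per vendor/product. The sample lines are constructed for illustration and do not come from real Fortinet or Cisco devices.

```python
from collections import Counter
from typing import Optional

# Constructed sample lines (not real device output): what a single syslog
# collector forwards when several CEF senders share it. The syslog prefix
# differs per sender; the part Sentinel keys on is the header after "CEF:".
SAMPLE_LINES = [
    "<14>Jan 10 12:00:01 fw01 CEF:0|Fortinet|Fortigate|v6.4|0001|traffic:forward accept|3|src=10.0.0.5 dst=8.8.8.8",
    "<14>Jan 10 12:00:02 asa01 CEF:0|Cisco|ASA|9.12|106023|Deny tcp|5|src=10.0.0.9 dst=10.0.1.3",
    "<14>Jan 10 12:00:03 fw01 CEF:0|Fortinet|Fortigate|v6.4|0002|traffic:forward deny|5|src=10.0.0.7 dst=1.1.1.1",
    # A header value containing an escaped pipe, which a naive split("|") would break on.
    "<14>Jan 10 12:00:04 proxy01 CEF:0|Vendor \\| Pipe|Product|1.0|7|name with \\| escaped pipe|2|msg=ok",
    "<14>Jan 10 12:00:05 host01 not a CEF line at all",
]

# The seven CEF header fields, in order. All but the first ("CEFVersion", a
# name chosen here) are the CommonSecurityLog column names Sentinel uses.
HEADER_COLUMNS = (
    "CEFVersion", "DeviceVendor", "DeviceProduct", "DeviceVersion",
    "DeviceEventClassID", "Activity", "LogSeverity",
)


def _split_header(header: str):
    """Split the seven '|'-delimited header fields, honouring the CEF escapes
    '\\|' and '\\\\'. Returns (fields, extension), or None if fewer than seven
    fields are present (malformed message)."""
    fields, current, i = [], [], 0
    while i < len(header) and len(fields) < 7:
        ch = header[i]
        if ch == "\\" and i + 1 < len(header) and header[i + 1] in "|\\":
            current.append(header[i + 1])  # escaped pipe or backslash: literal
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < 7:
        return None
    return fields, header[i:]  # whatever follows the 7th pipe is the extension


def parse_cef(line: str) -> Optional[dict]:
    """Return a dict keyed like CommonSecurityLog columns, or None if the line
    carries no well-formed CEF header."""
    start = line.find("CEF:")
    if start < 0:
        return None
    split = _split_header(line[start + len("CEF:"):])
    if split is None:
        return None
    fields, extension = split
    record = dict(zip(HEADER_COLUMNS, fields))
    record["SyslogPrefix"] = line[:start].rstrip()  # collector-side syslog header
    record["Extension"] = extension                 # key=value pairs, left unparsed here
    return record


def sources_seen(lines) -> Counter:
    """Count messages per (DeviceVendor, DeviceProduct), i.e. the split Sentinel
    can make even though every line arrived via the same collector."""
    counts = Counter()
    for line in lines:
        record = parse_cef(line)
        if record is not None:
            counts[(record["DeviceVendor"], record["DeviceProduct"])] += 1
    return counts


if __name__ == "__main__":
    for (vendor, product), n in sorted(sources_seen(SAMPLE_LINES).items()):
        print(f"{vendor:<14} {product:<10} {n}")
```

The same split, once the data is in the workspace, is `CommonSecurityLog | summarize count() by DeviceVendor, DeviceProduct`; adding `Computer` to the `by` clause shows which collector each message came through, which is the quickest way to confirm a shared collector is not blurring the sources.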