cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Duplicate logs of CEF with Syslog

Qusai_Ismail
Brass Contributor

‎Feb 07 2023 05:25 AM

‎Feb 07 2023 05:25 AM

Duplicate logs of CEF with Syslog

Hello,

 

Is there a way to remove duplication of CommonSecurity and Syslog when Log collector Server is configured to forward CEF and Syslog.

for example F5 WAF firewall sending Syslog with CEF formate in facility Local0, which result to duplication.

We already configured the Log analytic Agent management to fetch the syslog of Local0, bcz there is different sources send with that facility. 

Is there a way to remove duplication when taken into account that we can't change it from the source system(F5 waf)

 

Thanks.

3,755 Views
0 Likes
11 Replies
Reply
11 Replies
Qusai_Ismail

‎Feb 07 2023 11:44 PM

‎Feb 07 2023 11:44 PM

Re: Duplicate logs of CEF with Syslog

Thanks, but this need to use Azure Monitor agent, not Log Analytic agent, yes?
Bcz we are using Log analytic agent (OMS agent)
0 Likes
Reply
mikhailf

‎Feb 08 2023 03:05 AM

‎Feb 08 2023 03:05 AM

Re: Duplicate logs of CEF with Syslog

@Qusai_Ismail 

 

I think you can use the data transformation with old Log Analytics agents as well. Because it is done on the Azure level and not on the log forwarder.

Transform or customize data at ingestion time in Microsoft Sentinel (preview) | Microsoft Learn

0 Likes
Reply
Qusai_Ismail

‎Feb 08 2023 11:32 PM

‎Feb 08 2023 11:32 PM

Re: Duplicate logs of CEF with Syslog

Thank you, we find a workaround and solve it by edit oms configuration (/etc/rsyslog.d/security-config-omsagent.conf) to

if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then {
@@127.0.0.1:25226
stop
}
1 Like
Reply
omryma

‎Mar 16 2023 04:11 AM

‎Mar 16 2023 04:11 AM

Re: Duplicate logs of CEF with Syslog

@Qusai_Ismail 

This workaround gets overwritten at some point by the azure sentinel no? 

0 Likes
Reply
Riddhi_Vamja

‎Jun 04 2023 10:49 PM

‎Jun 04 2023 10:49 PM

Re: Duplicate logs of CEF with Syslog

How does it get overwritten?
0 Likes
Reply
Riddhi_Vamja

‎Jun 04 2023 10:49 PM

‎Jun 04 2023 10:49 PM

Re: Duplicate logs of CEF with Syslog

Any issue observed after these changes?
0 Likes
Reply
Qusai_Ismail

‎Jun 05 2023 02:50 AM

‎Jun 05 2023 02:50 AM

Re: Duplicate logs of CEF with Syslog

Yes it's got overwritten by Sentinel configuration
0 Likes
Reply
Qusai_Ismail

‎Jun 05 2023 02:51 AM

‎Jun 05 2023 02:51 AM

Re: Duplicate logs of CEF with Syslog

Unfortunately ,it's got overwritten by Sentinel configuration
0 Likes
Reply
best response confirmed by Qusai_Ismail (Brass Contributor)
omryma

‎Jun 13 2023 03:01 AM

‎Jun 13 2023 03:01 AM

Solution

Re: Duplicate logs of CEF with Syslog

i got a solution that worked for me:
i've created a seperate machine used only for CEF logs - on that machine just make an IPTABLES that blocks port 25224.

sudo iptables -A INPUT -p udp --dport 25224 -j DROP
sudo iptables -A OUTPUT -p udp --dport 25224 -j DROP

0 Likes
Reply
Qusai_Ismail

‎Jun 13 2023 11:37 PM

‎Jun 13 2023 11:37 PM

Re: Duplicate logs of CEF with Syslog

Thank you, i will try this.
1 Like
Reply
1 best response

Accepted Solutions
best response confirmed by Qusai_Ismail (Brass Contributor)
omryma

‎Jun 13 2023 03:01 AM

‎Jun 13 2023 03:01 AM

Solution

Re: Duplicate logs of CEF with Syslog

i got a solution that worked for me:
i've created a seperate machine used only for CEF logs - on that machine just make an IPTABLES that blocks port 25224.

sudo iptables -A INPUT -p udp --dport 25224 -j DROP
sudo iptables -A OUTPUT -p udp --dport 25224 -j DROP

View solution in original post

0 Likes
Reply