Duplicate logs of CEF with Syslog




Is there a way to remove duplication of CommonSecurity and Syslog when Log collector Server is configured to forward CEF and Syslog.

for example F5 WAF firewall sending Syslog with CEF formate in facility Local0, which result to duplication.

We already configured the Log analytic Agent management to fetch the syslog of Local0, bcz there is different sources send with that facility. 

Is there a way to remove duplication when taken into account that we can't change it from the source system(F5 waf)



5 Replies
Thanks, but this need to use Azure Monitor agent, not Log Analytic agent, yes?
Bcz we are using Log analytic agent (OMS agent)



I think you can use the data transformation with old Log Analytics agents as well. Because it is done on the Azure level and not on the log forwarder.

Transform or customize data at ingestion time in Microsoft Sentinel (preview) | Microsoft Learn

Thank you, we find a workaround and solve it by edit oms configuration (/etc/rsyslog.d/security-config-omsagent.conf) to

if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then {


This workaround gets overwritten at some point by the azure sentinel no?