Duplicate logs of CEF with Syslog

Qusai_Ismail · ‎Feb 07 2023

Hello,

Is there a way to remove duplication of CommonSecurity and Syslog when Log collector Server is configured to forward CEF and Syslog.

for example F5 WAF firewall sending Syslog with CEF formate in facility Local0, which result to duplication.

We already configured the Log analytic Agent management to fetch the syslog of Local0, bcz there is different sources send with that facility.

Is there a way to remove duplication when taken into account that we can't change it from the source system(F5 waf)

Thanks.

mikhailf · ‎Feb 07 2023

Hello @Qusai_Ismail,

You can try Data collection transformations - Azure Monitor | Microsoft Learn.

Qusai_Ismail · ‎Feb 07 2023

Thanks, but this need to use Azure Monitor agent, not Log Analytic agent, yes?
Bcz we are using Log analytic agent (OMS agent)

mikhailf · ‎Feb 08 2023

@Qusai_Ismail

I think you can use the data transformation with old Log Analytics agents as well. Because it is done on the Azure level and not on the log forwarder.

Transform or customize data at ingestion time in Microsoft Sentinel (preview) | Microsoft Learn

Qusai_Ismail · ‎Feb 08 2023

Thank you, we find a workaround and solve it by edit oms configuration (/etc/rsyslog.d/security-config-omsagent.conf) to

if $rawmsg contains "CEF:" or $rawmsg contains "ASA-" then {
@@127.0.0.1:25226
stop
}

omryma · ‎Mar 16 2023

@Qusai_Ismail

This workaround gets overwritten at some point by the azure sentinel no?

Duplicate logs of CEF with Syslog

Duplicate logs of CEF with Syslog

Re: Duplicate logs of CEF with Syslog

Re: Duplicate logs of CEF with Syslog

Re: Duplicate logs of CEF with Syslog

Re: Duplicate logs of CEF with Syslog

Re: Duplicate logs of CEF with Syslog

Products (65)

Special Topics (44)

Video Hub (444)

Most Active Hubs

Most Active Hubs

Video Hub

Duplicate logs of CEF with Syslog