Log forwarder sending duplicate logs

Copper Contributor

I have two log forwarders sending logs to Sentinel. One is Logstash and the other is the Azure log forwarder I set up on Ubuntu.

Logstash was sending logs to the commonsecuritylogs_CL table and those were not being parsed, so that is the reason I set up the Azure log forwarder. I requested the client to send their network devices' logs only to the Azure log forwarder. They said they did so; however, I doubt that, because I am still receiving logs in the commonsecurity_CL table.

Question 1: 

How can I verify which log forwarder is sending logs to the commonsecuritylog table and which log forwarder is sending logs to the commonsecuritylog_CL table? I doubt that Logstash is sending logs to the commonsecurity_CL table, or maybe the Azure log forwarder is also sending logs to the commonsecurity_CL table (but I am not sure how to verify).


Question 2:

Is there a way to turn down the Logstash log forwarder from within the Sentinel portal?


1 Reply
Run the following KQL query to get the list of log forwarders (set the timeframe according to your need):

CommonSecurityLog
| distinct DeviceVendor
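As an added example (not the reply's own query), the following KQL groups both tables by the collecting host as well as the device vendor, so each table can be tied to the machine that forwarded it rather than only to the vendor of the device. It assumes the Logstash custom table is named CommonSecurityLog_CL and that its rows carry a Computer, CollectorHostName or DeviceVendor_s column; substitute the actual table and column names from your workspace.

```kql
// Added example, not from the original reply.
// Assumption: the Logstash-fed custom table is CommonSecurityLog_CL; replace with
// the real custom table name from the workspace schema.
// column_ifexists() tolerates either table lacking a column, and coalesce() picks
// the first non-empty value, so the query runs even if the custom table uses
// different field names (for example DeviceVendor_s instead of DeviceVendor).
union withsource = SourceTable CommonSecurityLog, CommonSecurityLog_CL
| where TimeGenerated > ago(7d)
// Host that forwarded the event: the Ubuntu Azure forwarder or the Logstash box.
| extend Collector = coalesce(column_ifexists("CollectorHostName", ""),
                              column_ifexists("Computer", ""))
| extend Vendor = coalesce(column_ifexists("DeviceVendor", ""),
                           column_ifexists("DeviceVendor_s", ""))
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by SourceTable, Collector, Vendor
| order by SourceTable asc, Events desc
```

A collector host that appears under both SourceTable values, or a vendor whose events keep arriving in the custom table with a recent LastSeen, shows that the device is still being sent through Logstash.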