Aug 18 2023 04:27 AM
I have two log forwarders sending logs to Sentinel. One is Logstash and the other one is an Azure log forwarder I set up on Ubuntu.
Logstash was sending logs to the commonsecuritylogs_CL table and those were not being parsed, so that's the reason I set up the Azure log forwarder. I requested the client to send their network devices' logs only to the Azure log forwarder. They said they did the same; however, I doubt that because I am still receiving logs in the commonsecurity_CL table.
Question 1:
How can I verify which log forwarder is sending logs to the commonsecuritylog table and which log forwarder is sending logs to the commonsecuritylog_CL table? I doubt that Logstash is sending logs to the commonsecurity_CL table, or maybe the Azure log forwarder is also sending logs to the commonsecurity_CL table (but I am not sure how to verify).
Question 2:
Is there a way to turn down the Logstash log forwarder from within the Sentinel portal?
Aug 21 2023 12:38 AM