SOLVED

Urgent !! CEF Syslog duplication Issue


Hi All,

I have configured a Fortinet integration with Azure Sentinel on the local7 facility. My current configuration is ingesting Fortinet logs into both the `CommonSecurityLog` and `syslog` tables. The number of logs is quite large, and the duplication may double the cost. Please help to fix this issue.

[Screenshot 2021-06-23 at 6.46.13 PM.png]

[Screenshot 2021-06-23 at 6.46.28 PM.png]

Actions tried:

 

1. Performed steps as mentioned in the documentation:

Using the same machine to forward both plain Syslog and CEF messages

If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the Syslog and CommonSecurityLog tables:

On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent for detailed instructions on how to do this.

You must run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Azure Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten.

    sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'

2. Tried removing syslog facilities on log analytics workspace => agent configuration => syslog

3 Replies
For option 2, did you press SAVE after making the change? After that point (as it won't delete already ingested data), are you still getting 'new' duplicates into the Syslog table?
Yes. I pressed the save button. What I observed was that the default /etc/rsyslog.conf contains the syslog facilities as well, which adds duplicate values in the syslog table. Also, whenever I remove the entries from 95-omsagent.conf for any facility as per the docs, they reappear in the conf file after 5 mins.
best response confirmed by Deepanshu_Marwah (Occasional Contributor)
Solution
Please take a look at https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux-troubleshoot#log-analytics-troubleshooting-tool and the note
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux-troubleshoot#important-configuration-files

Editing configuration files for performance counters and Syslog is overwritten if the collection is configured from the data menu Log Analytics Advanced Settings in the Azure portal for your workspace. To disable configuration for all agents, disable collection from Log Analytics Advanced Settings or for a single agent run the following:

    sudo /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable && sudo rm /etc/opt/omi/conf/omsconfig/configuration/Current.mof* /etc/opt/omi/conf/omsconfig/configuration/Pending.mof*
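To verify on the forwarder that the CEF facility is no longer also routed to the plain-Syslog collector (the root cause of the double ingestion discussed in this thread), here is an added check written for this page; it is not from the thread or from Microsoft's agent. It assumes the agent's default local ports 25224 (Syslog) and 25226 (CEF) and the rule format the agent writes into 95-omsagent.conf; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Microsoft's agent. It scans an
# rsyslog snippet such as /etc/rsyslog.d/95-omsagent.conf (the file the Log
# Analytics agent regenerates from the workspace Syslog settings) for rules
# that forward a facility to the agent's plain-Syslog port. If that facility
# also carries CEF (local7 in the thread), every CEF event is stored twice.
# Ports 25224 (Syslog) and 25226 (CEF) are the agent's defaults.

# Print how many non-comment rules in file $1 forward facility $2 to port $3
# (default 25224). Matches "local7.*" as well as the severity-list form
# "local7.=alert;local7.=crit;... @127.0.0.1:25224" that the agent writes.
count_syslog_rules() {
    file=$1; facility=$2; port=${3:-25224}
    grep -v '^[[:space:]]*#' "$file" \
      | grep -Ec "(^|;)${facility}\.[^[:space:]]*[[:space:]]+@{1,2}[^:[:space:]]+:${port}([[:space:]]|$)" \
      || true   # grep -c exits 1 when the count is 0; the count is still printed
}

# Print a verdict; return 1 when the facility is dual-routed, 0 when it is not.
check_cef_facility() {
    n=$(count_syslog_rules "$1" "$2" "${3:-25224}")
    if [ "$n" -gt 0 ]; then
        echo "DUPLICATE: $n rule(s) in $1 send $2 to port ${3:-25224}; remove $2 from the workspace Syslog facilities"
        return 1
    fi
    echo "OK: $2 is not forwarded to port ${3:-25224} in $1"
}

# Constructed sample resembling 95-omsagent.conf before the fix (not a real file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# OMS Syslog collection for workspace 00000000-0000-0000-0000-000000000000
auth.=alert;auth.=crit;auth.=err @127.0.0.1:25224
local7.=alert;local7.=crit;local7.=debug;local7.=emerg;local7.=err;local7.=info;local7.=notice;local7.=warning @127.0.0.1:25224
# local7.* @127.0.0.1:25224
EOF

# Constructed sample after local7 was removed from the workspace Syslog settings.
FIXED=$(mktemp)
grep -v '^local7\.' "$SAMPLE" > "$FIXED"

check_cef_facility "$SAMPLE" local7 || true   # DUPLICATE: 1 rule
check_cef_facility "$FIXED" local7            # OK
```

Run it against the real snippet after applying the portal change and disabling the OMS configuration sync; if the DUPLICATE verdict comes back after a few minutes, the agent is still rewriting the file from the workspace settings.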