Forum Discussion
RogerS
Jan 30, 2025, Copper Contributor
Cannot stop CEF duplication to syslog when both processed by same Linux VM
We have a situation where we are sending CEF records from FortiGate firewall to Microsoft Sentinel via Common Event Format (CEF) via AMA Data connector and we also use Syslog via AMA Data connector (...
luchete
Mar 02, 2025, Steel Contributor
Hi RogerS,
The issue is that the rsyslog is forwarding CEF logs to both destinations (AMA Data Connector and Syslog), causing duplication. The key is ensuring that rsyslog only forwards the logs to one destination and stops processing them after that.
Try updating the filter to make sure it properly stops processing after forwarding the logs. You can modify the configuration like this:
# Match CEF messages by the syslog program name and forward them once
if ($programname == "CEF") then {
    # Send to the local AMA CEF listener
    action(type="omfwd" Target="127.0.0.1" Port="28330" Protocol="tcp")
    # Discard the message so no later rule (such as the generic syslog forward) processes it again
    stop
}
This ensures that the CEF records are only forwarded once to the right destination.
Regards!
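A fuller rsyslog fragment showing where the stop has to sit relative to the catch-all rule, as an added example rather than code from this thread or from Microsoft's AMA setup. It assumes the AMA CEF listener at 127.0.0.1:28330 named in the answer above; the file name is hypothetical, and a local file stands in for the second, generic syslog destination because the real AMA-installed syslog rule and its file name vary by agent version.

```rsyslog
# /etc/rsyslog.d/05-cef-forward.conf  (hypothetical file name; rsyslog loads
# /etc/rsyslog.d/*.conf in lexical order, so this must sort BEFORE the rule
# that does the generic syslog forwarding, otherwise "stop" runs too late)

# Rule 1: CEF traffic. Forward once to the AMA CEF listener, then discard the
# message so that no rule evaluated after this one sees it.
if ($programname == "CEF") then {
    action(type="omfwd" target="127.0.0.1" port="28330" protocol="tcp")
    stop
}

# Rule 2: everything else goes to the generic syslog destination. A local file
# is used here as a constructed stand-in for the AMA syslog forwarder.
# CEF messages never reach this action because rule 1 already discarded them;
# without the "stop" above, every CEF record would be written here as well.
*.* action(type="omfile" file="/var/log/example-syslog-catchall.log")
```

Check the syntax with `rsyslogd -N1` before restarting the service, then emit one test record with `logger -t CEF "CEF:0|test|test|1|100|added example|3|"` and confirm it arrives at the CEF destination only. The `$programname == "CEF"` match assumes the firewall tags its messages with that program name; if it does not, matching on the message body with `if ($rawmsg contains "CEF:")` is the usual alternative.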