RogerS
Jan 30, 2025, Copper Contributor
Cannot stop CEF duplication to syslog when both processed by same Linux VM
We have a situation where we are sending CEF records from FortiGate firewall to Microsoft Sentinel via Common Event Format (CEF) via AMA Data connector and we also use Syslog via AMA Data connector (...
MHenshaw
Mar 03, 2025, Brass Contributor
Hey
You need to add this line of code to your Data collection rule for syslog; this will stop the duplicate data,
so you don't need to mess around with rsyslog : )
- "transformKql": " source\n | where ProcessName !contains \"CEF\"\n"
https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-overview?tabs=single
Thanks
Matt
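To show where that transformKql line actually sits, here is a minimal Data Collection Rule (DCR) body for the Syslog via AMA stream with the filter applied at ingestion time. This is an added example, not MHenshaw's or Microsoft's own configuration: the data source name, the facility and log-level lists, the destination name and the workspace resource ID are placeholders you would replace with your own values. The CEF connector's separate DCR (the one writing to the CommonSecurityLog table) is left untouched, so the FortiGate events still arrive once, through that path, while the Syslog table no longer receives the same lines tagged with the CEF process name.

```json
{
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "name": "sysLogsDataSource-example",
          "streams": ["Microsoft-Syslog"],
          "facilityNames": ["auth", "authpriv", "cron", "daemon", "kern", "syslog", "user", "local0"],
          "logLevels": ["Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RESOURCE_GROUP>/providers/Microsoft.OperationalInsights/workspaces/<WORKSPACE_NAME>",
          "name": "sentinelWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-Syslog"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source\n| where ProcessName !contains \"CEF\"\n"
      }
    ]
  }
}
```

After the updated DCR is associated with the VM and the agent has picked it up, a quick check in the workspace is `Syslog | where TimeGenerated > ago(1h) | where ProcessName contains "CEF" | count`, which should return 0, while `CommonSecurityLog | where TimeGenerated > ago(1h) | count` should still be climbing. Note that `!contains` is a case-insensitive substring match, so any process whose name happens to include "cef" would also be dropped from the Syslog table; if that is too broad for your hosts, narrow the filter to the exact process name you see in the duplicated rows.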