Forum Discussion
Deepanshu_Marwah
Jun 23, 2021 · Brass Contributor
Urgent!! CEF Syslog duplication issue
Hi All, I have configured a Fortinet integration with Azure Sentinel on the local7 facility. My current configuration is ingesting Fortinet logs into both the `CommonSecurityLog` and `Syslog` tables. ...
CliveWatson
Microsoft
Jun 23, 2021 · For option 2, did you press SAVE after making the change? After that point (as it won't delete already ingested data), are you still getting 'new' duplicates in the Syslog table?
- Deepanshu_Marwah · Jun 28, 2021 · Brass Contributor
Yes, I pressed the save button. What I observed was that the default /etc/rsyslog.conf contains the syslog facilities as well, which adds duplicate values in the Syslog table. Also, whenever I remove the entries from 95-omsagent.conf for any facility as per the docs, they reappear in the conf file after 5 minutes.
- CliveWatson · Jun 28, 2021 · Microsoft
Please take a look at https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux-troubleshoot#log-analytics-troubleshooting-tool and the note at
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux-troubleshoot#important-configuration-files

"Editing configuration files for performance counters and Syslog is overwritten if the collection is configured from the data menu Log Analytics Advanced Settings in the Azure portal for your workspace. To disable configuration for all agents, disable collection from Log Analytics Advanced Settings or for a single agent run the following: `sudo /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable && sudo rm /etc/opt/omi/conf/omsconfig/configuration/Current.mof* /etc/opt/omi/conf/omsconfig/configuration/Pending.mof*`"
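As an added example that is not part of the thread and not Microsoft's agent tooling: a POSIX shell check that reads the portal-managed `95-omsagent.conf`, lists the facilities it forwards to the agent's Syslog collector on `127.0.0.1:25224`, and reports which of them are also the facility the CEF device sends on (`local7` in this thread). A facility in that intersection is the source of the duplication: the same message is picked up by the CEF forwarding rule into `CommonSecurityLog` and by the Syslog collection into `Syslog`. The file path and port are the agent's defaults; the sample config lines are constructed to follow the selector layout the agent writes and are not copied from any real host.

```shell
#!/bin/sh
# Added example (not from the original thread): find syslog facilities that the
# OMS agent collects into the Syslog table AND that a CEF device sends on.
# Such facilities produce rows in both CommonSecurityLog and Syslog.

# Print the sorted, de-duplicated set of facilities whose selector action in an
# rsyslog conf file targets the OMS Syslog collector on 127.0.0.1:25224.
# A managed selector line looks like (layout assumed from the agent's defaults):
#   local7.=alert;local7.=crit;...;local7.=warning  @127.0.0.1:25224
oms_syslog_facilities() {
    conf="$1"
    grep -E '@127\.0\.0\.1:25224' "$conf" \
      | grep -v '^[[:space:]]*#' \
      | awk '{print $1}' \
      | tr ';' '\n' \
      | cut -d. -f1 \
      | sort -u
}

# Given a conf file and a list of facilities used for CEF traffic, print the
# facilities that are also collected into the Syslog table (one per line).
cef_syslog_overlap() {
    conf="$1"; shift
    collected="$(oms_syslog_facilities "$conf")"
    for f in "$@"; do
        if printf '%s\n' "$collected" | grep -qx "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Constructed stand-in for /etc/rsyslog.d/95-omsagent.conf (portal-managed).
# The workspace ID and selector lines are made up for this example.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# OMS Syslog collection for workspace 00000000-0000-0000-0000-000000000000
auth.=alert;auth.=crit;auth.=debug;auth.=emerg;auth.=err;auth.=info;auth.=notice;auth.=warning  @127.0.0.1:25224
local7.=alert;local7.=crit;local7.=debug;local7.=emerg;local7.=err;local7.=info;local7.=notice;local7.=warning  @127.0.0.1:25224
EOF

main() {
    # local7 is the facility from the post; local4 is included to show a
    # facility that is NOT collected into Syslog and so does not duplicate.
    overlap="$(cef_syslog_overlap "$SAMPLE_CONF" local7 local4)"
    if [ -n "$overlap" ]; then
        echo "Facilities collected into Syslog that also carry CEF (expect duplicates):"
        echo "$overlap"
        echo "Remove them from the workspace Syslog data source in the portal;"
        echo "local edits to 95-omsagent.conf are re-applied while the portal manages it."
    else
        echo "No overlap between Syslog collection and CEF facilities."
    fi
}

main
```

Run it on a real forwarder by replacing `SAMPLE_CONF` with `/etc/rsyslog.d/95-omsagent.conf` and passing the facility your CEF device is configured to use. Because the file is rewritten while the workspace's Syslog data source still lists the facility, the durable fix is to drop the facility in the portal (or disable agent management as in the reply above), not to edit the file.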