Forum Discussion
Deepanshu_Marwah
Jun 23, 2021 (Brass Contributor)
Urgent !! CEF Syslog duplication Issue
Hi All, I have configured a Fortinet integration with Azure Sentinel on the local7 facility. My current configuration is ingesting Fortinet logs in both the tables `CommonSecurityLog` and `syslog`. ...
- Jun 28, 2021: Please take a look at https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux-troubleshoot#log-analytics-troubleshooting-tool and the note at
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agent-linux-troubleshoot#important-configuration-files
"Editing configuration files for performance counters and Syslog is overwritten if the collection is configured from the data menu Log Analytics Advanced Settings in the Azure portal for your workspace. To disable configuration for all agents, disable collection from Log Analytics Advanced Settings or for a single agent run the following: `sudo /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable && sudo rm /etc/opt/omi/conf/omsconfig/configuration/Current.mof* /etc/opt/omi/conf/omsconfig/configuration/Pending.mof*`"
RogerS
Jan 28, 2025 (Copper Contributor)
I have created a new file in /etc/rsyslog.d/ called 10-filter-CEF.conf and I've tried all sorts of combinations to stop the CEF records from the Fortigate firewall being duplicated into the syslog, without success.
Some of the combinations I've tried are below; none of them seems to work. Help!!!
```
# Attempts 1-5: classic property-based filters writing CEF to a file, then stop
#:programname, contains, "CEF" /var/log/CEF.log
#& stop
#:hostname, contains, "prdvmfwall01" /var/log/CEF.log
#& stop
#:msg, contains, "prdvmfwall01 CEF" /var/log/CEF.log
#& stop
#:msg, contains, "0|Fortinet|Fortigate|" /var/log/CEF.log
#& stop
#:rawmsg, contains, "CEF:" /var/log/CEF.log
#& stop
# Attempt 6: "~" is the deprecated discard action (same effect as "stop")
#:rawmsg, contains, "CEF:" ~
#if ($rawmsg contains "CEF:") then stop
# Attempt 8 as written is not valid RainerScript: the "if (...)" is missing
# before the condition, so rsyslog would reject this line
#$rawmsg contains "CEF:" then @@127.0.0.1:25226
#& stop
#:msg, contains, "CEF:" ~
# Currently active rule: drop anything tagged CEF or containing "CEF:"
if ($programname == "CEF" or $rawmsg contains "CEF:") then stop
#if ($rawmsg contains "CEF:") then stop
```
RogerS
Jan 30, 2025 (Copper Contributor)
I'm now getting closer.
I've created a file /etc/rsyslog.d/05-filter-CEF.conf that contains the following:
```
# Forward messages tagged CEF to the agent's TCP listener, then stop processing
if ($programname == "CEF") then @@127.0.0.1:28330
& stop
```
By doing this I still get CEF records in the syslog.
As suggested by some other articles, I changed the port to 25226, but then I don't get CEF records in syslog or CommonSecurityLog.
Please, can anybody help?
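As an added example (not code from the thread, and not Microsoft's agent code), here is a small static check that reads rsyslog drop-in files in the order rsyslog includes them and reports any facility whose messages reach more than one local collector port, which is the situation behind both the original question (local7 landing in `CommonSecurityLog` and `Syslog`) and RogerS's experiments with filter files and ports. It assumes rsyslog includes /etc/rsyslog.d/*.conf in sorted order, so a `& stop` only helps if its file sorts before the agent's forward rule. The sample file contents, the file names and the 25224 plain-syslog port are constructed for the example; 25226 and 28330 are the ports named in the thread.

```python
"""Static check: which local collector ports does each syslog facility reach?

Added example, not code from the thread or from any agent.  Assumption:
rsyslog includes /etc/rsyslog.d/*.conf in sorted order, so file names decide
whether "& stop" runs before a later forward.  Simplifications: severity
thresholds are ignored (local7.debug is treated like local7.*), only ".none"
excludes a facility, and RainerScript "if (...) then" rules are reported as
unresolved because their match depends on message properties, not facility.
"""
import glob
import os
import re

# Classic selector + forward action, e.g. "local7.* @@127.0.0.1:28330"
SELECTOR_RE = re.compile(r'^([\w*,;.]+)\s+@@?([\w.\-]+):(\d+)\s*$')
# RainerScript property filter with a forward, or with a bare stop
RAINER_FWD_RE = re.compile(r'^if\s*\(.*\)\s*then\s+@@?([\w.\-]+):(\d+)\s*$')
RAINER_STOP_RE = re.compile(r'^if\s*\(.*\)\s*then\s+stop\s*$')
# "& stop" (or the deprecated "& ~") applies to the preceding rule
STOP_RE = re.compile(r'^&\s*(stop|~)\s*$')


def selector_facilities(selector):
    """'kern,user.warning;local7.none' -> ({'kern','user'}, {'local7'})"""
    include, exclude = set(), set()
    for part in selector.split(';'):
        facs, _, pri = part.rpartition('.')
        names = {f.strip() for f in facs.split(',')}
        (exclude if pri == 'none' else include).update(names)
    return include, exclude


def parse_rules(files):
    """files: {filename: content}.  Returns (file, facs, port, stop, text)
    tuples in evaluation order; facs is None for property-based filters."""
    rules = []
    for name in sorted(files):  # sorted: the order rsyslog includes them
        for raw in files[name].splitlines():
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            if STOP_RE.match(line):
                if rules:  # mark the previous rule as terminating
                    f, facs, port, _, text = rules[-1]
                    rules[-1] = (f, facs, port, True, text)
                continue
            m = SELECTOR_RE.match(line)
            if m:
                rules.append((name, selector_facilities(m.group(1)),
                              int(m.group(3)), False, line))
                continue
            m = RAINER_FWD_RE.match(line)
            if m:
                rules.append((name, None, int(m.group(2)), False, line))
                continue
            if RAINER_STOP_RE.match(line):
                rules.append((name, None, None, True, line))
    return rules


def rule_matches(facs, facility):
    if facs is None:  # property filter: cannot be resolved statically
        return False
    include, exclude = facs
    return facility not in exclude and ('*' in include or facility in include)


def route(rules, facility):
    """Collector ports a message of this facility reaches, honouring stop."""
    ports = []
    for _, facs, port, stop, _ in rules:
        if rule_matches(facs, facility):
            ports.append(port)
            if stop:
                break
    return ports


def duplicated_facilities(rules, facilities):
    """Facilities that end up on more than one collector port."""
    dup = {}
    for fac in facilities:
        ports = route(rules, fac)
        if len(set(ports)) > 1:
            dup[fac] = ports
    return dup


def property_rules(rules):
    """Rules this check cannot resolve; verify them with a real test message."""
    return [(f, text) for f, facs, _, _, text in rules if facs is None]


def load_dir(path='/etc/rsyslog.d'):
    """Read a live drop-in directory into the {filename: content} shape."""
    return {os.path.basename(p): open(p).read()
            for p in glob.glob(os.path.join(path, '*.conf'))}


# Constructed samples (file names and contents are assumptions, not agent output).
LEGACY = {  # same facility forwarded to the syslog port and the CEF port
    "95-omsagent.conf": "kern.warning @127.0.0.1:25224\nlocal7.* @127.0.0.1:25224\n",
    "security-config-omsagent.conf": "local7.debug @127.0.0.1:25226\n",
}
FIXED = {  # CEF facility forwarded first, then stopped before the syslog forward
    "05-cef.conf": "local7.* @127.0.0.1:25226\n& stop\n",
    "95-omsagent.conf": "kern.warning @127.0.0.1:25224\nlocal7.* @127.0.0.1:25224\n",
}
AMA = {  # RogerS's property filter ahead of a catch-all forward to one port
    "05-filter-CEF.conf": 'if ($programname == "CEF") then @@127.0.0.1:28330\n& stop\n',
    "10-agent-forward.conf": "*.* @@127.0.0.1:28330\n",
}

if __name__ == "__main__":
    for label, files in (("legacy", LEGACY), ("fixed", FIXED), ("ama", AMA)):
        rules = parse_rules(files)
        print(label, "duplicates:", duplicated_facilities(rules, ["local7", "kern"]),
              "unresolved:", property_rules(rules))
```

Run against `load_dir()` on the collector to see the live picture. Two caveats follow from the thread itself: in the legacy layout the agent regenerates its own drop-in from the workspace's Syslog settings (the note quoted in the first reply), so a hand-written file is only a durable fix if the overlapping facility is also removed from that collection; and a property filter such as `$programname == "CEF"` cannot be judged statically, so check it with `rsyslogd -N1` for syntax and then send one test message and confirm which table it lands in.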