articles/sentinel/cef-syslog-ama-overview.md
Lines changed: 7 additions & 7 deletions
@@ -5,7 +5,7 @@ author: yelevin
5
5
ms.author: yelevin
6
6
ms.topic: concept-article
7
7
ms.custom: linux-related-content
8
-
ms.date: 06/27/2024
8
+
ms.date: 07/12/2024
9
9
#Customer intent: As a security operator, I want to understand how Microsoft Sentinel collects Syslog and CEF messages with the Azure Monitor Agent so that I can determine if this solution fits my organization's needs.
10
10
---
11
11
@@ -95,17 +95,17 @@ Using the same facility for both Syslog and CEF messages might result in data in
95
95
96
96
To avoid this scenario, use one of these methods:
97
97
98
-
-**If the source device enables configuration of the target facility**: On each source machine that sends logs to the log forwarder in CEF format, edit the Syslog configuration file to remove the facilities used to send CEF messages. This way, the facilities sent in CEF aren't also be sent in Syslog. Make sure that each DCR you configure in the next steps uses the relevant facility for CEF or Syslog respectively.
98
+
-**If the source device enables configuration of the target facility**: On each source machine that sends logs to the log forwarder in CEF format, edit the Syslog configuration file to remove the facilities used to send CEF messages. This way, the facilities sent in CEF aren't also be sent in Syslog. Make sure that each DCR you configure uses the relevant facility for CEF or Syslog respectively.
99
99
100
100
To see an example of how to arrange a DCR to ingest both Syslog and CEF messages from the same agent, go to [Syslog and CEF streams in the same DCR](connect-cef-syslog-ama.md?tabs=api#syslog-and-cef-streams-in-the-same-dcr).
101
101
102
-
-**If changing the facility for the source appliance isn't applicable**: Use an ingest time transformation to filter out CEF messages from the Syslog stream to avoid duplication, as shown in the following query example.
102
+
-**If changing the facility for the source appliance isn't applicable**: After you create the DCR, add ingestion time transformation to filter out CEF messages from the Syslog stream to avoid duplication. On the DCR in the Azure portal, select **Export template** > **Edit template**. Add KQL transformation to filter out CEF messages similar to the following example:
103
103
104
-
```kusto
105
-
source |
106
-
where ProcessName !contains "CEF"
104
+
```json
105
+
"transformKql": " source\n | where ProcessName !contains \"CEF\"\n"
107
106
```
108
-
107
+
For more information, see [Tutorial: Edit a data collection rule (DCR)](../azure-monitor/essentials/data-collection-rule-edit.md).
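Review bot: The rewritten "If the source device enables configuration of the target facility" bullet still carries the grammatical slip "the facilities sent in CEF aren't also be sent in Syslog"; since the line is already being changed, drop the stray "be" ("aren't also sent in Syslog"). In the second bullet, "add ingestion time transformation" and "Add KQL transformation" both need an article ("add an ingestion-time transformation", "Add a KQL transformation"). The new `json` block shows `"transformKql"` on its own, but in an exported DCR template that property sits inside an entry of the `dataFlows` array, and the reader has to attach it to the data flow that carries the Syslog stream (the one being filtered), not the CEF stream; one sentence saying where to paste it, or showing the enclosing data-flow object, would prevent the transformation being applied to the wrong stream and silently dropping CEF events.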