Merge pull request #280773 from cwatson-cat/patch-39

prmerger-automator[bot] · web-flow · commit e72e0b92ce6a · 2024-07-25T18:41:38.000Z
Syslog/CEF AMA - upd dedup section w/ info about transformKQL
diff --git a/articles/sentinel/cef-syslog-ama-overview.md b/articles/sentinel/cef-syslog-ama-overview.md
@@ -5,7 +5,7 @@ author: yelevin
 ms.author: yelevin
 ms.topic: concept-article
 ms.custom: linux-related-content
-ms.date: 06/27/2024
+ms.date: 07/12/2024
 #Customer intent: As a security operator, I want to understand how Microsoft Sentinel collects Syslog and CEF messages with the Azure Monitor Agent so that I can determine if this solution fits my organization's needs.  
 ---
 
@@ -95,17 +95,16 @@ Using the same facility for both Syslog and CEF messages might result in data in
 
 To avoid this scenario, use one of these methods:
 
-- **If the source device enables configuration of the target facility**: On each source machine that sends logs to the log forwarder in CEF format, edit the Syslog configuration file to remove the facilities used to send CEF messages. This way, the facilities sent in CEF aren't also be sent in Syslog. Make sure that each DCR you configure in the next steps uses the relevant facility for CEF or Syslog respectively.
+- **If the source device enables configuration of the target facility**: On each source machine that sends logs to the log forwarder in CEF format, edit the Syslog configuration file to remove the facilities used to send CEF messages. This way, the facilities sent in CEF aren't also be sent in Syslog. Make sure that each DCR you configure uses the relevant facility for CEF or Syslog respectively.
 
     To see an example of how to arrange a DCR to ingest both Syslog and CEF messages from the same agent, go to [Syslog and CEF streams in the same DCR](connect-cef-syslog-ama.md?tabs=api#syslog-and-cef-streams-in-the-same-dcr).
 
-- **If changing the facility for the source appliance isn't applicable**: Use an ingest time transformation to filter out CEF messages from the Syslog stream to avoid duplication, as shown in the following query example.
+- **If changing the facility for the source appliance isn't applicable**: After you create the DCR, add ingestion time transformation to filter out CEF messages from the Syslog stream to avoid duplication. See [Tutorial: Edit a data collection rule (DCR)](../azure-monitor/essentials/data-collection-rule-edit.md). Add KQL transformation similar to the following example:
 
-    ```kusto
-    source |
-    where ProcessName !contains "CEF"
+    ```json
+    "transformKql": "  source\n    |  where ProcessName !contains \"CEF\"\n"
     ```
-
+ 
 ## Next steps
 
 > [!div class="nextstepaction"]
