I am using this to stream events to Azure Sentinel. I noticed that this sends events via the syslog facility user and priority notice, which is used by a lot of different applications for logging.
Per the Azure Sentinel duplication avoidance article, it is recommended to send CEF logs via its own facility in order to avoid duplication of event logs. Basically, in cases where you are using a machine to forward both Syslog and CEF formatted logs, you carve out a facility to use for only CEF, so they do not appear in both the CEF and Syslog tables.
I found a workaround by modifying the adapters/cef.py and adapters/cef2.py to do this in the code. For example:
```python
# Syslog settings
SYSLOG_FACILITY_USER = 16
SYSLOG_PRIORITY_NOTICE = 5
# Calc and save the syslog numeric (do not change, gets calculated)
SYSLOG_NUMERIC = (SYSLOG_FACILITY_USER << 3 | SYSLOG_PRIORITY_NOTICE)
```
The previous value for SYSLOG_FACILITY_USER was 1, which is "user". Changing this to 16 will make it come in at local0.
I would like to raise a feature request to have this set by the estreamer.conf file to make it easier to manage.
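The PRI arithmetic behind the workaround above, as an added example (not code from the eNcore project or from the issue author): it computes the `<PRI>` value the same way the adapter's `SYSLOG_NUMERIC` does, decodes a received line back into facility and severity, and flags whether a CEF message arrived on a dedicated local-use facility (local0..local7, facilities 16..23) rather than the shared `user` facility. The hostname, timestamp and CEF payload in the sample line are constructed values.

```python
import re

# Facility and severity codes as numbered in RFC 5424 section 6.2.1
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    **{16 + i: f"local{i}" for i in range(8)},  # local0..local7
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
LOCAL_USE = range(16, 24)  # the facilities normally carved out for a single log source

def syslog_pri(facility: int, severity: int) -> int:
    """PRI = facility * 8 + severity; identical to the adapter's SYSLOG_NUMERIC."""
    if facility not in FACILITY_NAMES or not 0 <= severity <= 7:
        raise ValueError(f"invalid facility/severity: {facility}/{severity}")
    return (facility << 3) | severity

def decode_pri(pri: int) -> tuple:
    """Inverse of syslog_pri: (facility name, severity name)."""
    return FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 0x7]

def build_syslog_line(facility: int, severity: int, timestamp: str, host: str, cef: str) -> str:
    """RFC 3164-style line as a forwarder receives it: <PRI>timestamp host payload."""
    return f"<{syslog_pri(facility, severity)}>{timestamp} {host} {cef}"

_PRI_RE = re.compile(r"^<(\d{1,3})>(.+)$")

def classify_line(line: str) -> dict:
    """Decode a received line and report whether a CEF payload is on a dedicated facility.

    dedicated=False means the message shares the 'user' facility (or another general one)
    with every other application on the host, which is the duplication case the
    Sentinel guidance warns about."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("not a syslog line with a <PRI> header")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": facility,
        "severity": severity,
        "is_cef": " CEF:0|" in m.group(2),
        "dedicated": (pri >> 3) in LOCAL_USE,
    }

# Constructed sample payload; field values are illustrative only
SAMPLE_CEF = "CEF:0|Vendor|Product|1.0|100|Sample event|5|src=10.0.0.1 dst=10.0.0.2"
```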