Filtering Logs

Gary S 0 Reputation points
2025-02-21T01:46:21.6366667+00:00

We have an rsyslog server on prem that we are sending on-premise firewall, switch and load balancer logs to. We are using the Cisco FTD connector for our firewalls and the regular syslog one for everything else. The problem I am having is that the FTD logs are showing up in the CommonSecurityLog table as expected with the Cisco FTD connector, but they are also showing up in the Syslog table in Sentinel.

Is there a way I can prevent the FTD logs from going into the Syslog table?

Thanks

Microsoft Sentinel

2 answers

  1. Luis Arias 7,941 Reputation points
    2025-02-21T17:16:13.0333333+00:00

    Hello Gary S,

    It looks like the logs are being duplicated in both tables. As I understand it, the rsyslog server collects logs from firewalls, switches, and load balancers, and the Cisco FTD firewall logs are being sent to both:

    Cisco FTD Connector in Sentinel → Logs go to CommonSecurityLog (expected ✅).

    rsyslog Server → Sentinel Syslog Data Collector → Logs also go to Syslog (duplicate ❌).

    This results in FTD logs appearing in both CommonSecurityLog and Syslog tables, creating duplication.

    To solve this problem you can modify rsyslog on the server to stop forwarding FTD logs to Sentinel’s Syslog collector. High level of the steps:

    1. Edit the rsyslog config on the rsyslog server, e.g. vim /etc/rsyslog.d/50-default.conf
    2. Add a rule to drop FTD logs:
         if $fromhost-ip == 'FTD_IP_ADDRESS' then { stop }
    3. sudo systemctl restart rsyslog
    4. Verify in Sentinel:
         Syslog | where Hostname == "FTD_DEVICE_NAME" | take 10

    Another option is to use a different syslog server only for the Cisco firewall syslog and stop sending it to the same rsyslog server. This avoids the extra complexity of filtering syslog messages. Additional references:

    If the information helped address your question, please Accept the answer.

    Luis
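The rsyslog-side filter from the answer above, written out as a complete drop-in file. This is an added example, not configuration from the original thread; the file name, the FTD management address 192.0.2.10 and the host names are assumptions. It relies on two things a practitioner should check before using it: rsyslog processes the files under /etc/rsyslog.d in lexical order, so the filter file must sort before the file that holds the forwarding action to the Azure Monitor Agent or it will never see the message first; and `stop` discards the message for every later rule on that host, so if the Cisco FTD (CEF) connector's messages also pass through this same rsyslog instance on their way to the agent, this rule removes them from CommonSecurityLog as well, which is why filtering on the Sentinel side with a data collection rule transform is the safer choice when one collector serves both connectors.

```rsyslog
# /etc/rsyslog.d/05-drop-ftd-from-syslog.conf   (assumed file name)
#
# Added example: keep Cisco FTD messages out of the generic syslog forward.
# The "05-" prefix makes this file load before the forwarding action file,
# which is required because "stop" only affects rules evaluated after it.

# Assumed FTD management IP. $fromhost-ip is the sender address as seen by
# rsyslog, so this also works when the device does not set a hostname.
if $fromhost-ip == "192.0.2.10" then {
    stop
}

# Assumed device host names as they appear in the syslog header. Useful when
# several firewalls sit behind one forwarding address.
if $hostname == "ftd01" or $hostname == "ftd02" then {
    stop
}

# Assumed message marker: Cisco FTD messages carry a "%FTD-<sev>-<id>:" prefix.
# Content matching catches messages that arrive from an unexpected source.
if $msg contains "%FTD-" then {
    stop
}

# Validate the syntax before restarting the daemon:
#   sudo rsyslogd -N1
#   sudo systemctl restart rsyslog
```

Each `if` is an independent filter; keep only the condition that matches how the FTD actually reaches this server, since every extra rule costs a string compare per incoming message.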


  2. Gary S 0 Reputation points
    2025-03-04T15:00:09.47+00:00

    @SrideviM

    The fix to keep the FTD logs in the CommonSecurityLog table and all the other logs in the Syslog table was setting a transform inside the data collection rules to prevent logs that contained FTD from going into the Syslog table.

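The accepted fix above is an ingestion-time transform on the Syslog data collection rule rather than a change on the collector. The fragment below is an added example of what that looks like in the DCR resource, not the original poster's rule: the facility list, the workspace placeholder, the `%FTD-` message prefix and the host names are assumptions. The only security-relevant line is `transformKql`, which runs against each incoming row of the Microsoft-Syslog stream before it is written; rows that the `where` clause drops never reach the Syslog table, while the CEF stream feeding CommonSecurityLog is untouched because it has its own data flow.

```json
{
  "properties": {
    "dataSources": {
      "syslog": [
        {
          "name": "syslogDataSource",
          "streams": ["Microsoft-Syslog"],
          "facilityNames": ["auth", "authpriv", "daemon", "local0", "local4"],
          "logLevels": ["Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "name": "sentinelWorkspace",
          "workspaceResourceId": "<workspace-resource-id>"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": ["Microsoft-Syslog"],
        "destinations": ["sentinelWorkspace"],
        "transformKql": "source | where not(SyslogMessage has \"%FTD-\" or HostName in (\"ftd01\", \"ftd02\"))"
      }
    ]
  }
}
```

Note that `HostName` in the Syslog stream is the device name from the syslog header, whereas `Computer` is the collector running the agent; filtering on `Computer` would drop every message the rsyslog server forwards. After the rule is updated, a query such as `Syslog | where TimeGenerated > ago(1h) | where SyslogMessage has "%FTD-" | count` should return zero while CommonSecurityLog keeps receiving the Cisco events.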
