Filtering Logs

Gary S 0 Reputation points
2025-02-21T01:46:21.6366667+00:00

We have a rsyslog server on prem that we are sending on premise firewall, switch and load balancer logs to. We are using the Cisco FTD connector for our firewalls and the regular syslog on for everything else. Problem I am having is that the FTD logs are showing up in the CommonSecurityLog table as expected with the Cisco FTD connector but they are also showing up in the Syslog table in Sentinel.

Is there a way I can prevent the FTD logs from going into the Syslog table?

Thanks


1 answer

  1. Luis Arias 7,861 Reputation points
    2025-02-21T17:16:13.0333333+00:00

    Hello Gary S,

    It looks like the logs are being duplicated in both tables. In that case, I understand that the rsyslog server collects logs from firewalls, switches, and load balancers. The Cisco FTD firewall logs are being sent to both:

    Cisco FTD Connector in Sentinel → Logs go to CommonSecurityLog (expected ✅).

    rsyslog Server → Sentinel Syslog Data Collector → Logs also go to Syslog (duplicate ❌).

    This results in FTD logs appearing in both CommonSecurityLog and Syslog tables, creating duplication.

    To solve this problem you can modify rsyslog on the server to stop forwarding FTD logs to Sentinel’s Syslog collector. High level of the steps:

    1. Edit the rsyslog config on the rsyslog server, e.g. vim /etc/rsyslog.d/50-default.conf
    2. Add a rule to drop FTD logs:
         if $fromhost-ip == 'FTD_IP_ADDRESS' then { stop }
    3. sudo systemctl restart rsyslog
    4. Verify in Sentinel:
         Syslog | where Hostname == "FTD_DEVICE_NAME" | take 10

    Another option is to use a different syslog server only for the Cisco firewall syslog and stop sending to the same rsyslog server. This avoids the extra complexity of filtering syslog messages.

    Additional references:

    If the information helped address your question, please Accept the answer.

    Luis
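As an added example that is not part of the answer above, the following script applies the same rsyslog drop rule but also handles the one detail that most often makes this fix silently fail: rsyslog includes /etc/rsyslog.d/*.conf in lexical order, so a `stop` placed in 50-default.conf is evaluated after the Azure Monitor Agent forwarding rule has already sent the message to Sentinel. The script therefore writes the rule to a file that sorts before the agent's forwarding file, refuses to proceed if it would not, and validates the configuration with `rsyslogd -N1` before restarting. The file name 10-azuremonitoragent-omfwd.conf, the 05-drop-ftd.conf name, and the 192.0.2.x addresses are assumptions and placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not the original answer's code.
# Assumptions (not from the page):
#   - rsyslog loads /etc/rsyslog.d/*.conf in lexical order, so the drop rule
#     must be in a file that sorts BEFORE the Sentinel/AMA forwarding file.
#   - The AMA forwarding file is named 10-azuremonitoragent-omfwd.conf
#     (override AMA_FWD_FILE if your installation uses a different name).
#   - FTD source addresses passed on the command line are placeholders.

RSYSLOG_D="${RSYSLOG_D:-/etc/rsyslog.d}"
DROP_FILE="${DROP_FILE:-05-drop-ftd.conf}"
AMA_FWD_FILE="${AMA_FWD_FILE:-10-azuremonitoragent-omfwd.conf}"

# Emit one RainerScript rule per FTD source IP. "stop" ends processing for
# that message, so the omfwd action that feeds the Syslog table never sees it.
# The CommonSecurityLog path (CEF/FTD connector) is unaffected by this file.
render_drop_rules() {
    printf '# Generated: stop Cisco FTD messages before they reach the Sentinel forwarder\n'
    for ip in "$@"; do
        printf "if \$fromhost-ip == '%s' then { stop }\n" "$ip"
    done
}

# Return 0 when the drop file sorts before the forwarder file (rule evaluated
# first), 1 otherwise. Uses the C locale so ordering matches rsyslog's glob.
drop_rule_precedes_forwarder() {
    first=$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort | head -n 1)
    [ "$1" != "$2" ] && [ "$first" = "$1" ]
}

# Write the rule file, check the full rsyslog config, then restart the daemon.
install_drop_rules() {
    if ! drop_rule_precedes_forwarder "$DROP_FILE" "$AMA_FWD_FILE"; then
        echo "refusing: $DROP_FILE would load after $AMA_FWD_FILE, rule would be ineffective" >&2
        return 1
    fi
    render_drop_rules "$@" > "$RSYSLOG_D/$DROP_FILE" || return 1
    # -N1 parses the whole configuration without starting the daemon.
    if ! rsyslogd -N1 >/dev/null 2>&1; then
        echo "rsyslog configuration check failed; not restarting" >&2
        return 1
    fi
    systemctl restart rsyslog
}

# Usage (as root; placeholder addresses):
#   install_drop_rules 192.0.2.10 192.0.2.11
```

After the restart, the KQL check from the answer (`Syslog | where Hostname == "FTD_DEVICE_NAME" | take 10`) should return nothing for new events, while the same device's events continue to arrive in CommonSecurityLog. If they still appear in Syslog, run `ls /etc/rsyslog.d` and confirm the drop file really sorts before whichever file carries the forwarding action on your host.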

