You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Right now, it looks like the log facility is set in estreamer/adapters/cef.py. It would be nice to have this as an option in the configuration to make it easily modifiable.
# Syslog settingsSYSLOG_FACILITY_USER=1SYSLOG_PRIORITY_NOTICE=5# Calc and save the syslog numeric (do not change, gets calculated)SYSLOG_NUMERIC= (SYSLOG_FACILITY_USER<<3|SYSLOG_PRIORITY_NOTICE)
One use case is that in Microsoft Sentinel, the log level is used in Data Collection Rules to specify how logs are handled. By default, these come in under log facility user--which is the same as a lot of other log sources. Without having to spin up another collector, you can split up the parsing by specifying which log levels are applied to a data collection rule.
For example, you can have 1 Azure Monitor Agent collector that takes in Syslog on all facilities, but use a normally unused facility to split off the Common Event Format logs. For example, you may have a data collection rule that looks at local6 which is then tied to Sentinel's CEF ingest which will make them searchable. You may want to carve out CEF into their own facility so they are only captured once. If you have a data collection rule that looks at all facilities, and another that looks for the same information but passes it through the CEF ingest, CEF messages will be in duplicate tables (CommonSecurityLog and Syslog).
The text was updated successfully, but these errors were encountered:
Right now, it looks like the log facility is set in estreamer/adapters/cef.py. It would be nice to have this as an option in the configuration to make it easily modifiable.
One use case is that in Microsoft Sentinel, the log level is used in Data Collection Rules to specify how logs are handled. By default, these come in under log facility user--which is the same as a lot of other log sources. Without having to spin up another collector, you can split up the parsing by specifying which log levels are applied to a data collection rule.
For example, you can have 1 Azure Monitor Agent collector that takes in Syslog on all facilities, but use a normally unused facility to split off the Common Event Format logs. For example, you may have a data collection rule that looks at local6 which is then tied to Sentinel's CEF ingest which will make them searchable. You may want to carve out CEF into their own facility so they are only captured once. If you have a data collection rule that looks at all facilities, and another that looks for the same information but passes it through the CEF ingest, CEF messages will be in duplicate tables (CommonSecurityLog and Syslog).
The text was updated successfully, but these errors were encountered: