This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi there,
I have a DCR configured to collect incoming Palo Alto CEF logs and forward them to Sentinel.
The DCR allows only one facility, which tcpdump verifies is the incoming CEF logs:
The DCR was enabled from within Sentinel so it is correctly collecting the CEF logs and I can see them in the CommonSecurityLog table and in tcpdump:
However the logs are also being sent to the Syslog table, with the CEF header extracted.
There is nothing being forwarded from 50-default.conf:
I don't want these duplicate CEF logs in the Syslog table.
The DCR seems ok.
There is nothing in the rsyslog configuration files I can that would be causing this.
Thoughts?
I wanted to check in and see if you had any other questions or if the answers below helped to resolve your issue?
Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Figured it out, it was a second DCR.
very odd though since that ama host wasn't associated with one of the 2 DCRs and the one it wasn't associated with was the 'good' DCR.
Anyways I deleted the other DCR and no more duplicates.
Finding the culprit was a bit tricky so I blogged about it here:
Do you possibly have the MMA and AMA agent running at the same time? Check the workspace to see if Syslog is flagged in the Legacy Agents Management section.
There is also a note about duplication in Syslog setup instructions: https://learn.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script
I have this running in my lab with no duplication.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
@David Broggy I'm glad that you were able to resolve your issue and thank you for posting your solution with the detailed steps so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer.
Issue: Palo alto CEF logs are duplicating to both Syslog and CommonSecurityLog tables
Solution:
Resolved by @David Broggy detailed troubleshooting steps have been documented in his blog - https://simple-security.ca/2023/08/03/linux-ama-syslog-agents-how-to-identify-dcrs-that-are-causing-duplicate-data-collection/
Also, will check with our team and get these steps documented in our docs (KB)
Thank you again for your time and patience throughout this issue.
Please remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution.