Fortinet Connector or CEF AMA Connector? - Sentinel

rob wood 41 Reputation points
2024-02-29T15:03:56.91+00:00

Hello, the client has the Fortinet connector but is having to filter logging so that the log ingestion is not massively costly. I'm sure we could achieve better results using the CEF AMA connector to filter out the security logs from syslog, but I'm not sure what to configure on the data collection rule as I have little to no experience of syslog and Linux. Would appreciate some direction here please, including which logs to collect and the logging level.

Regards,
Rob


4 answers

  1. Sedat SALMAN 13,160 Reputation points
    2024-02-29T16:10:15.8166667+00:00

    In short:

    The Fortinet Connector can parse Fortinet-specific fields and events, but the CEF AMA Connector supports CEF and it is cost-effective, as filtering happens pre-ingestion.

    At first:

    Generally, the selection is based on the log source and what you need.

    If you need the most detailed Fortinet-specific fields and analysis out of the box, the Fortinet Connector could be a better fit.

    If cost-effectiveness is the top priority, the CEF AMA Connector might be preferable due to its pre-ingestion filtering capabilities.

    If your team has expertise with Syslog and Linux, setting up the CEF AMA Connector will likely be more manageable.


  2. Sedat SALMAN 13,160 Reputation points
    2024-03-07T04:48:40.0733333+00:00

    As for your comment, this is about which logs you want to collect and at which level.

    I have added a link explaining what those facilities are under syslog:

    https://debian-handbook.info/browse/stable/sect.syslog.html

    But for example:

    Do you want to collect user logs, and at which level (all messages, just error messages, or warnings also)?

    We have several log levels like info, warning, crit, error.

    If you need just critical, go with log_crit; if you need all, go with log_info.

    The selection and level are completely up to your requirements.

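The facility/level selection described in the answer above is what a data collection rule applies on the AMA host before anything is sent to the workspace. The following is an added illustration, not code from the thread or from Microsoft: it decodes the syslog PRI header (facility * 8 + severity) on constructed sample lines and keeps only the facilities and minimum levels you choose, so you can see how "log_crit" versus "log_info" changes what survives. The `local4` facility and the CEF payloads are assumptions for the sample only.

```python
import re

# Facility and severity names in syslog PRI order (RFC 5424, section 6.2.1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) names for a raw syslog line, or None if no valid PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the highest legal PRI
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def keep(line, rule):
    """rule maps facility -> minimum severity to keep ('info' keeps nearly everything,
    'crit' keeps only crit/alert/emerg). Facilities not listed in rule are dropped."""
    decoded = decode_pri(line)
    if decoded is None:
        return False
    facility, severity = decoded
    min_sev = rule.get(facility)
    if min_sev is None:
        return False
    # Lower index means more severe, so keep when the line is at least as severe as the threshold.
    return SEVERITIES.index(severity) <= SEVERITIES.index(min_sev)


def filter_lines(lines, rule):
    """Apply the facility/level rule to a batch of raw lines, as the collector would pre-ingestion."""
    return [line for line in lines if keep(line, rule)]


# Constructed sample lines (not real device output). PRI 162/164/166 = local4 crit/warning/info.
SAMPLE = [
    "<162>CEF:0|ExampleVendor|ExampleFW|1.0|100|deny|9|src=10.0.0.5 dst=10.0.0.9",
    "<164>CEF:0|ExampleVendor|ExampleFW|1.0|200|ips-warn|5|src=10.0.0.5",
    "<166>CEF:0|ExampleVendor|ExampleFW|1.0|300|traffic|1|src=10.0.0.7",
    "<13>user session opened for operator",          # user.notice
    "malformed line without a PRI header",
]

if __name__ == "__main__":
    for label, rule in (("log_info", {"local4": "info"}), ("log_crit", {"local4": "crit"})):
        print(label, "keeps", len(filter_lines(SAMPLE, rule)), "of", len(SAMPLE), "lines")
```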

  3. rob wood 41 Reputation points
    2024-03-21T11:50:48.7166667+00:00

    Resolved with our own logic


  4. Marilee Turscak-MSFT 33,951 Reputation points Microsoft Employee
    2024-03-26T19:39:38.2066667+00:00

    Hi @rob wood ,

    I'm glad that you were able to resolve your issue, and thank you for sharing the status of your issue so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue:

    Your client has the Fortinet connector and was aiming to filter logging so that the log ingestion would not be too costly. You were considering using the CEF AMA connector to filter out the security logs from syslog but were uncertain what to configure on the data collection rule.

    Solution:

    Using your own internal logic you were able to filter the logs you needed.

    The official documentation has some data collection best practices that are also helpful to follow in this situation.

    There is also a sample rule here that you could reference, which has some Linux-specific guidance in the comments.

    If you would like to update with more details about your solution I will also edit this post to include those here.

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
