Oct 03 2020 - last edited on Dec 23 2021
I have a question regarding the common scenario where we need to install a Linux VM (on-prem / on cloud) to act as a proxy to send logs from Fortinet and other CEF log sources like Cisco etc.
If I use the same VM as a proxy for multiple log sources (like Fortinet, Cisco etc.), would Sentinel be able to differentiate between the log sources?
Would you rather recommend using one VM proxy per log source, like one for Cisco and another one for Fortinet, to keep it easy for Sentinel?
Oct 05 2020 05:39 AM
@salkhan The DeviceVendor and DeviceProduct fields in the CommonSecurityLog should tell you where the data came from.
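To make the answer above concrete, here is an added Python example (not from this thread, and not Microsoft's or Fortinet's code) that parses syslog-wrapped CEF lines the way a single Linux collector would receive them from two different sources, and maps the CEF header fields onto the CommonSecurityLog column names Sentinel uses (DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity). The sample lines, hostnames and addresses are constructed; the extension-key mapping covers only a few common keys and is an assumption for illustration. The point it demonstrates is that the vendor and product come from the message itself, not from the forwarding VM, so one collector can carry several sources and queries can still separate them by those two columns.

```python
import re
from collections import Counter

# Constructed sample: syslog-wrapped CEF events as one Linux collector would
# forward them to Sentinel. Hostnames, addresses and IDs are made up.
SAMPLE_LINES = [
    "<134>Oct 05 2020 10:15:22 fw01 CEF:0|Fortinet|Fortigate|v6.4|0000000013|forward|3|"
    "src=10.0.0.5 dst=192.0.2.10 spt=51234 dpt=443 proto=6",
    "<134>Oct 05 2020 10:15:23 asa01 CEF:0|Cisco|ASA|9.12|106023|Deny tcp|5|"
    "src=198.51.100.7 dst=10.0.0.8 dpt=22 msg=Deny tcp src outside",
    "<134>Oct 05 2020 10:15:24 fw01 CEF:0|Fortinet|Fortigate|v6.4|0000000020|utm|6|"
    "src=10.0.0.9 dst=203.0.113.5 act=blocked msg=Path with \\= and \\| chars",
    "<134>Oct 05 2020 10:15:25 asa01 CEF:0|Cisco|ASA|9.12|302013|Built inbound tcp|3|"
    "src=10.0.0.1 dst=10.0.0.2",
]

# CEF header positions -> CommonSecurityLog columns (schema names as Sentinel uses them).
HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]

# A few extension keys -> CommonSecurityLog columns (illustrative subset, assumed).
EXTENSION_COLUMNS = {
    "src": "SourceIP", "dst": "DestinationIP", "spt": "SourcePort",
    "dpt": "DestinationPort", "proto": "Protocol", "act": "DeviceAction",
    "msg": "Message",
}


def cef_unescape(value):
    """Undo CEF escaping: \\| \\= \\\\ become the literal character, \\n and \\r newlines."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value)


def parse_extension(ext):
    """Split 'key=value key2=value with spaces' into a dict; values may contain spaces."""
    pairs = {}
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    for i, m in enumerate(keys):
        start = m.end()
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        pairs[m.group(1)] = cef_unescape(ext[start:end]).strip()
    return pairs


def parse_cef(line):
    """Parse one syslog line carrying a CEF payload. Returns None for non-CEF lines."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    # The 7 header fields are delimited by unescaped pipes; everything after
    # the 7th pipe is the extension and may contain unescaped pipes itself.
    parts = re.split(r"(?<!\\)\|", line[idx:], maxsplit=7)
    if len(parts) < 7:
        return None  # malformed header
    record = {"CefVersion": parts[0].split(":", 1)[1]}
    for name, raw in zip(HEADER_COLUMNS, parts[1:7]):
        record[name] = cef_unescape(raw)
    if len(parts) == 8:
        for key, value in parse_extension(parts[7]).items():
            record[EXTENSION_COLUMNS.get(key, key)] = value
    return record


def summarize_by_source(lines):
    """Count events per (DeviceVendor, DeviceProduct), the columns a Sentinel query
    would filter on to tell sources sharing one collector apart."""
    counts = Counter()
    for line in lines:
        rec = parse_cef(line)
        if rec is not None:
            counts[(rec["DeviceVendor"], rec["DeviceProduct"])] += 1
    return counts


if __name__ == "__main__":
    for (vendor, product), n in sorted(summarize_by_source(SAMPLE_LINES).items()):
        print(f"{vendor}/{product}: {n} events")
```

In a Sentinel workspace the same split is a `summarize count() by DeviceVendor, DeviceProduct` over CommonSecurityLog; the collector VM only relays the bytes, so adding a second vendor to it changes nothing about how the events are attributed.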