Occasional Contributor

Hello colleagues,

 

I have a question regarding the common scenario, where we need to install a linux VM (on-prem/ on cloud) to act as a  proxy to send logs from Fortinet and other CEF log sources like Cisco etc.

 

If I use the same VM as a proxy for multiple log sources (like Fortinet, Cisco etc), would Sentinel be able to differentiate between the log sources? 

 

Would you rather recommend using one VM-proxy per log source, like one for Cisco, another one for Fortinet to keep it easy for Sentinel?

 

1.jpg

@salkhan The DeviceVendor and DeviceProduct fields in the CommonSecurityLog should tell you where the data came from

We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE