salkhan
Occasional Contributor

‎Oct 03 2020 10:31 AM - last edited on ‎Dec 23 2021 04:49 AM by

‎Oct 03 2020 10:31 AM - last edited on ‎Dec 23 2021 04:49 AM by

CEF Proxy for Sentinel and Apparent Log Source

Hello colleagues,

 

I have a question regarding the common scenario, where we need to install a linux VM (on-prem/ on cloud) to act as a  proxy to send logs from Fortinet and other CEF log sources like Cisco etc.

 

If I use the same VM as a proxy for multiple log sources (like Fortinet, Cisco etc), would Sentinel be able to differentiate between the log sources? 

 

Would you rather recommend using one VM-proxy per log source, like one for Cisco, another one for Fortinet to keep it easy for Sentinel?

 

1.jpg

381 Views
0 Likes
1 Reply
Reply
Gary Bushey

‎Oct 05 2020 05:39 AM

‎Oct 05 2020 05:39 AM

Re: CEF Proxy for Sentinel and Apparent Log Source

@salkhan The DeviceVendor and DeviceProduct fields in the CommonSecurityLog should tell you where the data came from

0 Likes
Reply
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE