After setting up log forwarding to syslog servers and once the logs start flowing into Sentinel, it's common to see entries with many blank fields.
A potential cause is that these messages lack a syslog PRI header, which is where the facility and severity level are carried; without it, those fields cannot be populated.
To filter out such logs, simply uncheck the option "Collect messages without PRI header (facility and severity)" when creating the data collection rule (DCR) through the "Common Event Format (CEF) via AMA" data connector. Keep in mind that this option is only available while configuring the DCR from the data connector interface. #MicrosoftSentinel #Commonsecuritylogs #CEF
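To make the "PRI header" concrete, here is an added example (not code from the original post or from Microsoft) that parses the optional `<N>` prefix of a syslog line and splits constructed sample messages into those that carry facility and severity and those that don't. The facility and severity names follow RFC 3164 / RFC 5424; the sample lines, host names and CEF fields are made up for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# A syslog PRI header is "<N>" at the very start of the message, where
# N = facility * 8 + severity (RFC 3164 section 4.1.1, RFC 5424 section 6.2.1).
PRI_RE = re.compile(r"^<(\d{1,3})>")

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_PRI = 23 * 8 + 7  # 191: highest valid PRI value


def parse_pri(message: str) -> Optional[Dict[str, object]]:
    """Return facility/severity decoded from the PRI header, or None if absent/invalid."""
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > MAX_PRI:
        # Out of range: treat as "no usable PRI", which is how a collector would see it
        return None
    facility, severity = pri >> 3, pri & 7
    return {
        "pri": pri,
        "facility": facility,
        "facility_name": FACILITIES[facility],
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "body": message[m.end():],
    }


def split_by_pri(lines: List[str]) -> Tuple[List[Dict[str, object]], List[str]]:
    """Separate messages that carry a PRI header from those that would land with blank
    facility/severity fields (the ones the DCR option in the post lets you drop)."""
    with_pri, without_pri = [], []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            without_pri.append(line)
        else:
            with_pri.append(parsed)
    return with_pri, without_pri


# Constructed sample messages (hypothetical hosts and CEF content, not real data):
SAMPLE_LINES = [
    # RFC 3164 style, PRI 134 = local0 (16) * 8 + info (6)
    "<134>Jan 12 10:00:00 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|100|Allowed connection|3|src=10.0.0.5 dst=10.0.0.9",
    # RFC 5424 style, PRI 13 = user (1) * 8 + notice (5)
    "<13>1 2024-01-12T10:00:01Z app01 exampleapp - - - CEF:0|ExampleVendor|ExampleApp|2.0|200|Login|5|suser=alice",
    # No PRI header at all: arrives in Sentinel with blank facility/severity
    "CEF:0|ExampleVendor|ExampleFW|1.0|101|Denied connection|7|src=10.0.0.7 dst=10.0.0.9",
    # PRI present but out of range: also unusable
    "<200>Jan 12 10:00:02 fw01 CEF:0|ExampleVendor|ExampleFW|1.0|102|Malformed|1|",
]

if __name__ == "__main__":
    ok, missing = split_by_pri(SAMPLE_LINES)
    for entry in ok:
        print(f"PRI {entry['pri']}: facility={entry['facility_name']} severity={entry['severity_name']}")
    print(f"{len(missing)} message(s) without a usable PRI header")
```

Running it shows the first two lines decoded to `local0/info` and `user/notice` while the last two are reported as lacking a usable PRI header; these are exactly the messages that show up with empty facility and severity fields and that the unchecked DCR option excludes at collection time.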
Disclaimer
The views expressed in this blog post are solely my own and do not represent those of my employer or any clients. The views and opinions expressed in this blog post are based on references from Microsoft articles. Assistance from ChatGPT is taken for customizing the blog.