You need to craft a template with a fixed facility you want. That's the <xx> part inside the template. See RFC5424 for how to calculate it (yes, it should be easier, but it's a pretty uncommon request and this is right now the only way to do it).

HTH
Rainer

On Sun, 24 Mar 2024 at 13:21, Steven Briggs via rsyslog (<rsyslog@lists.adiscon.com>) wrote:
>
> > I have a rsyslog forwarder RHEL 7.9 that is forwarding syslog and CEF
> > messages to Azure Sentinel now using AMA. What happens is when cef messages
> > are forwarded they appear in the sentinel twice once in syslog table and
> > then in the common security. Which creates duplicates. It’s not possible to
> > change client config, too many devices and appliances
> >
> > My question is can I change the facility of incoming syslogs on the
> > forwarding server ?
> >
> > Other question is whether I can change syslog messages to CEF format on
> > the forwarder ?
> >
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T
> LIKE THAT.
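
The `<xx>` value mentioned in the reply is the RFC 5424 PRI, computed as facility × 8 + severity. The following is an added example, not part of the original thread or of rsyslog: it computes the PRI literals for a chosen facility and shows what changing only the facility does to a message header. The facility `local4` and the sample lines are constructed assumptions.

```python
import re

# RFC 5424 section 6.2.1: numeric codes are the list indexes.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def encode_pri(facility, severity):
    """PRI = facility * 8 + severity."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def decode_pri(pri):
    """Split a PRI value back into (facility, severity) names."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    fac, sev = divmod(pri, 8)
    return FACILITIES[fac], SEVERITIES[sev]

def pri_table(facility):
    """All eight <xx> values a template would need for one fixed facility."""
    return {sev: encode_pri(facility, sev) for sev in SEVERITIES}

def rewrite_facility(line, new_facility):
    """Replace the facility in a line's PRI header, keeping its severity."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:
        return line  # no valid PRI header: leave the line untouched
    _, severity = decode_pri(int(m.group(1)))
    return f"<{encode_pri(new_facility, severity)}>{line[m.end():]}"

# Constructed sample input, not captured traffic.
SAMPLES = [
    "<46>Mar 24 13:21:00 fw01 CEF:0|Vendor|Product|1.0|100|test|5|src=10.0.0.1",
    "<13>Mar 24 13:21:01 app01 myapp: user login ok",
    "no PRI header on this line",
]

if __name__ == "__main__":
    print(pri_table("local4"))
    for s in SAMPLES:
        print(rewrite_facility(s, "local4"))
```

A single literal `<xx>` in a template fixes the severity as well as the facility, so the table shows which value corresponds to each severity you want to emit.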