Query Details

Data Per Syslog Server

Query

// Show the total ReceivedBytes reported per Syslog server (the Computer column is the
// collector that forwarded the record). The DeviceVendor filter limits the result to one
// vendor; change it, or add further DeviceVendor/DeviceProduct conditions, to match the
// devices you know report to each Syslog server.

CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where isnotempty(ReceivedBytes)
| summarize sum(ReceivedBytes) by Computer

Explanation

This query sums the ReceivedBytes values in CommonSecurityLog and groups the result by Computer. In CommonSecurityLog the Computer column holds the hostname of the Syslog/CEF collector that forwarded the record, so the output is one total per Syslog server. The where DeviceVendor == "Fortinet" filter restricts the records to Fortinet devices; change the vendor, or add further conditions on DeviceVendor or DeviceProduct, to match the devices you know report to each collector. Note that ReceivedBytes is the CEF "in" extension, the inbound byte count the device reported for the logged connection, not the size of the log data the collector ingested; to measure ingestion volume itself, sum the _BilledSize column instead.
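The following is an added example, not a query from the original page or from the author's collection. It extends the same idea in two ways: it breaks the totals down by the reporting device as well as by collector, and it places the CEF byte count next to the actual ingested record size (_BilledSize) so the two are not confused. The vendor list and the seven-day window are assumptions; adjust them to your environment.

```kql
// Added example (not from the original page). Per-collector, per-device volume for
// CommonSecurityLog over the last 7 days, comparing the CEF "in" byte count with
// the size of the log records that were actually ingested.
CommonSecurityLog
| where TimeGenerated > ago(7d)
// Assumed vendor list: add the vendors you expect to see on each collector.
| where DeviceVendor in ("Fortinet", "Palo Alto Networks")
| where isnotempty(ReceivedBytes)
| summarize
    Events           = count(),
    ReceivedBytesSum = sum(ReceivedBytes),   // CEF "in" extension reported by the device
    IngestedBytes    = sum(_BilledSize)      // bytes of log data ingested into the workspace
  by Computer, DeviceVendor, DeviceProduct, DeviceName
| extend IngestedMB = round(IngestedBytes / 1024.0 / 1024.0, 2)
| project Computer, DeviceVendor, DeviceProduct, DeviceName, Events, ReceivedBytesSum, IngestedMB
| order by Computer asc, IngestedMB desc
```

Computer identifies the collector, DeviceName the device that sent the CEF message, so a collector that is unexpectedly quiet or a device that has stopped reporting shows up as a missing or shrinking row. If you want to know what a collector costs, IngestedMB is the figure to watch; ReceivedBytesSum describes traffic the devices saw, not the log volume they produced.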

Details


Rod Trent

Released: January 21, 2022

Tables

CommonSecurityLog

Keywords

CommonSecurityLog,DeviceVendor,ReceivedBytes,Computer

Operators

|,where,==,isnotempty,summarize,sum,by
