https://community.cisco.com/t5/network-security/sending-cisco-device-syslog-in-cef-into-microsoft-sentinel/m-p/5344482#M1123391 <DIV class="">These are the 2 documentations that we followed to ingest Cisco device syslog into our Sentinel instance:&nbsp;</DIV><DIV class=""><U><A title="https://learn.microsoft.com/en-us/azure/sentinel/forward-syslog-monitor-agent" href="https://learn.microsoft.com/en-us/azure/sentinel/forward-syslog-monitor-agent" target="_blank" rel="noopener">https://learn.microsoft.com/en-us/azure/sentinel/forward-syslog-monitor-agent</A></U></DIV><DIV class=""><U><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html" target="_blank" rel="noopener">eStreamer eNcore for Sentinel Operations Guide v4.0.9 - Cisco</A></U></DIV><DIV class="">&nbsp;</DIV><DIV class=""><STRONG>Issue 1:</STRONG> The problem with our current working setup is that the syslog is not in Common Event Format (CEF). What I understand is that the Microsoft Azure Monitoring Agent (AMA) only collects/monitors/ingests syslog into Microsoft Sentinel. The Microsoft AMA does not convert the syslog into CEF. The formatting of Cisco device syslog has always been determined at the Cisco device end.</DIV><DIV class="">&nbsp;</DIV><DIV class=""><STRONG>Issue 2:</STRONG>&nbsp;In our case, we want CEF format and Cisco has always utilized the Cisco eStreamer integration to send its Cisco devices' syslog in CEF into 3rd&nbsp;party SIEMs (like Splunk, Sentinel, etc...). The issue is that Cisco eStreamer (eNcore client) solution is EOL and unsupported, is there a plan to replace Cisco's ability to send its device syslog in CEF?</DIV><DIV class="">&nbsp;</DIV><DIV class=""><STRONG>Cisco eStreamer (eNcore client) solution is EOL/unsupported and we need a solution to ingest Cisco syslog in CEF into our Microsoft Sentinel. Is there a way to do this?</STRONG></DIV><DIV class="">&nbsp;</DIV><DIV class="">Thanks in advance.</DIV> Tue, 04 Nov 2025 19:16:08 GMT grant-luong 2025-11-04T19:16:08Z https://community.cisco.com/t5/network-security/sending-cisco-device-syslog-in-cef-into-microsoft-sentinel/m-p/5344482#M1123391 <DIV class="">These are the 2 documentations that we followed to ingest Cisco device syslog into our Sentinel instance:&nbsp;</DIV><DIV class=""><U><A title="https://learn.microsoft.com/en-us/azure/sentinel/forward-syslog-monitor-agent" href="https://learn.microsoft.com/en-us/azure/sentinel/forward-syslog-monitor-agent" target="_blank" rel="noopener">https://learn.microsoft.com/en-us/azure/sentinel/forward-syslog-monitor-agent</A></U></DIV><DIV class=""><U><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html" target="_blank" rel="noopener">eStreamer eNcore for Sentinel Operations Guide v4.0.9 - Cisco</A></U></DIV><DIV class="">&nbsp;</DIV><DIV class=""><STRONG>Issue 1:</STRONG> The problem with our current working setup is that the syslog is not in Common Event Format (CEF). What I understand is that the Microsoft Azure Monitoring Agent (AMA) only collects/monitors/ingests syslog into Microsoft Sentinel. The Microsoft AMA does not convert the syslog into CEF. The formatting of Cisco device syslog has always been determined at the Cisco device end.</DIV><DIV class="">&nbsp;</DIV><DIV class=""><STRONG>Issue 2:</STRONG>&nbsp;In our case, we want CEF format and Cisco has always utilized the Cisco eStreamer integration to send its Cisco devices' syslog in CEF into 3rd&nbsp;party SIEMs (like Splunk, Sentinel, etc...). The issue is that Cisco eStreamer (eNcore client) solution is EOL and unsupported, is there a plan to replace Cisco's ability to send its device syslog in CEF?</DIV><DIV class="">&nbsp;</DIV><DIV class=""><STRONG>Cisco eStreamer (eNcore client) solution is EOL/unsupported and we need a solution to ingest Cisco syslog in CEF into our Microsoft Sentinel. Is there a way to do this?</STRONG></DIV><DIV class="">&nbsp;</DIV><DIV class="">Thanks in advance.</DIV> Tue, 04 Nov 2025 19:16:08 GMT https://community.cisco.com/t5/network-security/sending-cisco-device-syslog-in-cef-into-microsoft-sentinel/m-p/5344482#M1123391 grant-luong 2025-11-04T19:16:08Z https://community.cisco.com/t5/network-security/sending-cisco-device-syslog-in-cef-into-microsoft-sentinel/m-p/5345528#M1123431 <P>There are no current plans to support&nbsp;CEF format for Syslog. If this is an important functionality, please reach out to your Cisco account team and request that they file and enhancement request on your behalf.&nbsp;</P> <DIV id="bodyDisplay_3" class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"> <DIV class="lia-message-body-content"> <P><EM>Thank you for rating helpful posts!</EM></P> </DIV> </DIV> Sat, 08 Nov 2025 15:13:46 GMT https://community.cisco.com/t5/network-security/sending-cisco-device-syslog-in-cef-into-microsoft-sentinel/m-p/5345528#M1123431 nspasov 2025-11-08T15:13:46Z