Our firewall logs show twice on Splunk. I configured the rsyslog server with TCP. When I configure the log server with UDP, everything is okay. But TCP is a problem. When I configured the log server on 10514 TCP, everything is duplicated.
Can you tell us more about how your environment is configured, how you are ingesting those logs into Splunk, etc.? Your current information didn't give enough information to help you.