Tuesday, November 13, 2007

Q: Why do I get two identical syslog messages from some alerts, one from the DC, and the other from the IS?

A:

The syslog settings can be configured separately for the DC and the IS, so each can emit its own copy of the same event. The IS alerts are produced according to each detection engine's policy, whereas the DC alerts are produced according to compliance events or to "responses".
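Before turning syslog off on one side, it helps to confirm from the collector's log which events really arrive twice and from which hosts. The following is an added example, not code from the original post or from the product: it parses a constructed sample of syslog lines (the hostnames "dc01" and "is01", the tags "SFIMS" and "snort", and the rule text are made-up placeholders, not a documented message format), keys each alert on its rule id plus protocol and endpoints, and reports the events seen from more than one reporting host.

```python
import re
from collections import defaultdict

# Constructed sample log (not real product output): the same intrusion event
# emitted once by the Defense Center (host "dc01") and once by the Intrusion
# Sensor (host "is01"), plus two events that arrive from only one of them.
SAMPLE_SYSLOG = """\
Nov 13 10:02:11 dc01 SFIMS: [1:2003:8] "EXAMPLE RULE A" [Impact: Potentially Vulnerable] [Priority: 2] {TCP} 10.0.0.5:4321 -> 10.0.0.9:80
Nov 13 10:02:11 is01 snort: [1:2003:8] "EXAMPLE RULE A" [Priority: 2] {TCP} 10.0.0.5:4321 -> 10.0.0.9:80
Nov 13 10:02:15 is01 snort: [1:1000:1] "EXAMPLE RULE B" [Priority: 3] {TCP} 10.0.0.7:5555 -> 10.0.0.9:22
Nov 13 10:02:20 dc01 SFIMS: [1:2003:8] "EXAMPLE RULE A" [Impact: Potentially Vulnerable] [Priority: 2] {TCP} 10.0.0.6:1111 -> 10.0.0.9:80
"""

# Classic BSD-style syslog header: timestamp, reporting host, program tag.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)
# Snort-style rule identifier [generator:sid:revision] and flow "{PROTO} src -> dst".
RULE_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
FLOW_RE = re.compile(r"\{(\w+)\} (\S+) -> (\S+)")


def parse_line(line):
    """Return (host, event_key) for one syslog line, or None if it is not an IDS alert.

    event_key identifies the underlying event independently of which box
    reported it: generator:sid:rev plus protocol, source and destination.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    rule = RULE_RE.search(msg)
    flow = FLOW_RE.search(msg)
    if not rule or not flow:
        return None
    key = (":".join(rule.groups()),) + flow.groups()
    return m.group("host"), key


def find_cross_host_duplicates(text):
    """Map each event key to the sorted list of hosts that reported it, keeping
    only events seen from more than one host (the DC/IS double-reporting symptom)."""
    hosts_by_event = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            host, key = parsed
            hosts_by_event[key].add(host)
    return {k: sorted(v) for k, v in hosts_by_event.items() if len(v) > 1}


if __name__ == "__main__":
    for key, hosts in find_cross_host_duplicates(SAMPLE_SYSLOG).items():
        print("event %s reported by %s" % (key, ", ".join(hosts)))
```

Run it against the collector's real log instead of `SAMPLE_SYSLOG`; any event listed with two hosts is one that both the DC and the IS are forwarding, which tells you which detection engines still have syslog alerting enabled.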

The Detection Engine controls the IS

To set the policy for the IS, set it on the detection engine. Edit the detection engine (D.E.) and choose "alerting". The syslog settings for the D.E. control where every alert for that D.E. is syslogged. In my case I wanted all alerting to come from the DC, so I turned it off on every D.E. so it would not come from the IS too.

The DC has granular alerting capability

For the DC, see Policy & Responses/Alerts. You can create one or more syslog-type alerting mechanisms there, and activate or deactivate each one.

Then, go to Policy & Responses/Impact Flag Alerts. Here you can select one of the syslog-type mechanisms you defined above, and choose whether to receive a syslog message according to the impact flag on the alert.

You can do the same for RNA Event Alerts too. There are other features on the DC which can be configured to generate a syslog event, such as in Policy & Response/Compliance/Policy Management.
