Hi Ofer_Shezaf
Yes, we did those steps on the CEF connector; this is why we commented on the post, because we can't get CEF working. It's frustrating, because the OMS Agent says that it collects logs on 25256.
The events are observed by the CEF Troubleshooter.
Security-config-omsagent.conf contains rsyslog.d routing configuration
rsyslog daemon configuration was found valid.
Trying to restart syslog daemon
Restarting rsyslog daemon - 'sudo service rsyslog restart'
Redirecting to /bin/systemctl restart rsyslog.service
rsyslog daemon restarted.
This will take a few seconds.
Omsagent restarted.
This will take a few seconds.
Incoming port grep: 0.0.0.0:514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:514 0.0.0.0:*
Daemon incoming port 514 is open
Incoming port grep: 25226
tcp 0 0 127.0.0.1:25226 0.0.0.0:* LISTEN
Omsagent is listening to incoming port 25226
Validating CEF\ASA into rsyslog daemon - port 514
This will take 60 seconds.
sudo tcpdump -A -ni any port 514 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:50.745647 IP (tos 0x0, ttl 64, id 55478, offset 0, flags [DF], proto TCP (6), length 1335)
10.35.72.145.13129 > 10.35.72.147.shell: Flags [P.], cksum 0x7dcb (correct), seq 24964634:24965917, ack 15089686, win 229, options [nop,nop,TS val 1370415842 ecr 324117405], length 1283
E..7..@.@...
#H.
#H.3I...|....@.....}......
Received CEF\ASA message in daemon incoming port.[514]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 514 -vv'
Fetching CEF messages from daemon files.
Then we need to go to Data Connectors -> Syslog -> add syslog facility; otherwise the log message doesn't appear in Log Analytics.
On Fortinet we can only specify the facility as syslog, alert, auth, kernel, local0, etc. We have specified the Syslog facility.
This is a parsing issue, because the message is sent as syslog, and Sentinel reads the CEF and maps it as Process Name: CEF.
But on Data Connectors we didn't see any green connector for CEF or Fortinet.
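As an added illustration of the parsing point above (example code written for this thread, not from the original post or from Microsoft's connector): a small Python parser that shows the two views of one line a Fortinet sends over syslog, the syslog header, whose tag a plain syslog parser reports as process name "CEF", and the CEF header behind it. The sample lines and the facility table are constructed, and an RFC 3164 style header is assumed.

```python
import re
from typing import Optional

# Constructed sample lines (not the capture from the thread above). Both carry
# PRI <45>, i.e. facility 5 (syslog) * 8 + severity 5 (notice). The first wraps
# a CEF payload the way a Fortinet sends it; the second is an ordinary syslog line.
SAMPLE_LINES = [
    "<45>Jun 10 15:30:50 fgt-01 CEF:0|Fortinet|FortiGate|6.4|00013|traffic:forward close|3|src=10.0.0.5 dst=10.0.0.9",
    "<45>Jun 10 15:30:51 fgt-01 sshd[123]: Accepted publickey for admin",
]

FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 16: "local0", 17: "local1", 18: "local2"}

# RFC 3164 style header: <PRI>Mmm dd HH:MM:SS host TAG ...  The TAG is what a
# plain syslog parser reports as the process name; it ends at ':' or '['.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} "
    r"(?P<host>\S+) (?P<tag>[A-Za-z0-9_.-]+)")

CEF_FIELDS = ("version", "vendor", "product", "device_version",
              "event_id", "name", "severity", "extension")


def parse_cef(line: str) -> Optional[dict]:
    """Parse the CEF header that follows the syslog header; None if not CEF.
    Pipes escaped as '\\|' inside a field are not treated as separators."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    parts = re.split(r"(?<!\\)\|", line[idx:], maxsplit=7)
    if len(parts) != 8:
        return None  # a CEF header always has seven pipe-separated fields
    parts[0] = parts[0][len("CEF:"):]  # keep only the version number
    return dict(zip(CEF_FIELDS, parts))


def classify(line: str) -> Optional[dict]:
    """Return the syslog view (facility, severity, process name) of a line
    together with its CEF header, if any; None if the syslog header is absent."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    cef = parse_cef(line)
    return {"facility": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
            "severity": pri % 8, "host": m.group("host"),
            "process_name": m.group("tag"),   # "CEF" for a CEF-wrapped line
            "is_cef": cef is not None, "cef": cef}
```

Running classify over lines captured on port 514 shows whether the facility the device was configured with is what actually arrives, and whether the CEF header survives intact behind the syslog tag.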