Blog Post

Microsoft Sentinel Blog
12 MIN READ

Azure Sentinel: The connectors grand (CEF, Syslog, Direct, Agent, Custom and more)

Ofer_Shezaf's avatar
Ofer_Shezaf
Icon for Microsoft rankMicrosoft
Aug 13, 2019
(Last updated Apr 20th, 2021)   Please note that as the built-in list of connectors in Azure Sentinel is growing, this list is not actively maintained anymore. Refer to the Azure Sentinel connect...
Updated Sep 29, 2021
Version 171.0
connectors
hpinto's avatar
hpinto
Copper Contributor
Dec 26, 2019

My mistake i din't attach the tcpdump of OMS Agent:

 

udo tcpdump -A -ni any port 25226 -vv
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:30:58.743394 IP (tos 0x0, ttl 64, id 61856, offset 0, flags [DF], proto UDP (17), length 904)
127.0.0.1.35443 > 127.0.0.1.25226: [bad udp cksum 0x0188 -> 0x84d8!] UDP, length 876
Received CEF message in agent incoming port.[25226]
Notice: To tcp dump manually execute the following command - 'tcpdump -A -ni any port 25226 -vv'

 

on logs analytics we can only see message when we put data connector facility as syslog, other wise we din't see nothing as Syslog message os CEF Message.

 

Here is a TCP Dump 

 

127.0.0.1.35443 > 127.0.0.1.25226: [bad udp cksum 0x0138 -> 0xbaba!] UDP, length 796
E..8v.@.@..0.........sb..$.8<190>Dec 26 16:04:23 xxxx-xxx CEF: 0|Fortinet|Fortigate|v6.2.0|28704|utm:app-ctrl app-ctrl-all 

 

on logs analytics

 

ProcessName: CEF

SyslogMessage: 0|Fortinet|Fortigate|v6.2.0|0001

Facility: Syslog

 

Witch facility did MS recommend for this to work?